cleanup[BREAKING]: Templatize labels across resources

Author: thefirstofthe300

gremlin/templates/_helpers.tpl

@@ -31,6 +31,26 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Common labels
+*/}}
+{{- define "gremlin.labels" -}}
+helm.sh/chart: {{ include "gremlin.chart" . }}
+{{ include "gremlin.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "gremlin.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "gremlin.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
 {{/*
 Because we've evolved the recommended way to pass the secret name over time, we hide the following order of operations behind this computed value:
 In later versions of this chart, we will remove the use of the fallback value of `gremlin-team-cert`

gremlin/templates/apparmor-configmap.yaml

@@ -4,6 +4,8 @@ kind: ConfigMap
 metadata:
   name: {{ .Release.Name }}-apparmor-profile-content
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gremlin.labels" . | nindent 4 }}
 data:
   agent_apparmor.profile: |-
     {{ .Files.Get "agent_apparmor.profile" | nindent 4 | trim }}

gremlin/templates/apparmor-loader.yaml

@@ -6,24 +6,19 @@ metadata:
   # Namespace must match that of the ConfigMap.
   namespace: {{ .Release.Namespace}}
   labels:
-    daemon: apparmor-loader
-    helm.sh/chart: {{ include "gremlin.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    version: v1
+    {{- include "gremlin.labels" . | nindent 4 }}
+    app.kubernetes.io/component: apparmor-loader
 spec:
   selector:
     matchLabels:
-      daemon: apparmor-loader
+      {{- include "gremlin.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: apparmor-loader
   template:
     metadata:
       name: apparmor-loader
       labels:
-        daemon: apparmor-loader
-        helm.sh/chart: {{ include "gremlin.chart" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        app.kubernetes.io/managed-by: {{ .Release.Service }}
-        version: v1
+        {{- include "gremlin.labels" . | nindent 8 }}
+        app.kubernetes.io/component: apparmor-loader
     {{- if .Values.gremlin.podSecurity.seccomp.enabled }}
       annotations:
         container.seccomp.security.alpha.kubernetes.io/{{ .Chart.Name }}: {{ .Values.gremlin.podSecurity.seccomp.profile }}

gremlin/templates/chao-deployment.yaml

@@ -2,16 +2,14 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  name: chao
+  namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/instance: chao
-    app.kubernetes.io/name: chao
-    helm.sh/chart: {{ include "gremlin.chart" . }}
-    app.kubernetes.io/version: "1"
+    {{- include "gremlin.labels" . | nindent 4 }}
+    app.kubernetes.io/component: chao
     {{- if .Values.chao.podLabels }}
     {{- toYaml .Values.chao.podLabels | nindent 4 }}
     {{- end }}
-  name: chao
-  namespace: {{ .Release.Namespace }}
 spec:
   replicas: 1
   {{- if .Values.chao.updateStrategy }}
@@ -20,16 +18,13 @@ spec:
   {{- end }}
   selector:
     matchLabels:
-      app.kubernetes.io/instance: chao
-      app.kubernetes.io/name: chao
-      app.kubernetes.io/version: "1"
+      {{ include "gremlin.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: chao
   template:
     metadata:
       labels:
-        app.kubernetes.io/instance: chao
-        app.kubernetes.io/name: chao
-        helm.sh/chart: {{ include "gremlin.chart" . }}
-        app.kubernetes.io/version: "1"
+        {{ include "gremlin.labels" . | nindent 8 }}
+        app.kubernetes.io/component: chao
         {{- if .Values.chao.podLabels }}
         {{- toYaml .Values.chao.podLabels | nindent 8 }}
         {{- end }}

gremlin/templates/chao-service-account.yaml

@@ -5,6 +5,12 @@ kind: ServiceAccount
 metadata:
   name: chao
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gremlin.labels" . | nindent 4 }}
+    app.kubernetes.io/component: chao
+    {{- if .Values.chao.serviceAccount.labels }}
+    {{- toYaml .Values.chao.serviceAccount.labels | nindent 4 }}
+    {{- end }}
   annotations:
     {{- with .Values.chao.serviceAccount.annotations }}
       {{- toYaml . | nindent 4 }}
@@ -29,7 +35,7 @@ rules:
     verbs: ["get", "watch", "list"]
   - apiGroups: ["argoproj.io"]
     resources: ["rollouts"]
-    verbs: ["get", "list", "watch"]    
+    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

gremlin/templates/daemonset.yaml

@@ -4,30 +4,25 @@ metadata:
   name: {{ include "gremlin.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "gremlin.name" . }}
-    helm.sh/chart: {{ include "gremlin.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    version: v1
+    {{- include "gremlin.labels" . | nindent 4 }}
+    app.kubernetes.io/component: agent
     {{- if .Values.gremlin.podLabels }}
     {{- toYaml .Values.gremlin.podLabels | nindent 4 }}
     {{- end }}
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: {{ include "gremlin.name" . }}
+      {{ include "gremlin.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: agent
   {{- if .Values.gremlin.updateStrategy }}
   updateStrategy:
     {{- toYaml .Values.gremlin.updateStrategy | nindent 4 }}
   {{- end }}
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: {{ include "gremlin.name" . }}
-        helm.sh/chart: {{ include "gremlin.chart" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        app.kubernetes.io/managed-by: {{ .Release.Service }}
-        version: v1
+        {{ include "gremlin.labels" . | nindent 8 }}
+        app.kubernetes.io/component: agent
         {{- if .Values.gremlin.podLabels }}
         {{- toYaml .Values.gremlin.podLabels | nindent 8 }}
         {{- end }}

gremlin/templates/gremlin-scc.yaml

@@ -3,11 +3,13 @@
 kind: SecurityContextConstraints
 apiVersion: security.openshift.io/v1
 metadata:
+  name: gremlin
+  labels:
+    {{- include "gremlin.labels" . | nindent 4 }}
   annotations:
     kubernetes.io/description: 'This SCC provides as many restrictions from the `restricted` SCC as possible while
     allowing host mounts, any UID by a pod, and forces the process to run as the gremlin.process SELinux type. This is
     intended to be used solely by  Gremlin. WARNING: this SCC allows host file system access as root Grant with caution.'
-  name: gremlin
 allowHostDirVolumePlugin: {{ .Values.gremlin.podSecurity.securityContextConstraints.allowHostDirVolumePlugin }}
 allowHostIPC: false
 allowHostNetwork: {{ .Values.gremlin.hostNetwork }}

gremlin/templates/gremlin-seccomp-configmap.yaml

@@ -6,11 +6,7 @@ metadata:
   name: {{ template "gremlin.fullname" . }}-seccomp
   namespace: {{ .Release.Namespace }}
   labels:
-    helm.sh/chart: {{ include "gremlin.chart" . }}
-    app.kubernetes.io/name: {{ include "gremlin.fullname" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    app.kubernetes.io/version: "1"
+    {{- include "gremlin.labels" . | nindent 4 }}
 data:
   # The following profile extends Docker's default seccomp profile, adding `keyctl` and `pivot_root` to the list of
   # allowed syscalls.
@@ -840,4 +836,4 @@ data:
         }
       ]
     }
-{{- end }}
+{{- end }}

gremlin/templates/gremlin-service-account.yaml

@@ -5,6 +5,12 @@ kind: ServiceAccount
 metadata:
   name: gremlin
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gremlin.labels" . | nindent 4 }}
+    app.kubernetes.io/component: agent
+    {{- if .Values.chao.serviceAccount.labels }}
+    {{- toYaml .Values.chao.serviceAccount.labels | nindent 4 }}
+    {{- end }}
   annotations:
     {{- with .Values.gremlin.serviceAccount.annotations }}
       {{- toYaml . | nindent 4 }}
@@ -14,6 +20,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: gremlin-metadata-reader
+  labels:
+    {{- include "gremlin.labels" . | nindent 4 }}
 rules:
   - apiGroups: [""]
     resources:
@@ -32,6 +40,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: gremlin-metadata-reader
+  labels:
+    {{- include "gremlin.labels" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: gremlin
@@ -78,7 +88,8 @@ kind: Role
 metadata:
   name: scc:gremlin
   labels:
-    addonmanager.kubernetes.io/mode: EnsureExists
+    {{- include "gremlin.labels" . | nindent 4 }}
+    app.kubernetes.io/component: agent    addonmanager.kubernetes.io/mode: EnsureExists
 rules:
 - apiGroups: ['security.openshift.io']
   resources: ['securitycontextconstraints']
@@ -91,6 +102,7 @@ kind: RoleBinding
 metadata:
   name: default:gremlin
   labels:
+    {{- include "gremlin.labels" . | nindent 4 }}
     addonmanager.kubernetes.io/mode: EnsureExists
 roleRef:
   apiGroup: rbac.authorization.k8s.io

gremlin/templates/secret-ssl-cert-file.yaml

@@ -6,11 +6,7 @@ metadata:
   name: ssl-cert-file
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "gremlin.name" . }}
-    helm.sh/chart: {{ include "gremlin.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    version: v1
+    {{- include "gremlin.labels" . | nindent 4 }}
 type: kubernetes.io/Opaque
 data:
   certfile.pem: {{ default .Values.ssl.certFile | toString | b64enc }}