chore: clean up examples (#181)

Jonathan Yu · web-flow · commit e87fe09fd42b · 2021-12-10T08:38:05.000-08:00
* Update OpenShift example to create Route with Ingress object
* Remove superfluous configuration options
* Enable lint check for resource request/limit settings
diff --git a/examples/ingress/ingress.values.yaml b/examples/ingress/ingress.values.yaml
@@ -1,26 +1,14 @@
-# Using coder with ingress in versions from 1.21 and newer
-# Coder's built-in ingress controller is no longer packaged
-# the coderd pod does not require a fanout so it is exposed
-# by creating a LoadBalancer service
 coderd:
-  serviceNext: true
   devurlsHost: '*.devurls.coderhost.com'
   serviceSpec:
+    # The Ingress will route traffic to the internal ClusterIP.
     type: ClusterIP
-    # The values.yaml file in the chart includes LoadBalancer
-    # specs which need to have the keys removed using null
-    # this does not work as a sub-chart
-    loadBalancerIP: null
-    externalTrafficPolicy: null
-    loadBalancerSourceRanges: null
-# Add the ingress values section to enable the ingress resource
-# without the controller
+
 ingress:
-  # Enable set to true creates the ingress resource
   enable: true
-  # Ingress needs a host name so it can share a controller
+  # Hostname to use for routing decisions
   host: 'coder.coderhost.com'
-  # useDefault set to false disables creation of the ingress controller
-  useDefault: false
-  # add annotations for TLS issuers and such
-  annotations: {}
+  # Custom annotations to apply to the resulting Ingress object.
+  # This is useful for configuring other controllers in the cluster,
+  # such as cert-manager or the ingress controller.
+  annotations: {}
diff --git a/examples/kind/kind.values.yaml b/examples/kind/kind.values.yaml
@@ -1,25 +1,26 @@
 coderd:
+  replicas: 1
   serviceSpec:
+    # Avoid provisioning a LoadBalancer
     type: ClusterIP
-  replicas: 1
-  resources:
-    requests:
-      cpu: "0m"
-      memory: "32Mi"
-  podSecurityContext:
-    seccompProfile:
-      type: RuntimeDefault
+
+  # Set the container security context (by default, this inherits
+  # the settings from the pod security context)
   securityContext:
-    seccompProfile:
-      type: RuntimeDefault
-    readOnlyRootFilesystem: true
     runAsNonRoot: true
     runAsUser: 1000
     runAsGroup: 1000
 
+  # Reduce resource requirements for deployments using kind, which
+  # we typically use for development and test purposes only.
+  resources:
+    requests:
+      memory: "32Mi"
+
 postgres:
   default:
+    # Reduce resource requirements for deployments using kind, which
+    # we typically use for development and test purposes only.
     resources:
       requests:
-        cpu: "0m"
         memory: "32Mi"
diff --git a/examples/openshift/openshift.values.yaml b/examples/openshift/openshift.values.yaml
@@ -1,17 +1,34 @@
 coderd:
+  replicas: 1
+
   serviceSpec:
     type: ClusterIP
-  replicas: 1
+
+  # OpenShift's default "restricted" Security Context Constraint
+  # requires that these be unset. OpenShift manages the runAsUser
+  # (using the project-specific User ID range) and seccompProfile.
   podSecurityContext:
     runAsUser: null
+    runAsGroup: null
     seccompProfile: null
+
   securityContext:
-    readOnlyRootFilesystem: true
+    runAsUser: null
+    runAsGroup: null
     seccompProfile: null
 
-postgres:
-  default:
-    resources:
-      requests:
-        cpu: "0m"
-        memory: "32Mi"
+ingress:
+  enable: true
+  # Hostname to use for routing decisions
+  host: 'coder.apps.openshift.coder.com'
+  # Custom annotations to apply to the resulting Ingress object.
+  # This is useful for configuring other controllers in the cluster,
+  # such as cert-manager or the ingress controller.
+  #
+  # OpenShift supports annotations that configure the corresponding
+  # Route object created from this Ingress. See the documentation:
+  # https://docs.okd.io/latest/networking/routes/route-configuration.html#nw-ingress-creating-a-route-via-an-ingress_route-configuration
+  annotations:
+    route.openshift.io/termination: "edge"
+    haproxy.router.openshift.io/set-forwarded-headers: "replace"
+    haproxy.router.openshift.io/balance: "leastconn"
diff --git a/kube-linter.yaml b/kube-linter.yaml
@@ -30,6 +30,7 @@ checks:
     - ssh-port
     - unsafe-proc-mount
     - unsafe-sysctls
+    - unset-cpu-requirements
     - unset-memory-requirements
     - use-namespace
     - wildcard-in-rules
@@ -44,4 +45,3 @@ checks:
     - non-isolated-pod
     - required-annotation-email
     - required-label-owner
-    - unset-cpu-requirements
