Fix helm upgrade procedure

enforcer/README.md

@@ -59,27 +59,41 @@ The webhook uses `failurePolicy: Ignore` by default, meaning if the webhook fail
 helm repo add robusta https://robusta-charts.storage.googleapis.com && helm repo update
 ```
 
-2. **Add cluster configuration**:
+2. **Configure Robusta Account Connection**:
 
-If the enforcer is installed in the same namespace as Robusta, it will automatically detect the Robusta account settings.
+The `Enforcer` needs access to your Robusta account to fetch KRR recommendations. Choose the appropriate configuration based on your setup:
 
-If your Robusta UI sink token, is pulled from a secret (as described [here](https://docs.robusta.dev/master/setup-robusta/configuration-secrets.html#pulling-values-from-kubernetes-secrets)), you should add the same environement variable to the `Enforcer` pod as well.
+#### Option A: Same Namespace as Robusta (Easiest)
+If the enforcer is installed in the **same namespace as Robusta**, it will automatically detect Robusta account settings from the existing configuration.
 
-If the `Enforcer` is installed on a different namespace, you can provide your Robusta account credentials using env variables:
+**⚠️ Caveat**: If your Robusta UI token is pulled from a secret (as described [here](https://docs.robusta.dev/master/setup-robusta/configuration-secrets.html#pulling-values-from-kubernetes-secrets)), you must add the same environment variables to the enforcer pod:
 
-Add your robusta credentials and cluster name: (`enforcer-values.yaml`)
+```yaml
+# enforcer-values.yaml
+additionalEnvVars:
+  - name: TOKEN_ENV_VAR_NAME
+    valueFrom:
+      secretKeyRef:
+        name: robusta-secrets
+        key: robustaSinkToken
+```
+
+#### Option B: Different Namespace
+If the enforcer is installed in a **different namespace than Robusta**, provide the Robusta credentials explicitly:
 
 ```yaml
+# enforcer-values.yaml
 additionalEnvVars:
   - name: CLUSTER_NAME
-    value: my-cluster-name  # should be the same as the robusta installation on this cluster
+    value: my-cluster-name        # should match your Robusta cluster name
   - name: ROBUSTA_UI_TOKEN
-    value: "MY ROBUSTA UI TOKEN"
-#  - name: ROBUSTA_UI_TOKEN  # or pulled from a secret
-#    valueFrom:
-#      secretKeyRef:
-#        name: robusta-secrets
-#        key: robustaSinkToken
+    value: "MY_ROBUSTA_UI_TOKEN"
+  # OR pull from a secret:
+  # - name: ROBUSTA_UI_TOKEN
+  #   valueFrom:
+  #     secretKeyRef:
+  #       name: robusta-secrets
+  #       key: robustaSinkToken
 ```
 
 2. **Install with default settings**:

enforcer/env_vars.py

@@ -15,7 +15,7 @@
 UPDATE_THRESHOLD = float(os.environ.get("UPDATE_THRESHOLD", 20.0))
 
 SCAN_RELOAD_INTERVAL = int(os.environ.get("SCAN_RELOAD_INTERVAL", 3600))
-KRR_MUTATION_MODE_DEFAULT = os.environ.get("KRR_MUTATION_MODE_DEFAULT", "enforce")
+KRR_MUTATION_MODE_DEFAULT = os.environ.get("KRR_MUTATION_MODE_DEFAULT", "ignore")
 REPLICA_SET_CLEANUP_INTERVAL = int(os.environ.get("REPLICA_SET_CLEANUP_INTERVAL", 600))
 REPLICA_SET_DELETION_WAIT = int(os.environ.get("REPLICA_SET_DELETION_WAIT", 600))
 SCAN_AGE_HOURS_THRESHOLD = int(os.environ.get("SCAN_AGE_HOURS_THRESHOLD", 360)) # 15 days

helm/krr-enforcer/Chart.yaml

@@ -3,5 +3,5 @@ name: krr-enforcer
 description: KRR enforcer - auto apply KRR recommendations
 type: application
 
-version: 0.3.1
-appVersion: 0.3.1
+version: 0.3.2
+appVersion: 0.3.2

helm/krr-enforcer/templates/enforcer-cert-job.yaml

@@ -139,15 +139,6 @@ spec:
                     values: ["kube-system"]
               EOF
 
-              # Restart the enforcer deployment to pick up new certificates (only if it exists)
-              echo "Checking if enforcer deployment exists..."
-              if kubectl get deployment ${SERVICE_NAME} -n ${NAMESPACE} >/dev/null 2>&1; then
-                echo "Restarting enforcer deployment..."
-                kubectl rollout restart deployment ${SERVICE_NAME} -n ${NAMESPACE}
-              else
-                echo "Deployment ${SERVICE_NAME} does not exist yet, skipping restart"
-              fi
-
               echo "Job completed successfully!"
 ---
 apiVersion: v1

helm/krr-enforcer/templates/enforcer.yaml

@@ -24,6 +24,7 @@ spec:
         app.kubernetes.io/component: krr-enforcer
       annotations:
         admission.robusta.dev/krr-mutation-mode: ignore
+        checksum/cert: {{ .Release.Revision | toString | sha256sum }}
         {{- with .Values.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -118,6 +119,10 @@ spec:
               value: "/etc/webhook/certs/tls.crt"
             - name: LOG_LEVEL
               value: {{ .Values.logLevel | quote }}
+            - name: KRR_MUTATION_MODE_DEFAULT
+              value: {{ .Values.mutationMode | quote }}
+            - name: UPDATE_THRESHOLD
+              value: {{ .Values.updateThreshold | quote }}
             {{- if .Values.certificate }}
             - name: CERTIFICATE
               value: {{ .Values.certificate | quote }}

helm/krr-enforcer/values.yaml

@@ -1,12 +1,16 @@
 certificate: "" # base64 encoded
 logLevel: INFO
 
+# Enforcer configuration
+mutationMode: ignore            # enforce or ignore - default global enforcement mode
+updateThreshold: 20.0           # percentage threshold for applying resource updates
+
 # fullImage: ~  # full image path can be used to override image.repository/image.name:image.tag
 
 image:
   repository: us-central1-docker.pkg.dev/genuine-flight-317411/devel
   name: krr-enforcer
-  tag: 0.3.1
+  tag: 0.3.2
 imagePullPolicy: IfNotPresent
 resources:
   requests: