From 238da3c2dfa3b8965048174be35507ca089cdcaa Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 16 Sep 2023 01:59:23 +0200
Subject: [PATCH] feat(oauth2-proxy): Switch to topologySpreadConstraints

This patch adjusts the central oauth2-proxy resource to use
`topologySpreadConstraints` instead of `podAntiAffinity`. This
reduces the risk of Pending pods, e.g. during updates in which
the pod config is also adjusted.
---
 shared/applications/oauth2-proxy.yaml | 36 ++++++++++++++-------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/shared/applications/oauth2-proxy.yaml b/shared/applications/oauth2-proxy.yaml
index a38f2736a..991b2c973 100644
--- a/shared/applications/oauth2-proxy.yaml
+++ b/shared/applications/oauth2-proxy.yaml
@@ -11,8 +11,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-15T23:29:01Z"
-    mac: ENC[AES256_GCM,data:BZWJOzZhbJ7hXWucybSHvooDPCqO112sz1UBpa/EW1u3/y4UUMbOWpg7EAbfQ9gidOJXFcWrlrK5wskZiVBonirU1yztYK5UIb03rn7aOBxCabBzYUIS8V4G/zN+T+ktvETMtqk9bUV/ydEWaHaiBBg6UzT5JHLZ2Du8COb6FMQ=,iv:JBGeeXaBKMc7dDNhekYuuSbDgDW/Opxi4AdGA8I1Iig=,tag:Hko4Qo1ENNAlP9fPwNEHuA==,type:str]
+    lastmodified: "2023-09-15T23:59:17Z"
+    mac: ENC[AES256_GCM,data:s8jv3Rp45hW2JZkIIZjwiyTHzVLSXrHSfjt5O+7VgidkSXeAMssZVMgrQtI6cX2Umw9df2hIHemjWRwaCOXRzEDk8brJe3lGbnCIe6a+9wxGmMujKuhdW/Fzv0EWq6Gyib8UaXbJXFEuSBCm3oxMizmRIK6lL5kTvjj0MfOGDA0=,iv:WX3kcICIx+Re3nwk0fit0nuZxBGNGLFayLQRToSEqSQ=,tag:CRXzb0tcDK6CJ4WJWmslKA==,type:str]
     pgp:
         - created_at: "2023-09-15T23:29:01Z"
           enc: |-
@@ -96,8 +96,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-15T23:29:01Z"
-    mac: ENC[AES256_GCM,data:BZWJOzZhbJ7hXWucybSHvooDPCqO112sz1UBpa/EW1u3/y4UUMbOWpg7EAbfQ9gidOJXFcWrlrK5wskZiVBonirU1yztYK5UIb03rn7aOBxCabBzYUIS8V4G/zN+T+ktvETMtqk9bUV/ydEWaHaiBBg6UzT5JHLZ2Du8COb6FMQ=,iv:JBGeeXaBKMc7dDNhekYuuSbDgDW/Opxi4AdGA8I1Iig=,tag:Hko4Qo1ENNAlP9fPwNEHuA==,type:str]
+    lastmodified: "2023-09-15T23:59:17Z"
+    mac: ENC[AES256_GCM,data:s8jv3Rp45hW2JZkIIZjwiyTHzVLSXrHSfjt5O+7VgidkSXeAMssZVMgrQtI6cX2Umw9df2hIHemjWRwaCOXRzEDk8brJe3lGbnCIe6a+9wxGmMujKuhdW/Fzv0EWq6Gyib8UaXbJXFEuSBCm3oxMizmRIK6lL5kTvjj0MfOGDA0=,iv:WX3kcICIx+Re3nwk0fit0nuZxBGNGLFayLQRToSEqSQ=,tag:CRXzb0tcDK6CJ4WJWmslKA==,type:str]
     pgp:
         - created_at: "2023-09-15T23:29:01Z"
           enc: |-
@@ -155,13 +155,6 @@ data:
         replicaCount: 2
         securityContext:
           enabled: true
-        affinity:
-          podAntiAffinity:
-            requiredDuringSchedulingIgnoredDuringExecution:
-              - labelSelector:
-                  matchLabels:
-                    app: oauth2-proxy
-                topologyKey: kubernetes.io/hostname
         resources:
             limits:
                 cpu: 200m
@@ -169,14 +162,23 @@ data:
             requests:
                 cpu: 100m
                 memory: 25Mi
+        topologySpreadConstraints:
+          - maxSkew: 1
+            topologyKey: kubernetes.io/hostname
+            whenUnsatisfiable: DoNotSchedule
+            labelSelector:
+              matchLabels:
+                app: oauth2-proxy
+            matchLabelKeys:
+              - pod-template-hash
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-15T23:29:01Z"
-    mac: ENC[AES256_GCM,data:BZWJOzZhbJ7hXWucybSHvooDPCqO112sz1UBpa/EW1u3/y4UUMbOWpg7EAbfQ9gidOJXFcWrlrK5wskZiVBonirU1yztYK5UIb03rn7aOBxCabBzYUIS8V4G/zN+T+ktvETMtqk9bUV/ydEWaHaiBBg6UzT5JHLZ2Du8COb6FMQ=,iv:JBGeeXaBKMc7dDNhekYuuSbDgDW/Opxi4AdGA8I1Iig=,tag:Hko4Qo1ENNAlP9fPwNEHuA==,type:str]
+    lastmodified: "2023-09-15T23:59:17Z"
+    mac: ENC[AES256_GCM,data:s8jv3Rp45hW2JZkIIZjwiyTHzVLSXrHSfjt5O+7VgidkSXeAMssZVMgrQtI6cX2Umw9df2hIHemjWRwaCOXRzEDk8brJe3lGbnCIe6a+9wxGmMujKuhdW/Fzv0EWq6Gyib8UaXbJXFEuSBCm3oxMizmRIK6lL5kTvjj0MfOGDA0=,iv:WX3kcICIx+Re3nwk0fit0nuZxBGNGLFayLQRToSEqSQ=,tag:CRXzb0tcDK6CJ4WJWmslKA==,type:str]
     pgp:
         - created_at: "2023-09-15T23:29:01Z"
           enc: |-
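Review bot: `matchLabelKeys` on the new constraint depends on the `MatchLabelKeysInPodTopologySpread` feature gate, which is alpha in Kubernetes 1.25 and enabled by default only from 1.27; on an older API server the field is expected to be dropped without an error, so old and new ReplicaSet pods are counted together during a rollout, which is the case this commit sets out to improve. The constraint is also weaker than the removed `requiredDuringSchedulingIgnoredDuringExecution` anti-affinity: skew is computed only over eligible nodes, so when a single node is schedulable both replicas of the authentication proxy can land on it, and nothing rebalances them afterwards. I would record both in a comment above `topologySpreadConstraints:`, for example `# needs matchLabelKeys (default-on from k8s 1.27); replicas may share a node when only one node is eligible`. The values block this key belongs to starts before the hunk, so the cluster version and any PodDisruptionBudget for this workload are not visible here.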
@@ -241,8 +243,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-15T23:29:01Z"
-    mac: ENC[AES256_GCM,data:BZWJOzZhbJ7hXWucybSHvooDPCqO112sz1UBpa/EW1u3/y4UUMbOWpg7EAbfQ9gidOJXFcWrlrK5wskZiVBonirU1yztYK5UIb03rn7aOBxCabBzYUIS8V4G/zN+T+ktvETMtqk9bUV/ydEWaHaiBBg6UzT5JHLZ2Du8COb6FMQ=,iv:JBGeeXaBKMc7dDNhekYuuSbDgDW/Opxi4AdGA8I1Iig=,tag:Hko4Qo1ENNAlP9fPwNEHuA==,type:str]
+    lastmodified: "2023-09-15T23:59:17Z"
+    mac: ENC[AES256_GCM,data:s8jv3Rp45hW2JZkIIZjwiyTHzVLSXrHSfjt5O+7VgidkSXeAMssZVMgrQtI6cX2Umw9df2hIHemjWRwaCOXRzEDk8brJe3lGbnCIe6a+9wxGmMujKuhdW/Fzv0EWq6Gyib8UaXbJXFEuSBCm3oxMizmRIK6lL5kTvjj0MfOGDA0=,iv:WX3kcICIx+Re3nwk0fit0nuZxBGNGLFayLQRToSEqSQ=,tag:CRXzb0tcDK6CJ4WJWmslKA==,type:str]
     pgp:
         - created_at: "2023-09-15T23:29:01Z"
           enc: |-
@@ -300,8 +302,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-15T23:29:01Z"
-    mac: ENC[AES256_GCM,data:BZWJOzZhbJ7hXWucybSHvooDPCqO112sz1UBpa/EW1u3/y4UUMbOWpg7EAbfQ9gidOJXFcWrlrK5wskZiVBonirU1yztYK5UIb03rn7aOBxCabBzYUIS8V4G/zN+T+ktvETMtqk9bUV/ydEWaHaiBBg6UzT5JHLZ2Du8COb6FMQ=,iv:JBGeeXaBKMc7dDNhekYuuSbDgDW/Opxi4AdGA8I1Iig=,tag:Hko4Qo1ENNAlP9fPwNEHuA==,type:str]
+    lastmodified: "2023-09-15T23:59:17Z"
+    mac: ENC[AES256_GCM,data:s8jv3Rp45hW2JZkIIZjwiyTHzVLSXrHSfjt5O+7VgidkSXeAMssZVMgrQtI6cX2Umw9df2hIHemjWRwaCOXRzEDk8brJe3lGbnCIe6a+9wxGmMujKuhdW/Fzv0EWq6Gyib8UaXbJXFEuSBCm3oxMizmRIK6lL5kTvjj0MfOGDA0=,iv:WX3kcICIx+Re3nwk0fit0nuZxBGNGLFayLQRToSEqSQ=,tag:CRXzb0tcDK6CJ4WJWmslKA==,type:str]
     pgp:
         - created_at: "2023-09-15T23:29:01Z"
           enc: |-
-- 
GitLab