From a798afc7e83ec20deccd25cb2c9461eb0c1ed862 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Wed, 3 Jul 2024 14:14:21 +0200
Subject: [PATCH] Update etcd-operator v0.3.0

Signed-off-by: Andrei Kvapil
---
 .../charts/etcd-operator/Chart.yaml | 4 +-
 .../charts/etcd-operator/README.md | 85 +++++------
 .../charts/etcd-operator/README.md.gotmpl | 19 +++
 .../etcd-operator/crds/etcd-cluster.yaml | 29 +++-
 .../rbac/clusterrole-manager-role.yml | 16 +++
 .../templates/workload/deployment.yml | 6 +
 .../charts/etcd-operator/values.schema.json | 10 +-
 .../charts/etcd-operator/values.yaml | 132 +++++++++++++++---
 8 files changed, 215 insertions(+), 86 deletions(-)
 create mode 100644 packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl

diff --git a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
index 36ad3b42..9c3b72a5 100644
--- a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
+++ b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.2.0
+appVersion: v0.3.0
 name: etcd-operator
 type: application
-version: 0.2.0
+version: 0.3.0
diff --git a/packages/system/etcd-operator/charts/etcd-operator/README.md b/packages/system/etcd-operator/charts/etcd-operator/README.md
index 729dab25..33838106 100644
--- a/packages/system/etcd-operator/charts/etcd-operator/README.md
+++ b/packages/system/etcd-operator/charts/etcd-operator/README.md
@@ -1,63 +1,54 @@ # etcd-operator -![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| affinity | object | `{}` | | +| affinity | object | `{}` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | | etcdOperator.args[0] | string | `"--health-probe-bind-address=:8081"` | | | etcdOperator.args[1] | string | `"--metrics-bind-address=127.0.0.1:8080"` | | | etcdOperator.args[2] | string | `"--leader-elect"` | | -| etcdOperator.envVars | object | `{}` | | -| etcdOperator.image.pullPolicy | string | `"IfNotPresent"` | | -| etcdOperator.image.repository | string | `"ghcr.io/aenix-io/etcd-operator"` | | -| etcdOperator.image.tag | string | `""` | | -| etcdOperator.livenessProbe.httpGet.path | string | `"/healthz"` | | -| etcdOperator.livenessProbe.httpGet.port | int | `8081` | | -| etcdOperator.livenessProbe.initialDelaySeconds | int | `15` | | -| etcdOperator.livenessProbe.periodSeconds | int | `20` | | -| etcdOperator.readinessProbe.httpGet.path | string | `"/readyz"` | | -| etcdOperator.readinessProbe.httpGet.port | int | `8081` | | -| etcdOperator.readinessProbe.initialDelaySeconds | int | `5` | | -| etcdOperator.readinessProbe.periodSeconds | int | `10` | | -| etcdOperator.resources.limits.cpu | string | `"500m"` | | -| etcdOperator.resources.limits.memory | string | `"128Mi"` | | -| etcdOperator.resources.requests.cpu | string | `"100m"` | | -| etcdOperator.resources.requests.memory | string | `"64Mi"` | | -| etcdOperator.securityContext.allowPrivilegeEscalation | bool | `false` | | -| 
etcdOperator.securityContext.capabilities.drop[0] | string | `"ALL"` | | -| etcdOperator.service.port | int | `9443` | | -| etcdOperator.service.type | string | `"ClusterIP"` | | -| fullnameOverride | string | `""` | | +| etcdOperator.envVars | object | `{}` | Empty environment variables section | +| etcdOperator.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| etcdOperator.image.repository | string | `"ghcr.io/aenix-io/etcd-operator"` | Image repository | +| etcdOperator.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| etcdOperator.livenessProbe.httpGet.path | string | `"/healthz"` | Healthcheck liveness probe path | +| etcdOperator.livenessProbe.httpGet.port | int | `8081` | Healthcheck port | +| etcdOperator.livenessProbe.initialDelaySeconds | int | `15` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.livenessProbe.periodSeconds | int | `20` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.readinessProbe.httpGet.path | string | `"/readyz"` | Healthcheck readiness probe path | +| etcdOperator.readinessProbe.httpGet.port | int | `8081` | Healthcheck port | +| etcdOperator.readinessProbe.initialDelaySeconds | int | `5` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.readinessProbe.periodSeconds | int | `10` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| etcdOperator.securityContext | object | 
`{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| etcdOperator.service.port | int | `9443` | Service port | +| etcdOperator.service.type | string | `"ClusterIP"` | Service type | +| fullnameOverride | string | `""` | Override a full name of helm release | | imagePullSecrets | list | `[]` | | | kubeRbacProxy.args[0] | string | `"--secure-listen-address=0.0.0.0:8443"` | | | kubeRbacProxy.args[1] | string | `"--upstream=http://127.0.0.1:8080/"` | | | kubeRbacProxy.args[2] | string | `"--logtostderr=true"` | | | kubeRbacProxy.args[3] | string | `"--v=0"` | | -| kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` | | -| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | | -| kubeRbacProxy.image.tag | string | `"v0.16.0"` | | -| kubeRbacProxy.livenessProbe | object | `{}` | | -| kubeRbacProxy.readinessProbe | object | `{}` | | -| kubeRbacProxy.resources.limits.cpu | string | `"500m"` | | -| kubeRbacProxy.resources.limits.memory | string | `"128Mi"` | | -| kubeRbacProxy.resources.requests.cpu | string | `"100m"` | | -| kubeRbacProxy.resources.requests.memory | string | `"64Mi"` | | -| kubeRbacProxy.securityContext.allowPrivilegeEscalation | bool | `false` | | -| kubeRbacProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | | -| kubeRbacProxy.service.port | int | `8443` | | -| kubeRbacProxy.service.type | string | `"ClusterIP"` | | -| kubernetesClusterDomain | string | `"cluster.local"` | | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podLabels | object | `{}` | | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | | -| securityContext.runAsNonRoot | bool | `true` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | -| tolerations | list | `[]` | | +| kubeRbacProxy.image.pullPolicy | 
string | `"IfNotPresent"` | Image pull policy | +| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | Image repository | +| kubeRbacProxy.image.tag | string | `"v0.16.0"` | Version of image | +| kubeRbacProxy.livenessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ | +| kubeRbacProxy.readinessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ | +| kubeRbacProxy.resources | object | `{"limits":{"cpu":"250m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| kubeRbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| kubeRbacProxy.service.port | int | `8443` | Service port | +| kubeRbacProxy.service.type | string | `"ClusterIP"` | Service type | +| kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes cluster domain prefix | +| nameOverride | string | `""` | Override a name of helm release | +| nodeSelector | object | `{}` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ | +| podAnnotations | object | `{}` | ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | +| podLabels | object | `{}` | ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | +| podSecurityContext | object | `{}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| replicaCount | int | `1` | Count of pod replicas | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| tolerations | list | `[]` | ref: 
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | diff --git a/packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl b/packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl new file mode 100644 index 00000000..e1c25058 --- /dev/null +++ b/packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl @@ -0,0 +1,19 @@ +{{ template "chart.header" . }} + +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.typeBadge" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml b/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml index 3abbf976..279e4b63 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml +++ b/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: etcd-operator-system/etcd-operator-serving-cert - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: etcdclusters.etcd.aenix.io spec: conversion: 
@@ -202,25 +202,43 @@ spec: security: description: Security describes security settings of etcd (authentication, certificates, rbac) properties: + enableAuth: + description: Section to enable etcd auth + type: boolean tls: description: Section for user-managed tls certificates properties: clientSecret: - description: Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret. + description: |- + Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string clientTrustedCASecret: - description: Trusted CA for client certificates that are provided by client to etcd. It is expected to have tls.crt field in the secret. + description: |- + Trusted CA for client certificates that are provided by client to etcd. It is expected to have ca.crt field in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string peerSecret: - description: Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret. + description: |- + Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string peerTrustedCASecret: - description: Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt field in the secret. + description: |- + Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have ca.crt field in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string serverSecret: description: |- Server certificate secret to secure client-server communication. 
Is provided to the client who connects to etcd by client port (2379 by default). It is expected to have tls.crt and tls.key fields in the secret. + This secret must be created in the namespace with etcdCluster CR. + type: string + serverTrustedCASecret: + description: |- + Trusted CA for etcd server certificates for client-server communication. Is necessary to set trust between operator and etcd. + It is expected to have ca.crt field in the secret. If it is not specified, then insecure communication will be used. + This secret must be created in the namespace with etcdCluster CR. type: string type: object type: object @@ -581,6 +599,7 @@ spec: not set, the implementation will apply its default routing strategy. If set to "PreferClose", implementations should prioritize endpoints that are topologically close (e.g., same zone). + This is an alpha field and requires enabling ServiceTrafficDistribution feature. type: string type: description: |- diff --git a/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml b/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml index ccb982ac..6cc79370 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml +++ b/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml @@ -17,6 +17,22 @@ rules: - patch - update - watch + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - list + - get + - watch - apiGroups: - "" resources: diff --git a/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml b/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml index ece5bae8..17848ada 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml 
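Review bot: The new `secrets` rule grants `list`, `get` and `watch` on Secrets across the whole cluster, because this is a ClusterRole; the CRD hunk above states that every TLS secret under `security.tls` must live in the namespace of the etcdCluster CR, so the operator only needs secrets from namespaces that hold CRs, yet with this rule a compromise of the operator pod exposes every Secret in the cluster. If a controller-runtime informer cache is what drives the list/watch (likely, given the verb set, but not visible here), consider restricting that cache to the relevant namespaces or a label selector on the operator side, and document the requirement in the chart with a comment above the rule such as `# secrets: TLS material referenced by EtcdCluster security.tls (read-only)`. As a minor style point, the verb order `list, get, watch` differs from the `get, list, watch` order used by the endpoints rule added just above; align them. The enclosing `rules:` list continues outside the hunk.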
+++ b/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml @@ -58,6 +58,12 @@ spec: - configMapRef: name: {{ include "etcd-operator.fullname" . }}-env {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert diff --git a/packages/system/etcd-operator/charts/etcd-operator/values.schema.json b/packages/system/etcd-operator/charts/etcd-operator/values.schema.json index 97400378..65836a6b 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/values.schema.json +++ b/packages/system/etcd-operator/charts/etcd-operator/values.schema.json @@ -256,14 +256,6 @@ "replicaCount": { "type": "integer" }, - "securityContext": { - "properties": { - "runAsNonRoot": { - "type": "boolean" - } - }, - "type": "object" - }, "serviceAccount": { "properties": { "annotations": { @@ -281,4 +273,4 @@ } }, "type": "object" -} \ No newline at end of file +} diff --git a/packages/system/etcd-operator/charts/etcd-operator/values.yaml b/packages/system/etcd-operator/charts/etcd-operator/values.yaml index 9c9ff75a..dcef802b 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/values.yaml +++ b/packages/system/etcd-operator/charts/etcd-operator/values.yaml 
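Review bot: The added `POD_NAMESPACE` entry carries no comment on what consumes it, and it is a fixed `env:` list placed right after the `{{- end }}` of the envFrom guard, so a reader cannot tell how it relates to `etcdOperator.envVars`, which this commit documents only as "Empty environment variables section". I would add a template comment above it, e.g. `{{- /* POD_NAMESPACE: the operator's own namespace; user-supplied variables come via the -env ConfigMap above */ }}`, adjusted to what the binary actually reads. If `.Values.etcdOperator.envVars` is also rendered as an `env:` key elsewhere in this container spec (the rest of the template is outside the hunk), the two keys would now collide and most YAML parsers keep the last one silently. Separately, the CRD's `cert-manager.io/inject-ca-from` annotation still names the fixed namespace `etcd-operator-system`, so the dynamic namespace injected here presumably does not make the webhook CA injection follow a different release namespace.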
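Review bot: Removing `securityContext.runAsNonRoot` from the schema, together with the matching deletion of `securityContext: runAsNonRoot: true` in the values.yaml hunk, drops the only `runAsNonRoot` setting visible in the chart; the per-container `securityContext` blocks kept in values.yaml set `allowPrivilegeEscalation: false` and drop all capabilities but do not set `runAsNonRoot`. Unless the images declare a non-root USER (not verifiable here), the pods may now run as root without the admission-time guarantee the old setting gave, and if the deployment template still references `.Values.securityContext` it now renders an empty block. I would keep the guarantee by adding `runAsNonRoot: true` under `podSecurityContext` (or in both container `securityContext` blocks) and re-adding the corresponding boolean to this schema rather than deleting it. The commit message does not mention this behaviour change.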
@@ -1,98 +1,184 @@ etcdOperator: + image: + + # -- Image repository repository: ghcr.io/aenix-io/etcd-operator + + # -- Image pull policy pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. + + # -- Overrides the image tag whose default is the chart appVersion. tag: "" + args: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 - --leader-elect + service: + + # -- Service type type: ClusterIP + + # -- Service port port: 9443 + + # -- Empty environment variables section envVars: {} + livenessProbe: + httpGet: + + # -- Healthcheck liveness probe path path: /healthz + + # -- Healthcheck port port: 8081 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes initialDelaySeconds: 15 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes periodSeconds: 20 + readinessProbe: + httpGet: + + # -- Healthcheck readiness probe path path: /readyz + + # -- Healthcheck port port: 8081 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes initialDelaySeconds: 5 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes periodSeconds: 10 + + # -- ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: - ALL kubeRbacProxy: + image: + + # -- Image repository repository: gcr.io/kubebuilder/kube-rbac-proxy + + # -- Image pull policy pullPolicy: IfNotPresent + + # -- Version of image tag: v0.16.0 + args: - --secure-listen-address=0.0.0.0:8443 - 
--upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=0 - service: - type: ClusterIP - port: 8443 - livenessProbe: {} - readinessProbe: {} - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL + service: + + # -- Service type + type: ClusterIP + + # -- Service port + port: 8443 + + # -- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: {} + + # -- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + readinessProbe: {} + + # -- ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + + limits: + + cpu: 250m + + memory: 128Mi + + requests: + + cpu: 100m + + memory: 64Mi + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext: + + allowPrivilegeEscalation: false + + capabilities: + + drop: + - ALL + +# -- Kubernetes cluster domain prefix kubernetesClusterDomain: cluster.local +# -- Count of pod replicas replicaCount: 1 imagePullSecrets: [] +# -- Override a name of helm release nameOverride: "" +# -- Override a full name of helm release fullnameOverride: "" serviceAccount: - # Specifies whether a service account should be created + + # -- Specifies whether a service account should be created create: true - # Annotations to add to the service account + + # -- Annotations to add to the service account annotations: {} +# -- ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ podAnnotations: {} +# -- ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ podLabels: {} +# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ podSecurityContext: {} # fsGroup: 2000 -securityContext: - runAsNonRoot: true - +# -- ref: 
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ nodeSelector: {} +# -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] +# -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity affinity: {}
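Review bot: The restyled values.yaml separates every key with a blank line, even inside leaf mappings such as `kubeRbacProxy.resources.limits` (`cpu: 250m` and `memory: 128Mi` on blank-line-separated lines), which reads as tool output rather than hand-maintained config and roughly doubles the file length with no gain in the helm-docs output; one blank line between stanzas is enough. Some of the new `# --` annotations also describe the default instead of the purpose — `# -- Empty environment variables section` on `envVars: {}` tells a user nothing; something like `# -- Additional environment variables for the operator container` (adjusted to how the template consumes them) would be more useful. Note also that `kubeRbacProxy.resources.limits.cpu` silently changes from `500m` to `250m` in this hunk, which the commit message does not mention.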