github-personal/cozystack
1
0
Fork 0
mirror of https://github.com/outbackdingo/cozystack.git synced 2026-01-27 10:18:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update mariadb-operator and mysql chart (#328)

Browse Source 
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Enhanced database user management with role definitions for `admin`
and `readonly` users.
- Introduced support for additional environment variables in the MariaDB
operator deployment.
	- Added new RBAC roles for viewing and editing MariaDB resources.

- **Changes**
- Updated configuration structure for database and user management,
shifting from arrays to objects.
- Improved webhook certificate management with revision history control.
	- Updated image repository for the MariaDB operator.

- **Bug Fixes**
- Adjusted permissions in RBAC configuration for better security and
resource management.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
This commit is contained in:
Andrei Kvapil
2024-09-04 15:14:31 +02:00
committed by GitHub
parent 36d88553ce
commit aa2f553281
21 changed files with 4254 additions and 1551 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
packages/apps/mysql/README.md
View File

@@ -79,7 +79,7 @@ more details:
| Name | Description | Value |
| ----------- | ----------------------- | ----- |
| `users` | Users configuration | `{}` |
| `databases` | Databases configuration | `[]` |
| `databases` | Databases configuration | `{}` |
### Backup parameters

20
packages/apps/mysql/templates/dashboard-resourcemap.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}-dashboard-resources
rules:
- apiGroups:
- ""
resources:
- services
resourceNames:
- {{ .Release.Name }}-primary
- {{ .Release.Name }}-secondary
verbs: ["get", "list", "watch"]
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ .Release.Name }}-credentials
verbs: ["get", "list", "watch"]

39
packages/apps/mysql/templates/db.yaml
View File

@@ -1,14 +1,47 @@
{{- range $name := .Values.databases }}
{{ $dnsName := replace "_" "-" $name }}
{{- range $name, $db := .Values.databases }}
{{ $dbDNSName := replace "_" "-" $name }}
---
apiVersion: k8s.mariadb.com/v1alpha1
kind: Database
metadata:
name: {{ $.Release.Name }}-{{ $dnsName }}
name: {{ $.Release.Name }}-{{ $dbDNSName }}
spec:
name: {{ $name }}
mariaDbRef:
name: {{ $.Release.Name }}
characterSet: utf8
collate: utf8_general_ci
{{- range $user := $db.roles.admin }}
{{ $userDNSName := replace "_" "-" $user }}
---
apiVersion: k8s.mariadb.com/v1alpha1
kind: Grant
metadata:
name: {{ $.Release.Name }}-{{ $dbDNSName }}-{{ $userDNSName }}
spec:
mariaDbRef:
name: {{ $.Release.Name }}
privileges: ['ALL']
database: {{ $name }}
table: "*"
username: {{ $user }}
grantOption: true
{{- end }}
{{- range $user := $db.roles.readonly }}
{{ $userDNSName := replace "_" "-" $user }}
---
apiVersion: k8s.mariadb.com/v1alpha1
kind: Grant
metadata:
name: {{ $.Release.Name }}-{{ $dbDNSName }}-{{ $userDNSName }}
spec:
mariaDbRef:
name: {{ $.Release.Name }}
privileges: ['SELECT']
database: {{ $name }}
table: "*"
username: {{ $user }}
grantOption: true
{{- end }}
{{- end }}

6
packages/apps/mysql/templates/mariadb.yaml
View File

@@ -4,11 +4,9 @@ kind: MariaDB
metadata:
name: {{ .Release.Name }}
spec:
{{- if (and .Values.users.root .Values.users.root.password) }}
rootPasswordSecretKeyRef:
name: {{ .Release.Name }}
key: root-password
{{- end }}
name: {{ .Release.Name }}-credentials
key: root
image: "mariadb:11.0.2"

28
packages/apps/mysql/templates/secret.yaml
View File

@@ -1,9 +1,31 @@
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
{{- $passwords := dict }}
{{- with (index $existingSecret "data") }}
{{- range $k, $v := . }}
{{- $_ := set $passwords $k (b64dec $v) }}
{{- end }}
{{- end }}
{{- $usersWithRoot := .Values.users }}
{{- if (and .Values.users.root .Values.users.root.password) }}
{{- $_ := set $usersWithRoot "root" dict }}
{{- end }}
{{- range $user, $u := $usersWithRoot }}
{{- if $u.password }}
{{- $_ := set $passwords $user $u.password }}
{{- else if not (index $passwords $user) }}
{{- $_ := set $passwords $user (randAlphaNum 16) }}
{{- end }}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}
name: {{ .Release.Name }}-credentials
stringData:
{{- range $name, $u := .Values.users }}
{{ $name }}-password: {{ $u.password }}
{{- range $name, $u := $usersWithRoot }}
{{ $name }}: {{ index $passwords $name }}
{{- end }}

17
packages/apps/mysql/templates/user.yaml
View File

@@ -11,21 +11,8 @@ spec:
mariaDbRef:
name: {{ $.Release.Name }}
passwordSecretKeyRef:
name: {{ $.Release.Name }}
key: {{ $name }}-password
name: {{ $.Release.Name }}-credentials
key: {{ $name }}
maxUserConnections: {{ $u.maxUserConnections }}
---
apiVersion: k8s.mariadb.com/v1alpha1
kind: Grant
metadata:
name: {{ $.Release.Name }}-{{ $dnsName }}
spec:
mariaDbRef:
name: {{ $.Release.Name }}
privileges: {{ $u.privileges | toJson }}
database: "*"
table: "*"
username: {{ $name }}
grantOption: true
{{- end }}
{{- end }}

6
packages/apps/mysql/values.schema.json
View File

@@ -22,12 +22,6 @@
"description": "StorageClass used to store the data",
"default": ""
},
"databases": {
"type": "array",
"description": "Databases configuration",
"default": [],
"items": {}
},
"backup": {
"type": "object",
"properties": {

18
packages/apps/mysql/values.yaml
View File

@@ -15,27 +15,25 @@ storageClass: ""
## @param users [object] Users configuration
## Example:
## users:
## root:
## password: strongpassword
## user1:
## privileges: ['ALL']
## maxUserConnections: 1000
## password: hackme
## user2:
## privileges: ['SELECT']
## maxUserConnections: 1000
## password: hackme
##
users: {}
## @param databases Databases configuration
## @param databases [object] Databases configuration
## Example:
## databases:
## - wordpress1
## - wordpress2
## - wordpress3
## - wordpress4
databases: []
## myapp1:
## roles:
## admin:
## - user1
## readonly:
## - user2
databases: {}
## @section Backup parameters

6
packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
View File

@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: v0.0.28
appVersion: v0.0.30
description: Run and operate MariaDB in a cloud native way
home: https://github.com/mariadb-operator/mariadb-operator
icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
@@ -10,10 +10,10 @@ keywords:
- mariadb-operator
- database
- maxscale
kubeVersion: '>= 1.16.0-0'
kubeVersion: '>=1.26.0-0'
maintainers:
- email: mariadb-operator@proton.me
name: mmontes11
name: mariadb-operator
type: application
version: 0.28.1
version: 0.30.0

18
packages/system/mariadb-operator/charts/mariadb-operator/README.md
View File

@@ -6,13 +6,13 @@
<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
</p>
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.28.1](https://img.shields.io/badge/Version-0.28.1-informational?style=flat-square) ![AppVersion: v0.0.28](https://img.shields.io/badge/AppVersion-v0.0.28-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.30.0](https://img.shields.io/badge/Version-0.30.0-informational?style=flat-square) ![AppVersion: v0.0.30](https://img.shields.io/badge/AppVersion-v0.0.30-informational?style=flat-square)
Run and operate MariaDB in a cloud native way
## Installing
```bash
helm repo add mariadb-operator https://mariadb-operator.github.io/mariadb-operator
helm repo add mariadb-operator https://helm.mariadb.com/mariadb-operator
helm install mariadb-operator mariadb-operator/mariadb-operator
```
@@ -36,7 +36,7 @@ helm uninstall mariadb-operator
| certController.ha.enabled | bool | `false` | Enable high availability |
| certController.ha.replicas | int | `3` | Number of replicas |
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
| certController.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` | |
| certController.image.repository | string | `"docker-registry3.mariadb.com/mariadb-operator/mariadb-operator"` | |
| certController.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
| certController.imagePullSecrets | list | `[]` | |
| certController.lookaheadValidity | string | `"2160h"` | Duration used to verify whether a certificate is valid or not. |
@@ -59,13 +59,14 @@ helm uninstall mariadb-operator
| clusterName | string | `"cluster.local"` | Cluster DNS name |
| extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |
| extraEnv | list | `[]` | Extra environment variables to be passed to the controller |
| extraEnvFrom | list | `[]` | Extra environment variables from preexiting ConfigMap / Secret objects used by the controller using envFrom |
| extraVolumeMounts | list | `[]` | Extra volumes to mount to the container. |
| extraVolumes | list | `[]` | Extra volumes to pass to pod. |
| fullnameOverride | string | `""` | |
| ha.enabled | bool | `false` | Enable high availability |
| ha.replicas | int | `3` | Number of replicas |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` | |
| image.repository | string | `"docker-registry3.mariadb.com/mariadb-operator/mariadb-operator"` | |
| image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
| imagePullSecrets | list | `[]` | |
| logLevel | string | `"INFO"` | Controller log level |
@@ -78,6 +79,7 @@ helm uninstall mariadb-operator
| nodeSelector | object | `{}` | Node selectors to add to controller Pod |
| podAnnotations | object | `{}` | Annotations to add to controller Pod |
| podSecurityContext | object | `{}` | Security context to add to controller Pod |
| rbac.aggregation.enabled | bool | `true` | Specifies whether the cluster roles aggrate to view and edit predefinied roles |
| rbac.enabled | bool | `true` | Specifies whether RBAC resources should be created |
| resources | object | `{}` | Resources to add to controller container |
| securityContext | object | `{}` | Security context to add to controller container |
@@ -89,12 +91,14 @@ helm uninstall mariadb-operator
| tolerations | list | `[]` | Tolerations to add to controller Pod |
| webhook.affinity | object | `{}` | Affinity to add to controller Pod |
| webhook.annotations | object | `{}` | Annotations for webhook configurations. |
| webhook.cert.caPath | string | `"/tmp/k8s-webhook-server/certificate-authority"` | Path where the CA certificate will be mounted. |
| webhook.cert.ca.key | string | `""` | File under 'ca.path' that contains the full CA trust chain. |
| webhook.cert.ca.path | string | `""` | Path that contains the full CA trust chain. |
| webhook.cert.certManager.duration | string | `""` | Duration to be used in the Certificate resource, |
| webhook.cert.certManager.enabled | bool | `false` | Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead. |
| webhook.cert.certManager.issuerRef | object | `{}` | Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used. |
| webhook.cert.certManager.renewBefore | string | `""` | Renew before duration to be used in the Certificate resource. |
| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
| webhook.cert.certManager.revisionHistoryLimit | int | `3` | The maximum number of CertificateRequest revisions that are maintained in the Certificates history. |
| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. 'tls.crt' and 'tls.key' certificates files should be under this path. |
| webhook.cert.secretAnnotations | object | `{}` | Annotatioms to be added to webhook TLS secret. |
| webhook.cert.secretLabels | object | `{}` | Labels to be added to webhook TLS secret. |
| webhook.extrArgs | list | `[]` | Extra arguments to be passed to the webhook entrypoint |
@@ -104,7 +108,7 @@ helm uninstall mariadb-operator
| webhook.ha.replicas | int | `3` | Number of replicas |
| webhook.hostNetwork | bool | `false` | Expose the webhook server in the host network |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` | |
| webhook.image.repository | string | `"docker-registry3.mariadb.com/mariadb-operator/mariadb-operator"` | |
| webhook.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
| webhook.imagePullSecrets | list | `[]` | |
| webhook.nodeSelector | object | `{}` | Node selectors to add to controller Pod |

2
packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl
View File

@@ -1,4 +1,4 @@
{{ $chartRepo := "https://mariadb-operator.github.io/mariadb-operator" }}
{{ $chartRepo := "https://helm.mariadb.com/mariadb-operator" }}
{{ $org := "mariadb-operator" }}
{{ $release := "mariadb-operator" }}
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)

5242
packages/system/mariadb-operator/charts/mariadb-operator/crds/crds.yaml
View File

File diff suppressed because it is too large Load Diff

28
packages/system/mariadb-operator/charts/mariadb-operator/templates/_helpers.tpl
View File

@@ -70,6 +70,34 @@ app.kubernetes.io/name: {{ include "mariadb-operator.name" . }}-webhook
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Webhook CA path to use cert-controller issued certificates
*/}}
{{- define "mariadb-operator-webhook.certControllerCAPath" -}}
{{ .Values.webhook.cert.ca.path | default "/tmp/k8s-webhook-server/certificate-authority" }}
{{- end }}
{{/*
Webhook CA full path to use cert-controller issued certificates
*/}}
{{- define "mariadb-operator-webhook.certControllerFullCAPath" -}}
{{- printf "%s/%s" (include "mariadb-operator-webhook.certControllerCAPath" .) (.Values.webhook.cert.ca.key | default "tls.crt") }}
{{- end }}
{{/*
Webhook CA path to use cert-manager issued certificates
*/}}
{{- define "mariadb-operator-webhook.certManagerCAPath" -}}
{{ .Values.webhook.cert.ca.path | default .Values.webhook.cert.path }}
{{- end }}
{{/*
Webhook CA full path to use cert-manager issued certificates
*/}}
{{- define "mariadb-operator-webhook.certManagerFullCAPath" -}}
{{- printf "%s/%s" (include "mariadb-operator-webhook.certManagerCAPath" .) (.Values.webhook.cert.ca.key | default "ca.crt") }}
{{- end }}
{{/*
Cert-controller common labels
*/}}

11
packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml
View File

@@ -1,13 +1,12 @@
apiVersion: v1
data:
MARIADB_GALERA_AGENT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
MARIADB_GALERA_INIT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
MARIADB_ENTRYPOINT_VERSION: "11.4"
MARIADB_GALERA_LIB_PATH: /usr/lib/galera/libgalera_smm.so
MARIADB_OPERATOR_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
MARIADB_OPERATOR_IMAGE: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator:v0.0.30
RELATED_IMAGE_EXPORTER: prom/mysqld-exporter:v0.15.1
RELATED_IMAGE_EXPORTER_MAXSCALE: mariadb/maxscale-prometheus-exporter-ubi:latest
RELATED_IMAGE_MARIADB: mariadb:10.11.7
RELATED_IMAGE_MAXSCALE: mariadb/maxscale:23.08
RELATED_IMAGE_EXPORTER_MAXSCALE: docker-registry2.mariadb.com/mariadb/maxscale-prometheus-exporter-ubi:v0.0.1
RELATED_IMAGE_MARIADB: docker-registry1.mariadb.com/library/mariadb:11.4.3
RELATED_IMAGE_MAXSCALE: docker-registry2.mariadb.com/mariadb/maxscale:23.08.5
kind: ConfigMap
metadata:
creationTimestamp: null

3
packages/system/mariadb-operator/charts/mariadb-operator/templates/deployment.yaml
View File

@@ -63,6 +63,9 @@ spec:
envFrom:
- configMapRef:
name: mariadb-operator-env
{{- with .Values.extraEnvFrom }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterName }}

30
packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac-user.yaml Normal file
View File

@@ -0,0 +1,30 @@
{{- if .Values.rbac.enabled -}}
{{ $fullName := include "mariadb-operator.fullname" . }}
# the mariadb-view ClusterRole allows viewing all k8s.mariadb.com resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $fullName }}-view
{{- if .Values.rbac.aggregation.enabled }}
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
{{- end }}
rules:
- apiGroups: ["k8s.mariadb.com"]
resources: ["*"]
verbs: ["get", "list", "watch"]
---
# the mariadb-edit ClusterRole allows editing k8s.mariadb.com resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $fullName }}-edit
{{- if .Values.rbac.aggregation.enabled }}
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
{{- end }}
rules:
- apiGroups: ["k8s.mariadb.com"]
resources: ["*"]
verbs: ["create", "update", "patch", "delete"]
{{- end }}

286
packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml
View File

@@ -57,15 +57,6 @@ rules:
- ""
resources:
- endpoints
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- endpoints/restricted
verbs:
- create
@@ -77,6 +68,9 @@ rules:
- ""
resources:
- events
- secrets
- serviceaccounts
- services
verbs:
- create
- list
@@ -104,30 +98,9 @@ rules:
- apiGroups:
- ""
resources:
- secrets
- pods/log
verbs:
- create
- list
- patch
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- list
- patch
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- create
- list
- patch
- watch
- get
- apiGroups:
- apps
resources:
@@ -183,6 +156,14 @@ rules:
- k8s.mariadb.com
resources:
- backups
- connections
- databases
- grants
- mariadbs
- maxscales
- restores
- sqljobs
- users
verbs:
- create
- delete
@@ -195,248 +176,41 @@ rules:
- k8s.mariadb.com
resources:
- backups/finalizers
verbs:
- update
- apiGroups:
- k8s.mariadb.com
resources:
- backups/status
verbs:
- get
- patch
- update
- apiGroups:
- k8s.mariadb.com
resources:
- connections
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- k8s.mariadb.com
resources:
- connections
- grants
- maxscale
- restores
- users
verbs:
- create
- list
- patch
- watch
- apiGroups:
- k8s.mariadb.com
resources:
- connections
- grants
- users
verbs:
- create
- list
- patch
- watch
- apiGroups:
- k8s.mariadb.com
resources:
- connections/finalizers
verbs:
- update
- apiGroups:
- k8s.mariadb.com
resources:
- connections/status
verbs:
- get
- patch
- update
- apiGroups:
- k8s.mariadb.com
resources:
- databases
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- k8s.mariadb.com
resources:
- databases/finalizers
verbs:
- update
- apiGroups:
- k8s.mariadb.com
resources:
- databases/status
verbs:
- get
- patch
- update
- apiGroups:
- k8s.mariadb.com
resources:
- grants
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- k8s.mariadb.com
resources:
- grants/finalizers
verbs:
- update
- apiGroups:
- k8s.mariadb.com
resources:
- grants/status
verbs:
- get
- patch
- update
- apiGroups:
- k8s.mariadb.com
resources:
- mariadbs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- k8s.mariadb.com
resources:
- mariadbs/finalizers
verbs:
- update
- apiGroups:
- k8s.mariadb.com
resources:
- mariadbs/status
verbs:
- get
- patch
- update
- apiGroups:
- k8s.mariadb.com
resources:
- maxscales
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- k8s.mariadb.com
resources:
- maxscales/finalizers
verbs:
- update
- apiGroups:
- k8s.mariadb.com
resources:
- maxscales/status
verbs:
- get
- patch
- update
- apiGroups:
- k8s.mariadb.com
resources:
- restores
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- k8s.mariadb.com
resources:
- restores/finalizers
verbs:
- update
- apiGroups:
- k8s.mariadb.com
resources:
- restores/status
verbs:
- get
- patch
- update
- apiGroups:
- k8s.mariadb.com
resources:
- sqljobs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- k8s.mariadb.com
resources:
- sqljobs/finalizers
verbs:
- update
- apiGroups:
- k8s.mariadb.com
resources:
- sqljobs/status
verbs:
- get
- patch
- update
- apiGroups:
- k8s.mariadb.com
resources:
- users
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- k8s.mariadb.com
resources:
- users/finalizers
verbs:
- update
- apiGroups:
- k8s.mariadb.com
resources:
- backups/status
- connections/status
- databases/status
- grants/status
- mariadbs/status
- maxscales/status
- restores/status
- sqljobs/status
- users/status
verbs:
- get
- patch
- update
- apiGroups:
- k8s.mariadb.com
resources:
- maxscale
verbs:
- create
- list
- patch
- watch
- apiGroups:
- monitoring.coreos.com
resources:

7
packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-certificate.yaml
View File

@@ -36,7 +36,11 @@ spec:
{{- with .Values.webhook.cert.certManager.renewBefore }}
renewBefore: {{ . | quote }}
{{- end }}
{{- with .Values.webhook.cert.certManager.revisionHistoryLimit }}
revisionHistoryLimit: {{ . }}
{{- end }}
secretName: {{ include "mariadb-operator.fullname" . }}-webhook-cert
{{- if or (.Values.webhook.cert.secretLabels) (.Values.webhook.cert.secretAnnotations) }}
secretTemplate:
{{- with .Values.webhook.cert.secretLabels }}
labels:
@@ -44,6 +48,7 @@ spec:
{{- end }}
{{- with .Values.webhook.cert.secretAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
{{ end }}

6
packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-deployment.yaml
View File

@@ -51,9 +51,9 @@ spec:
args:
- webhook
{{- if .Values.webhook.cert.certManager.enabled }}
- --ca-cert-path={{ .Values.webhook.cert.path }}/ca.crt
- --ca-cert-path={{ include "mariadb-operator-webhook.certManagerFullCAPath" . }}
{{- else }}
- --ca-cert-path={{ .Values.webhook.cert.caPath }}/tls.crt
- --ca-cert-path={{ include "mariadb-operator-webhook.certControllerFullCAPath" . }}
{{- end }}
- --cert-dir={{ .Values.webhook.cert.path }}
- --dns-name={{ $fullName }}-webhook.{{ .Release.Namespace }}.svc
@@ -76,7 +76,7 @@ spec:
name: health
volumeMounts:
{{- if not .Values.webhook.cert.certManager.enabled }}
- mountPath: {{ .Values.webhook.cert.caPath }}
- mountPath: {{ include "mariadb-operator-webhook.certControllerCAPath" . }}
name: ca
readOnly: true
{{- end }}

29
packages/system/mariadb-operator/charts/mariadb-operator/values.yaml
View File

@@ -2,7 +2,7 @@ nameOverride: ""
fullnameOverride: ""
image:
repository: ghcr.io/mariadb-operator/mariadb-operator
repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
pullPolicy: IfNotPresent
# -- Image tag to use. By default the chart appVersion is used
tag: ""
@@ -51,12 +51,20 @@ rbac:
# -- Specifies whether RBAC resources should be created
enabled: true
aggregation:
# -- Specifies whether the cluster roles aggrate to view and edit predefinied roles
enabled: true
# -- Extra arguments to be passed to the controller entrypoint
extrArgs: []
# -- Extra environment variables to be passed to the controller
extraEnv: []
# -- Extra environment variables from preexiting ConfigMap / Secret objects used by the controller using envFrom
extraEnvFrom: []
# -- Extra volumes to pass to pod.
extraVolumes: []
@@ -89,7 +97,7 @@ affinity: {}
webhook:
image:
repository: ghcr.io/mariadb-operator/mariadb-operator
repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
pullPolicy: IfNotPresent
# -- Image tag to use. By default the chart appVersion is used
tag: ""
@@ -105,17 +113,22 @@ webhook:
enabled: false
# -- Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used.
issuerRef: {}
# -- Duration to be used in the Certificate resource,
# -- Duration to be used in the Certificate resource,
duration: ""
# -- Renew before duration to be used in the Certificate resource.
# -- Renew before duration to be used in the Certificate resource.
renewBefore: ""
# -- The maximum number of CertificateRequest revisions that are maintained in the Certificates history.
revisionHistoryLimit: 3
# -- Annotatioms to be added to webhook TLS secret.
secretAnnotations: {}
# -- Labels to be added to webhook TLS secret.
secretLabels: {}
# -- Path where the CA certificate will be mounted.
caPath: /tmp/k8s-webhook-server/certificate-authority
# -- Path where the certificate will be mounted.
ca:
# -- Path that contains the full CA trust chain.
path: ""
# -- File under 'ca.path' that contains the full CA trust chain.
key: ""
# -- Path where the certificate will be mounted. 'tls.crt' and 'tls.key' certificates files should be under this path.
path: /tmp/k8s-webhook-server/serving-certs
# -- Port to be used by the webhook server
port: 9443
@@ -173,7 +186,7 @@ certController:
# -- Specifies whether the cert-controller should be created.
enabled: true
image:
repository: ghcr.io/mariadb-operator/mariadb-operator
repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
pullPolicy: IfNotPresent
# -- Image tag to use. By default the chart appVersion is used
tag: ""

1
packages/system/mariadb-operator/values.yaml
View File

@@ -1,4 +1,5 @@
mariadb-operator:
clusterName: cozy.local
metrics:
enabled: true
webhook: