mariadb-operator v0.27.0 (#51)
@@ -1,17 +1,19 @@
|
||||
apiVersion: v2
|
||||
appVersion: v0.0.22
|
||||
appVersion: v0.0.27
|
||||
description: Run and operate MariaDB in a cloud native way
|
||||
home: https://github.com/mariadb-operator/mariadb-operator
|
||||
icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb.png
|
||||
icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
|
||||
keywords:
|
||||
- mariadb
|
||||
- mysql
|
||||
- operator
|
||||
- mariadb-operator
|
||||
- database
|
||||
- maxscale
|
||||
kubeVersion: '>= 1.16.0-0'
|
||||
maintainers:
|
||||
- email: mariadb-operator@proton.me
|
||||
name: mmontes11
|
||||
name: mariadb-operator
|
||||
type: application
|
||||
version: 0.22.0
|
||||
version: 0.27.0
|
||||
|
||||
@@ -3,10 +3,10 @@
|
||||
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
|
||||
|
||||
<p align="center">
|
||||
<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
|
||||
<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
|
||||
</p>
|
||||
|
||||
  
|
||||
  
|
||||
|
||||
Run and operate MariaDB in a cloud native way
|
||||
|
||||
@@ -26,20 +26,50 @@ helm uninstall mariadb-operator
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| affinity | object | `{}` | Affinity to add to controller Pod |
|
||||
| certController.affinity | object | `{}` | Affinity to add to controller Pod |
|
||||
| certController.caValidity | string | `"35064h"` | CA certificate validity. It must be greater than certValidity. |
|
||||
| certController.certValidity | string | `"8766h"` | Certificate validity. |
|
||||
| certController.enabled | bool | `true` | Specifies whether the cert-controller should be created. |
|
||||
| certController.extrArgs | list | `[]` | Extra arguments to be passed to the cert-controller entrypoint |
|
||||
| certController.extraVolumeMounts | list | `[]` | Extra volumes to mount to cert-controller container |
|
||||
| certController.extraVolumes | list | `[]` | Extra volumes to pass to cert-controller Pod |
|
||||
| certController.ha.enabled | bool | `false` | Enable high availability |
|
||||
| certController.ha.replicas | int | `3` | Number of replicas |
|
||||
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| certController.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` | |
|
||||
| certController.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
|
||||
| certController.imagePullSecrets | list | `[]` | |
|
||||
| certController.lookaheadValidity | string | `"2160h"` | Duration used to verify whether a certificate is valid or not. |
|
||||
| certController.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
|
||||
| certController.podAnnotations | object | `{}` | Annotations to add to cert-controller Pod |
|
||||
| certController.podSecurityContext | object | `{}` | Security context to add to cert-controller Pod |
|
||||
| certController.requeueDuration | string | `"5m"` | Requeue duration to ensure that certificate gets renewed. |
|
||||
| certController.resources | object | `{}` | Resources to add to cert-controller container |
|
||||
| certController.securityContext | object | `{}` | Security context to add to cert-controller container |
|
||||
| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
|
||||
| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the Pod |
|
||||
| certController.serviceAccount.enabled | bool | `true` | Specifies whether a service account should be created |
|
||||
| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account |
|
||||
| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and enabled is true, a name is generated using the fullname template |
|
||||
| certController.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the cert-controller ServiceMonitor |
|
||||
| certController.serviceMonitor.enabled | bool | `true` | Enable cert-controller ServiceMonitor. Metrics must be enabled |
|
||||
| certController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
|
||||
| certController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
|
||||
| certController.tolerations | list | `[]` | Tolerations to add to controller Pod |
|
||||
| clusterName | string | `"cluster.local"` | Cluster DNS name |
|
||||
| extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |
|
||||
| extraEnv | list | `[]` | Extra environment variables to be passed to the controller |
|
||||
| extraVolumeMounts | list | `[]` | Extra volumes to mount to the container. |
|
||||
| extraVolumes | list | `[]` | Extra volumes to pass to pod. |
|
||||
| fullnameOverride | string | `""` | |
|
||||
| ha.enabled | bool | `false` | Enable high availability |
|
||||
| ha.leaseId | string | `"mariadb.mmontes.io"` | Lease resource name to be used for leader election |
|
||||
| ha.replicas | int | `3` | Number of replicas |
|
||||
| image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` | |
|
||||
| image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
|
||||
| imagePullSecrets | list | `[]` | |
|
||||
| logLevel | string | `"INFO"` | Controller log level |
|
||||
| metrics.enabled | bool | `false` | Enable prometheus metrics. Prometheus must be installed in the cluster |
|
||||
| metrics.enabled | bool | `false` | Enable operator internal metrics. Prometheus must be installed in the cluster |
|
||||
| metrics.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the controller ServiceMonitor |
|
||||
| metrics.serviceMonitor.enabled | bool | `true` | Enable controller ServiceMonitor |
|
||||
| metrics.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
|
||||
@@ -59,16 +89,19 @@ helm uninstall mariadb-operator
|
||||
| tolerations | list | `[]` | Tolerations to add to controller Pod |
|
||||
| webhook.affinity | object | `{}` | Affinity to add to controller Pod |
|
||||
| webhook.annotations | object | `{}` | Annotations for webhook configurations. |
|
||||
| webhook.certificate.certManager | bool | `false` | Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used. |
|
||||
| webhook.certificate.default | object | `{"annotations":{},"caExpirationDays":365,"certExpirationDays":365,"hook":""}` | Default certificate generated when the chart is installed or upgraded. |
|
||||
| webhook.certificate.default.annotations | object | `{}` | Annotations for certificate Secret. |
|
||||
| webhook.certificate.default.caExpirationDays | int | `365` | Certificate authority expiration in days. |
|
||||
| webhook.certificate.default.certExpirationDays | int | `365` | Certificate expiration in days. |
|
||||
| webhook.certificate.default.hook | string | `""` | Helm hook to be added to the default certificate. |
|
||||
| webhook.certificate.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
|
||||
| webhook.cert.caPath | string | `"/tmp/k8s-webhook-server/certificate-authority"` | Path where the CA certificate will be mounted. |
|
||||
| webhook.cert.certManager.duration | string | `""` | Duration to be used in the Certificate resource, |
|
||||
| webhook.cert.certManager.enabled | bool | `false` | Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead. |
|
||||
| webhook.cert.certManager.issuerRef | object | `{}` | Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used. |
|
||||
| webhook.cert.certManager.renewBefore | string | `""` | Renew before duration to be used in the Certificate resource. |
|
||||
| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
|
||||
| webhook.cert.secretAnnotations | object | `{}` | Annotatioms to be added to webhook TLS secret. |
|
||||
| webhook.cert.secretLabels | object | `{}` | Labels to be added to webhook TLS secret. |
|
||||
| webhook.extrArgs | list | `[]` | Extra arguments to be passed to the webhook entrypoint |
|
||||
| webhook.extraVolumeMounts | list | `[]` | Extra volumes to mount to webhook container |
|
||||
| webhook.extraVolumes | list | `[]` | Extra volumes to pass to webhook Pod |
|
||||
| webhook.ha.enabled | bool | `false` | Enable high availability |
|
||||
| webhook.ha.replicas | int | `3` | Number of replicas |
|
||||
| webhook.hostNetwork | bool | `false` | Expose the webhook server in the host network |
|
||||
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| webhook.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` | |
|
||||
@@ -77,7 +110,7 @@ helm uninstall mariadb-operator
|
||||
| webhook.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
|
||||
| webhook.podAnnotations | object | `{}` | Annotations to add to webhook Pod |
|
||||
| webhook.podSecurityContext | object | `{}` | Security context to add to webhook Pod |
|
||||
| webhook.port | int | `10250` | Port to be used by the webhook server |
|
||||
| webhook.port | int | `9443` | Port to be used by the webhook server |
|
||||
| webhook.resources | object | `{}` | Resources to add to webhook container |
|
||||
| webhook.securityContext | object | `{}` | Security context to add to webhook container |
|
||||
| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
|
||||
|
||||
<p align="center">
|
||||
<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
|
||||
<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
|
||||
</p>
|
||||
|
||||
{{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }}
|
||||
|
||||
@@ -71,28 +71,23 @@ app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Webhook certificate
|
||||
Cert-controller common labels
|
||||
*/}}
|
||||
{{- define "mariadb-operator-webhook.certificate" -}}
|
||||
{{- if .Values.webhook.certificate.certManager }}
|
||||
{{- include "mariadb-operator.fullname" . }}-webhook-cert
|
||||
{{- else }}
|
||||
{{- include "mariadb-operator.fullname" . }}-webhook-default-cert
|
||||
{{- end }}
|
||||
{{- define "mariadb-operator-cert-controller.labels" -}}
|
||||
helm.sh/chart: {{ include "mariadb-operator.chart" . }}
|
||||
{{ include "mariadb-operator-cert-controller.selectorLabels" . }}
|
||||
{{ if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{ end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Webhook certificate subject name
|
||||
Cert-controller selector labels
|
||||
*/}}
|
||||
{{- define "mariadb-operator-webhook.subjectName" -}}
|
||||
{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Webhook certificate subject alternative name
|
||||
*/}}
|
||||
{{- define "mariadb-operator-webhook.altName" -}}
|
||||
{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
|
||||
{{- define "mariadb-operator-cert-controller.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "mariadb-operator.name" . }}-cert-controller
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
@@ -116,3 +111,14 @@ Create the name of the webhook service account to use
|
||||
{{- default "default" .Values.webhook.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the cert-controller service account to use
|
||||
*/}}
|
||||
{{- define "mariadb-operator-cert-controller.serviceAccountName" -}}
|
||||
{{- if .Values.certController.serviceAccount.enabled }}
|
||||
{{- default (printf "%s-cert-controller" (include "mariadb-operator.fullname" .)) .Values.certController.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.certController.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,103 @@
|
||||
{{- if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "mariadb-operator.fullname" . }}-cert-controller
|
||||
labels:
|
||||
{{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{ if .Values.certController.ha.enabled }}
|
||||
replicas: {{ .Values.certController.ha.replicas}}
|
||||
{{ end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
{{ with .Values.certController.podAnnotations }}
|
||||
annotations:
|
||||
{{ toYaml . | nindent 8 }}
|
||||
{{ end }}
|
||||
labels:
|
||||
{{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 8 }}
|
||||
spec:
|
||||
{{- with .Values.certController.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
|
||||
automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
|
||||
{{ with .Values.certController.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml . | nindent 8 }}
|
||||
{{ end }}
|
||||
{{ with .Values.certController.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml . | nindent 8 }}
|
||||
{{ end }}
|
||||
{{ with .Values.certController.affinity }}
|
||||
affinity:
|
||||
{{ toYaml . | nindent 8 }}
|
||||
{{ end }}
|
||||
{{ with .Values.certController.podSecurityContext }}
|
||||
securityContext:
|
||||
{{ toYaml . | nindent 8 }}
|
||||
{{ end }}
|
||||
containers:
|
||||
- image: "{{ .Values.certController.image.repository }}:{{ .Values.certController.image.tag | default .Chart.AppVersion }}"
|
||||
imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
|
||||
name: cert-controller
|
||||
args:
|
||||
- cert-controller
|
||||
- --ca-secret-name={{ include "mariadb-operator.fullname" . }}-webhook-ca
|
||||
- --ca-secret-namespace={{ .Release.Namespace }}
|
||||
- --ca-validity={{ .Values.certController.caValidity }}
|
||||
- --cert-secret-name={{ include "mariadb-operator.fullname" . }}-webhook-cert
|
||||
- --cert-secret-namespace={{ .Release.Namespace }}
|
||||
- --cert-validity={{ .Values.certController.certValidity }}
|
||||
- --lookahead-validity={{ .Values.certController.lookaheadValidity }}
|
||||
- --service-name={{ include "mariadb-operator.fullname" . }}-webhook
|
||||
- --service-namespace={{ .Release.Namespace }}
|
||||
- --requeue-duration={{ .Values.certController.requeueDuration }}
|
||||
- --metrics-addr=:8080
|
||||
- --health-addr=:8081
|
||||
- --log-level={{ .Values.logLevel }}
|
||||
{{- if .Values.certController.ha.enabled }}
|
||||
- --leader-elect
|
||||
{{- end }}
|
||||
{{- range .Values.certController.extrArgs }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
protocol: TCP
|
||||
name: metrics
|
||||
- containerPort: 8081
|
||||
protocol: TCP
|
||||
name: health
|
||||
env:
|
||||
- name: CLUSTER_NAME
|
||||
value: {{ .Values.clusterName }}
|
||||
{{- with .Values.certController.extraVolumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /readyz
|
||||
port: 8081
|
||||
initialDelaySeconds: 20
|
||||
periodSeconds: 5
|
||||
{{ with .Values.certController.resources }}
|
||||
resources:
|
||||
{{ toYaml . | nindent 12 }}
|
||||
{{ end }}
|
||||
{{ with .Values.certController.securityContext}}
|
||||
securityContext:
|
||||
{{ toYaml . | nindent 12 }}
|
||||
{{ end }}
|
||||
{{- with .Values.certController.extraVolumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
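Review bot: `serviceAccountName` appends `-cert-controller` to the output of `mariadb-operator-cert-controller.serviceAccountName`, but that helper already defaults to `<fullname>-cert-controller`, so the rendered name is `<fullname>-cert-controller-cert-controller`. A user-supplied `certController.serviceAccount.name` of `foo` likewise becomes `foo-cert-controller`, not the name the README documents for that key. The same suffix is repeated in the ServiceAccount template and in the RoleBinding and ClusterRoleBinding subjects, so the objects agree with each other, but anyone pre-creating or auditing the account by its configured name will not find the identity that actually holds the cluster-wide permissions. I would drop the suffix in all four places, i.e. `serviceAccountName: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}`.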
@@ -0,0 +1,88 @@
|
||||
{{- if and .Values.rbac.enabled .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
|
||||
{{ $fullName := include "mariadb-operator.fullname" . }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $fullName }}-cert-controller
|
||||
rules:
|
||||
- apiGroups:
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
- leases
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
- delete
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ $fullName }}-cert-controller
|
||||
rules:
|
||||
- apiGroups:
|
||||
- admissionregistration.k8s.io
|
||||
resources:
|
||||
- validatingwebhookconfigurations
|
||||
- mutatingwebhookconfigurations
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- update
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- endpoints
|
||||
- endpoints/restricted
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $fullName }}-cert-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $fullName }}-cert-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ $fullName }}-cert-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ $fullName }}-cert-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
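Review bot: The `secrets` rule sits in the ClusterRole and is bound through the ClusterRoleBinding, so the cert-controller service account can `create`, `list`, `patch` and `watch` Secrets in every namespace, and `list`/`watch` alone return full Secret contents cluster-wide. The Deployment added in this commit passes `--ca-secret-namespace` and `--cert-secret-namespace` as `{{ .Release.Namespace }}`, which suggests the controller only needs Secrets in the release namespace. Moving the `secrets` rule (and probably the `endpoints` rule) into the namespaced `Role` defined above would leave the ClusterRole with only the cluster-scoped `validatingwebhookconfigurations` and `mutatingwebhookconfigurations`, which could be narrowed further with `resourceNames` if the configuration names are fixed. Whether the controller's cache can be restricted to one namespace is not visible here and should be confirmed before changing the binding.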
@@ -0,0 +1,15 @@
|
||||
{{- if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
|
||||
labels:
|
||||
{{- include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
|
||||
{{- with .Values.certController.serviceAccount.extraLabels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.certController.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
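Review bot: The guard on this template checks `certController.enabled` and `webhook.cert.certManager.enabled` but not `certController.serviceAccount.enabled`, which the README in this commit describes as "Specifies whether a service account should be created". As written the ServiceAccount is rendered regardless of that flag, so setting it to `false` in order to use a pre-provisioned, separately reviewed account has no effect on what gets created. Adding `.Values.certController.serviceAccount.enabled` to the `and` condition would match the documented behaviour.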
@@ -0,0 +1,36 @@
|
||||
{{ if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) .Values.metrics.enabled .Values.certController.serviceMonitor.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "mariadb-operator.fullname" . }}-cert-controller-metrics
|
||||
labels:
|
||||
{{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 8080
|
||||
protocol: TCP
|
||||
name: metrics
|
||||
selector:
|
||||
{{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 4 }}
|
||||
---
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "mariadb-operator.fullname" . }}-cert-controller
|
||||
labels:
|
||||
{{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
|
||||
{{ with .Values.certController.serviceMonitor.additionalLabels }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 6 }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace | quote }}
|
||||
endpoints:
|
||||
- port: metrics
|
||||
interval: {{ .Values.certController.serviceMonitor.interval }}
|
||||
scrapeTimeout: {{ .Values.certController.serviceMonitor.scrapeTimeout }}
|
||||
{{ end }}
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
data:
|
||||
MARIADB_GALERA_AGENT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
|
||||
MARIADB_GALERA_INIT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
|
||||
MARIADB_GALERA_LIB_PATH: /usr/lib/galera/libgalera_smm.so
|
||||
MARIADB_OPERATOR_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
|
||||
RELATED_IMAGE_EXPORTER: prom/mysqld-exporter:v0.15.1
|
||||
RELATED_IMAGE_MARIADB: mariadb:11.2.2
|
||||
RELATED_IMAGE_MAXSCALE: mariadb/maxscale:23.08
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: mariadb-operator-env
|
||||
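Review bot: The image references in this ConfigMap are fixed strings pinned by tag only (`mariadb:11.2.2`, `mariadb/maxscale:23.08`, `prom/mysqld-exporter:v0.15.1`, and the operator image at `v0.0.27`), so they do not follow the chart's `image.repository`/`image.tag` overrides. If the operator uses these variables as the images it launches, which the names suggest but this page does not show, clusters that mirror images to a private registry or enforce an allowed-registry policy would still get workloads referencing `ghcr.io` and Docker Hub, and a registry-side retag would change what runs. Consider templating these entries from chart values and accepting a digest form such as `repo@sha256:<digest>`. The object name `mariadb-operator-env` is also not release-scoped, so two releases in one namespace would contend for the same ConfigMap.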
@@ -53,17 +53,17 @@ spec:
|
||||
{{- if .Values.ha.enabled }}
|
||||
- --leader-elect
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- --service-monitor-reconciler
|
||||
{{- end }}
|
||||
{{- range .Values.extrArgs }}
|
||||
{{- range .Values.extraArgs }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
protocol: TCP
|
||||
name: metrics
|
||||
env:
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: mariadb-operator-env
|
||||
env:
|
||||
- name: CLUSTER_NAME
|
||||
value: {{ .Values.clusterName }}
|
||||
- name: MARIADB_OPERATOR_NAME
|
||||
@@ -76,6 +76,9 @@ spec:
|
||||
fieldPath: metadata.namespace
|
||||
- name: MARIADB_OPERATOR_SA_PATH
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
{{- with .Values.extraEnv }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraVolumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
|
||||
@@ -88,21 +91,6 @@ spec:
|
||||
securityContext:
|
||||
{{ toYaml . | nindent 12 }}
|
||||
{{ end }}
|
||||
readinessProbe:
|
||||
tcpSocket:
|
||||
port: 8080
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 10
|
||||
livenessProbe:
|
||||
tcpSocket:
|
||||
port: 8080
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 10
|
||||
startupProbe:
|
||||
tcpSocket:
|
||||
port: 8080
|
||||
initialDelaySeconds: 20
|
||||
periodSeconds: 10
|
||||
{{- if .Values.extraVolumes }}
|
||||
volumes:
|
||||
{{- toYaml .Values.extraVolumes | nindent 8 }}
|
||||
|
||||
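Review bot: The args loop in the first hunk now ranges over `.Values.extraArgs`, while the README table in this same commit still documents the controller key as `extrArgs`, and the new cert-controller template ranges over `.Values.certController.extrArgs`. If values.yaml (not visible on this page) still defines `extrArgs`, any controller flags an operator has set there are silently dropped on upgrade, with no template error to signal it. The key should be made consistent across values.yaml, the README and the three Deployments. The last hunk also removes the readiness, liveness and startup probes from the operator container without a replacement, whereas the cert-controller added in this commit gets a `/readyz` probe; a health-endpoint probe here would keep a wedged operator from being reported as ready.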
@@ -56,6 +56,15 @@ rules:
|
||||
- ""
|
||||
resources:
|
||||
- endpoints
|
||||
verbs:
|
||||
- create
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- endpoints/restricted
|
||||
verbs:
|
||||
- create
|
||||
@@ -90,6 +99,12 @@ rules:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pvcs
|
||||
verbs:
|
||||
- list
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
@@ -117,16 +132,38 @@ rules:
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- apps
|
||||
resources:
|
||||
- deployments
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- apps
|
||||
resources:
|
||||
- statefulsets
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- authentication.k8s.io
|
||||
resources:
|
||||
- tokenreviews
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- authorization.k8s.io
|
||||
resources:
|
||||
- subjectaccessreviews
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- batch
|
||||
resources:
|
||||
@@ -142,11 +179,12 @@ rules:
|
||||
- jobs
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- backups
|
||||
verbs:
|
||||
@@ -158,13 +196,13 @@ rules:
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- backups/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- backups/status
|
||||
verbs:
|
||||
@@ -172,7 +210,7 @@ rules:
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- connections
|
||||
verbs:
|
||||
@@ -184,23 +222,37 @@ rules:
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- connections
|
||||
- grants
|
||||
- maxscale
|
||||
- restores
|
||||
- users
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- connections
|
||||
- grants
|
||||
- users
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- connections/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- connections/status
|
||||
verbs:
|
||||
@@ -208,7 +260,7 @@ rules:
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- databases
|
||||
verbs:
|
||||
@@ -220,13 +272,13 @@ rules:
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- databases/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- databases/status
|
||||
verbs:
|
||||
@@ -234,7 +286,7 @@ rules:
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- grants
|
||||
verbs:
|
||||
@@ -246,13 +298,13 @@ rules:
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- grants/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- grants/status
|
||||
verbs:
|
||||
@@ -260,7 +312,7 @@ rules:
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- mariadbs
|
||||
verbs:
|
||||
@@ -272,13 +324,13 @@ rules:
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- mariadbs/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- mariadbs/status
|
||||
verbs:
|
||||
@@ -286,7 +338,33 @@ rules:
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- maxscales
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- maxscales/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- maxscales/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- restores
|
||||
verbs:
|
||||
@@ -298,13 +376,13 @@ rules:
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- restores/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- restores/status
|
||||
verbs:
|
||||
@@ -312,7 +390,7 @@ rules:
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- sqljobs
|
||||
verbs:
|
||||
@@ -324,13 +402,13 @@ rules:
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- sqljobs/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- sqljobs/status
|
||||
verbs:
|
||||
@@ -338,7 +416,7 @@ rules:
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- users
|
||||
verbs:
|
||||
@@ -350,13 +428,13 @@ rules:
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- users/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
resources:
|
||||
- users/status
|
||||
verbs:
|
||||
@@ -431,4 +509,4 @@ subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "mariadb-operator.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
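Review bot: The rule added in the `@@ -90,6 +99,12 @@` hunk names the resource `pvcs` in the core API group, which is not a resource name the API server serves; RBAC matches the plural resource name literally and does not expand kubectl abbreviations, so this rule appears to grant nothing. If the operator needs to list claims the entry should read `- persistentvolumeclaims`, and if that resource is already covered elsewhere in the file (outside the visible hunks) this rule can be dropped. The singular `maxscale` entry in the grouped rule alongside `connections`, `grants`, `restores` and `users` looks like the same kind of mismatch against the `maxscales` resource granted further down. Dead rules like these make the role harder to audit, because the permissions listed no longer correspond to what the service account can actually do.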
@@ -1,4 +1,5 @@
|
||||
{{ if .Values.webhook.certificate.certManager }}
|
||||
{{ if .Values.webhook.cert.certManager.enabled }}
|
||||
{{ if not .Values.webhook.cert.certManager.issuerRef }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
@@ -7,6 +8,7 @@ metadata:
|
||||
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selfSigned: {}
|
||||
{{ end }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
@@ -15,11 +17,33 @@ metadata:
|
||||
labels:
|
||||
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
|
||||
spec:
|
||||
commonName: {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
|
||||
dnsNames:
|
||||
- {{ include "mariadb-operator-webhook.subjectName" . }}
|
||||
- {{ include "mariadb-operator-webhook.altName" . }}
|
||||
- {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
|
||||
- {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
|
||||
- {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}
|
||||
- {{ include "mariadb-operator.fullname" . }}-webhook
|
||||
issuerRef:
|
||||
{{- if .Values.webhook.cert.certManager.issuerRef -}}
|
||||
{{ toYaml .Values.webhook.cert.certManager.issuerRef | nindent 4 }}
|
||||
{{- else }}
|
||||
kind: Issuer
|
||||
name: {{ include "mariadb-operator.fullname" . }}-selfsigned-issuer
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.cert.certManager.duration }}
|
||||
duration: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.cert.certManager.renewBefore }}
|
||||
renewBefore: {{ . | quote }}
|
||||
{{- end }}
|
||||
secretName: {{ include "mariadb-operator.fullname" . }}-webhook-cert
|
||||
{{ end }}
|
||||
secretTemplate:
|
||||
{{- with .Values.webhook.cert.secretLabels }}
|
||||
labels:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.webhook.cert.secretAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
|
||||
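Review bot: In the added `secretTemplate` block the labels are rendered with `nindent 6` but the annotations with `nindent 4`. Both maps sit one level below `secretTemplate`, so unless `annotations:` is indented differently from `labels:` (this page has lost the indentation), setting `webhook.cert.secretAnnotations` would place the entries at the same depth as the `annotations:` key and yield a malformed Certificate spec. I would use `{{- toYaml . | nindent 6 }}` for the annotations as well. `secretTemplate:` is also emitted unconditionally, so with both values empty it renders as a null field; guarding it on either value being set would avoid that.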
@@ -1,30 +1,4 @@
|
||||
{{ $fullName := include "mariadb-operator.fullname" . }}
|
||||
{{ $subjectName := include "mariadb-operator-webhook.subjectName" . }}
|
||||
{{ $altNames := list }}
|
||||
{{ $altNames := append $altNames $subjectName }}
|
||||
{{ $altNames := append $altNames (include "mariadb-operator-webhook.altName" . ) }}
|
||||
{{ $ca := genCA $fullName (.Values.webhook.certificate.default.caExpirationDays | int) }}
|
||||
{{ $cert := genSignedCert $subjectName nil $altNames (.Values.webhook.certificate.default.certExpirationDays | int) $ca }}
|
||||
{{ if not .Values.webhook.certificate.certManager }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: kubernetes.io/tls
|
||||
metadata:
|
||||
name: {{ $fullName }}-webhook-default-cert
|
||||
labels:
|
||||
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{ with .Values.webhook.certificate.default.hook }}
|
||||
helm.sh/hook: {{ . }}
|
||||
{{ end }}
|
||||
{{ with .Values.webhook.certificate.default.annotations }}
|
||||
{{ toYaml . | nindent 4 }}
|
||||
{{ end }}
|
||||
data:
|
||||
tls.crt: {{ $cert.Cert | b64enc }}
|
||||
tls.key: {{ $cert.Key | b64enc }}
|
||||
{{ end }}
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
@@ -32,12 +6,11 @@ metadata:
|
||||
labels:
|
||||
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{ if .Values.webhook.certificate.certManager }}
|
||||
{{- if .Values.webhook.cert.certManager.enabled }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
|
||||
{{ end }}
|
||||
{{ with .Values.webhook.certificate.default.hook }}
|
||||
helm.sh/hook: {{ . }}
|
||||
{{ end }}
|
||||
{{- else }}
|
||||
k8s.mariadb.com/webhook: ""
|
||||
{{- end }}
|
||||
{{ with .Values.webhook.annotations }}
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{ end }}
|
||||
@@ -48,15 +21,12 @@ webhooks:
|
||||
service:
|
||||
name: {{ $fullName }}-webhook
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: /mutate-mariadb-mmontes-io-v1alpha1-mariadb
|
||||
{{ if not .Values.webhook.certificate.certManager }}
|
||||
caBundle: {{ $ca.Cert | b64enc }}
|
||||
{{ end }}
|
||||
path: /mutate-k8s-mariadb-com-v1alpha1-mariadb
|
||||
failurePolicy: Fail
|
||||
name: mmariadb.kb.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
apiVersions:
|
||||
- v1alpha1
|
||||
operations:
|
||||
@@ -73,12 +43,11 @@ metadata:
|
||||
labels:
|
||||
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{ if .Values.webhook.certificate.certManager }}
|
||||
{{- if .Values.webhook.cert.certManager.enabled }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
|
||||
{{ end }}
|
||||
{{ with .Values.webhook.certificate.default.hook }}
|
||||
helm.sh/hook: {{ . }}
|
||||
{{ end }}
|
||||
{{- else }}
|
||||
k8s.mariadb.com/webhook: ""
|
||||
{{- end }}
|
||||
{{ with .Values.webhook.annotations }}
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{ end }}
|
||||
@@ -89,15 +58,12 @@ webhooks:
|
||||
service:
|
||||
name: {{ $fullName }}-webhook
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: /validate-mariadb-mmontes-io-v1alpha1-backup
|
||||
{{ if not .Values.webhook.certificate.certManager }}
|
||||
caBundle: {{ $ca.Cert | b64enc }}
|
||||
{{ end }}
|
||||
path: /validate-k8s-mariadb-com-v1alpha1-backup
|
||||
failurePolicy: Fail
|
||||
name: vbackup.kb.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
apiVersions:
|
||||
- v1alpha1
|
||||
operations:
|
||||
@@ -112,15 +78,12 @@ webhooks:
|
||||
service:
|
||||
name: {{ $fullName }}-webhook
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: /validate-mariadb-mmontes-io-v1alpha1-connection
|
||||
{{ if not .Values.webhook.certificate.certManager }}
|
||||
caBundle: {{ $ca.Cert | b64enc }}
|
||||
{{ end }}
|
||||
path: /validate-k8s-mariadb-com-v1alpha1-connection
|
||||
failurePolicy: Fail
|
||||
name: vconnection.kb.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
apiVersions:
|
||||
- v1alpha1
|
||||
operations:
|
||||
@@ -135,15 +98,12 @@ webhooks:
|
||||
service:
|
||||
name: {{ $fullName }}-webhook
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: /validate-mariadb-mmontes-io-v1alpha1-database
|
||||
{{ if not .Values.webhook.certificate.certManager }}
|
||||
caBundle: {{ $ca.Cert | b64enc }}
|
||||
{{ end }}
|
||||
path: /validate-k8s-mariadb-com-v1alpha1-database
|
||||
failurePolicy: Fail
|
||||
name: vdatabase.kb.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
apiVersions:
|
||||
- v1alpha1
|
||||
operations:
|
||||
@@ -158,15 +118,12 @@ webhooks:
|
||||
service:
|
||||
name: {{ $fullName }}-webhook
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: /validate-mariadb-mmontes-io-v1alpha1-grant
|
||||
{{ if not .Values.webhook.certificate.certManager }}
|
||||
caBundle: {{ $ca.Cert | b64enc }}
|
||||
{{ end }}
|
||||
path: /validate-k8s-mariadb-com-v1alpha1-grant
|
||||
failurePolicy: Fail
|
||||
name: vgrant.kb.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
apiVersions:
|
||||
- v1alpha1
|
||||
operations:
|
||||
@@ -181,15 +138,12 @@ webhooks:
|
||||
service:
|
||||
name: {{ $fullName }}-webhook
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: /validate-mariadb-mmontes-io-v1alpha1-mariadb
|
||||
{{ if not .Values.webhook.certificate.certManager }}
|
||||
caBundle: {{ $ca.Cert | b64enc }}
|
||||
{{ end }}
|
||||
path: /validate-k8s-mariadb-com-v1alpha1-mariadb
|
||||
failurePolicy: Fail
|
||||
name: vmariadb.kb.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
apiVersions:
|
||||
- v1alpha1
|
||||
operations:
|
||||
@@ -198,21 +152,38 @@ webhooks:
|
||||
resources:
|
||||
- mariadbs
|
||||
sideEffects: None
|
||||
- admissionReviewVersions:
|
||||
- v1
|
||||
clientConfig:
|
||||
service:
|
||||
name: {{ $fullName }}-webhook
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: /validate-k8s-mariadb-com-v1alpha1-maxscale
|
||||
failurePolicy: Fail
|
||||
name: vmaxscale.kb.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- k8s.mariadb.com
|
||||
apiVersions:
|
||||
- v1alpha1
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- maxscales
|
||||
sideEffects: None
|
||||
- admissionReviewVersions:
|
||||
- v1
|
||||
clientConfig:
|
||||
service:
|
||||
name: {{ $fullName }}-webhook
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: /validate-mariadb-mmontes-io-v1alpha1-restore
|
||||
{{ if not .Values.webhook.certificate.certManager }}
|
||||
caBundle: {{ $ca.Cert | b64enc }}
|
||||
{{ end }}
|
||||
path: /validate-k8s-mariadb-com-v1alpha1-restore
|
||||
failurePolicy: Fail
|
||||
name: vrestore.kb.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
apiVersions:
|
||||
- v1alpha1
|
||||
operations:
|
||||
@@ -227,15 +198,12 @@ webhooks:
|
||||
service:
|
||||
name: {{ $fullName }}-webhook
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: /validate-mariadb-mmontes-io-v1alpha1-sqljob
|
||||
{{ if not .Values.webhook.certificate.certManager }}
|
||||
caBundle: {{ $ca.Cert | b64enc }}
|
||||
{{ end }}
|
||||
path: /validate-k8s-mariadb-com-v1alpha1-sqljob
|
||||
failurePolicy: Fail
|
||||
name: vsqljob.kb.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
apiVersions:
|
||||
- v1alpha1
|
||||
operations:
|
||||
@@ -250,15 +218,12 @@ webhooks:
|
||||
service:
|
||||
name: {{ $fullName }}-webhook
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: /validate-mariadb-mmontes-io-v1alpha1-user
|
||||
{{ if not .Values.webhook.certificate.certManager }}
|
||||
caBundle: {{ $ca.Cert | b64enc }}
|
||||
{{ end }}
|
||||
path: /validate-k8s-mariadb-com-v1alpha1-user
|
||||
failurePolicy: Fail
|
||||
name: vuser.kb.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- mariadb.mmontes.io
|
||||
- k8s.mariadb.com
|
||||
apiVersions:
|
||||
- v1alpha1
|
||||
operations:
|
||||
|
||||
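Review bot: Nothing in this template says where `caBundle` now comes from, although the `caBundle: {{ $ca.Cert | b64enc }}` entries appear to be dropped and every webhook keeps `failurePolicy: Fail`. As rendered, both configurations carry either the `cert-manager.io/inject-ca-from` annotation or the bare marker `k8s.mariadb.com/webhook: ""`. Admission of `k8s.mariadb.com` resources is therefore denied until a controller has injected the CA; in the second case that is presumably the chart's cert-controller, which this file does not show. I would add a template comment above each annotations block, for example `{{- /* caBundle is injected at runtime; with failurePolicy: Fail requests are denied until it is present */ -}}`. Anything that applies MariaDB resources right after install should also wait for the webhook to be ready.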
@@ -1,10 +1,14 @@
|
||||
{{ $fullName := include "mariadb-operator.fullname" . }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "mariadb-operator.fullname" . }}-webhook
|
||||
name: {{ $fullName }}-webhook
|
||||
labels:
|
||||
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{ if .Values.webhook.ha.enabled }}
|
||||
replicas: {{ .Values.webhook.ha.replicas}}
|
||||
{{ end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ include "mariadb-operator-webhook.selectorLabels" . | nindent 6 }}
|
||||
@@ -46,12 +50,18 @@ spec:
|
||||
name: webhook
|
||||
args:
|
||||
- webhook
|
||||
- --cert-dir={{ .Values.webhook.certificate.path }}
|
||||
{{- if .Values.webhook.cert.certManager.enabled }}
|
||||
- --ca-cert-path={{ .Values.webhook.cert.path }}/ca.crt
|
||||
{{- else }}
|
||||
- --ca-cert-path={{ .Values.webhook.cert.caPath }}/tls.crt
|
||||
{{- end }}
|
||||
- --cert-dir={{ .Values.webhook.cert.path }}
|
||||
- --dns-name={{ $fullName }}-webhook.{{ .Release.Namespace }}.svc
|
||||
- --port={{ .Values.webhook.port }}
|
||||
- --metrics-addr=:8080
|
||||
- --health-addr=:8081
|
||||
- --log-level={{ .Values.logLevel }}
|
||||
{{- range .Values.extrArgs }}
|
||||
{{- range .Values.webhook.extrArgs }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
ports:
|
||||
@@ -65,7 +75,12 @@ spec:
|
||||
protocol: TCP
|
||||
name: health
|
||||
volumeMounts:
|
||||
- mountPath: {{ .Values.webhook.certificate.path }}
|
||||
{{- if not .Values.webhook.cert.certManager.enabled }}
|
||||
- mountPath: {{ .Values.webhook.cert.caPath }}
|
||||
name: ca
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- mountPath: {{ .Values.webhook.cert.path }}
|
||||
name: cert
|
||||
readOnly: true
|
||||
{{- if .Values.webhook.extraVolumeMounts }}
|
||||
@@ -73,22 +88,10 @@ spec:
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
path: /readyz
|
||||
port: 8081
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 8081
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 8081
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
initialDelaySeconds: 20
|
||||
periodSeconds: 5
|
||||
{{ with .Values.webhook.resources }}
|
||||
resources:
|
||||
{{ toYaml . | nindent 12 }}
|
||||
@@ -98,10 +101,16 @@ spec:
|
||||
{{ toYaml . | nindent 12 }}
|
||||
{{ end }}
|
||||
volumes:
|
||||
{{- if not .Values.webhook.cert.certManager.enabled }}
|
||||
- name: ca
|
||||
secret:
|
||||
defaultMode: 420
|
||||
secretName: {{ $fullName }}-webhook-ca
|
||||
{{- end }}
|
||||
- name: cert
|
||||
secret:
|
||||
defaultMode: 420
|
||||
secretName: {{ include "mariadb-operator-webhook.certificate" . }}
|
||||
secretName: {{ $fullName }}-webhook-cert
|
||||
{{- if .Values.webhook.extraVolumes }}
|
||||
{{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
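Review bot: The new `ca` volume mounts the whole `{{ $fullName }}-webhook-ca` Secret into the webhook container, although the only file the arguments reference is `{{ .Values.webhook.cert.caPath }}/tls.crt`. If that Secret also holds the CA private key, the admission webhook pod can read a signing key it has no use for, and `defaultMode: 420` makes it readable by any user in the container. The `tls.crt` key name suggests a TLS-style Secret, but its contents are not visible in this commit. Projecting only the certificate keeps the key out of the pod: `items: [{key: tls.crt, path: tls.crt}]` under that volume's `secret:`. The container spec starts outside the hunks shown here.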
@@ -0,0 +1,25 @@
|
||||
{{- if not .Values.webhook.cert.certManager.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "mariadb-operator.fullname" . }}-webhook-ca
|
||||
labels:
|
||||
{{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
|
||||
mariadb-operator.io/component: webhook
|
||||
{{- with .Values.webhook.cert.secretAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "mariadb-operator.fullname" . }}-webhook-cert
|
||||
labels:
|
||||
{{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
|
||||
mariadb-operator.io/component: webhook
|
||||
{{- with .Values.webhook.cert.secretAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
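Review bot: These two Secrets are rendered without `type` or `data`, so they are only usable once something else fills them, yet the template is gated solely on `webhook.cert.certManager.enabled`. With `certController.enabled: false` and cert-manager off, the chart would still install a webhook Deployment that mounts empty Secrets, and with `failurePolicy: Fail` on the webhook configurations every create or update of the operator's resources would then be rejected. A guard at the top of the file turns that combination into a render-time error: `{{- if and (not .Values.webhook.cert.certManager.enabled) (not .Values.certController.enabled) }}{{ fail "webhook TLS needs webhook.cert.certManager.enabled or certController.enabled" }}{{- end }}`. Whether another template already enforces this cannot be told from this page.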
@@ -19,11 +19,9 @@ ha:
|
||||
enabled: false
|
||||
# -- Number of replicas
|
||||
replicas: 3
|
||||
# -- Lease resource name to be used for leader election
|
||||
leaseId: mariadb.mmontes.io
|
||||
|
||||
metrics:
|
||||
# -- Enable prometheus metrics. Prometheus must be installed in the cluster
|
||||
# -- Enable operator internal metrics. Prometheus must be installed in the cluster
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
# -- Enable controller ServiceMonitor
|
||||
@@ -56,6 +54,9 @@ rbac:
|
||||
# -- Extra arguments to be passed to the controller entrypoint
|
||||
extrArgs: []
|
||||
|
||||
# -- Extra environment variables to be passed to the controller
|
||||
extraEnv: []
|
||||
|
||||
# -- Extra volumes to pass to pod.
|
||||
extraVolumes: []
|
||||
|
||||
@@ -87,31 +88,37 @@ tolerations: []
|
||||
affinity: {}
|
||||
|
||||
webhook:
|
||||
# -- Annotations for webhook configurations.
|
||||
annotations: {}
|
||||
image:
|
||||
repository: ghcr.io/mariadb-operator/mariadb-operator
|
||||
pullPolicy: IfNotPresent
|
||||
# -- Image tag to use. By default the chart appVersion is used
|
||||
tag: ""
|
||||
imagePullSecrets: []
|
||||
certificate:
|
||||
# -- Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used.
|
||||
certManager: false
|
||||
# -- Default certificate generated when the chart is installed or upgraded.
|
||||
default:
|
||||
# -- Certificate authority expiration in days.
|
||||
caExpirationDays: 365
|
||||
# -- Certificate expiration in days.
|
||||
certExpirationDays: 365
|
||||
# -- Annotations for certificate Secret.
|
||||
annotations: {}
|
||||
# -- Helm hook to be added to the default certificate.
|
||||
hook: ""
|
||||
ha:
|
||||
# -- Enable high availability
|
||||
enabled: false
|
||||
# -- Number of replicas
|
||||
replicas: 3
|
||||
cert:
|
||||
certManager:
|
||||
# -- Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead.
|
||||
enabled: false
|
||||
# -- Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used.
|
||||
issuerRef: {}
|
||||
# -- Duration to be used in the Certificate resource,
|
||||
duration: ""
|
||||
# -- Renew before duration to be used in the Certificate resource.
|
||||
renewBefore: ""
|
||||
# -- Annotatioms to be added to webhook TLS secret.
|
||||
secretAnnotations: {}
|
||||
# -- Labels to be added to webhook TLS secret.
|
||||
secretLabels: {}
|
||||
# -- Path where the CA certificate will be mounted.
|
||||
caPath: /tmp/k8s-webhook-server/certificate-authority
|
||||
# -- Path where the certificate will be mounted.
|
||||
path: /tmp/k8s-webhook-server/serving-certs
|
||||
# -- Port to be used by the webhook server
|
||||
port: 10250
|
||||
port: 9443
|
||||
# -- Expose the webhook server in the host network
|
||||
hostNetwork: false
|
||||
serviceMonitor:
|
||||
@@ -136,6 +143,8 @@ webhook:
|
||||
# -- The name of the service account to use.
|
||||
# If not set and enabled is true, a name is generated using the fullname template
|
||||
name: ""
|
||||
# -- Annotations for webhook configurations.
|
||||
annotations: {}
|
||||
# -- Extra arguments to be passed to the webhook entrypoint
|
||||
extrArgs: []
|
||||
# -- Extra volumes to pass to webhook Pod
|
||||
@@ -159,3 +168,71 @@ webhook:
|
||||
tolerations: []
|
||||
# -- Affinity to add to controller Pod
|
||||
affinity: {}
|
||||
|
||||
certController:
|
||||
# -- Specifies whether the cert-controller should be created.
|
||||
enabled: true
|
||||
image:
|
||||
repository: ghcr.io/mariadb-operator/mariadb-operator
|
||||
pullPolicy: IfNotPresent
|
||||
# -- Image tag to use. By default the chart appVersion is used
|
||||
tag: ""
|
||||
imagePullSecrets: []
|
||||
ha:
|
||||
# -- Enable high availability
|
||||
enabled: false
|
||||
# -- Number of replicas
|
||||
replicas: 3
|
||||
# -- CA certificate validity. It must be greater than certValidity.
|
||||
caValidity: 35064h
|
||||
# -- Certificate validity.
|
||||
certValidity: 8766h
|
||||
# -- Duration used to verify whether a certificate is valid or not.
|
||||
lookaheadValidity: 2160h
|
||||
# -- Requeue duration to ensure that certificate gets renewed.
|
||||
requeueDuration: 5m
|
||||
serviceMonitor:
|
||||
# -- Enable cert-controller ServiceMonitor. Metrics must be enabled
|
||||
enabled: true
|
||||
# -- Labels to be added to the cert-controller ServiceMonitor
|
||||
additionalLabels: {}
|
||||
# release: kube-prometheus-stack
|
||||
# -- Interval to scrape metrics
|
||||
interval: 30s
|
||||
# -- Timeout if metrics can't be retrieved in given time interval
|
||||
scrapeTimeout: 25s
|
||||
serviceAccount:
|
||||
# -- Specifies whether a service account should be created
|
||||
enabled: true
|
||||
# -- Automounts the service account token in all containers of the Pod
|
||||
automount: true
|
||||
# -- Annotations to add to the service account
|
||||
annotations: {}
|
||||
# -- Extra Labels to add to the service account
|
||||
extraLabels: {}
|
||||
# -- The name of the service account to use.
|
||||
# If not set and enabled is true, a name is generated using the fullname template
|
||||
name: ""
|
||||
# -- Extra arguments to be passed to the cert-controller entrypoint
|
||||
extrArgs: []
|
||||
# -- Extra volumes to pass to cert-controller Pod
|
||||
extraVolumes: []
|
||||
# -- Extra volumes to mount to cert-controller container
|
||||
extraVolumeMounts: []
|
||||
# -- Annotations to add to cert-controller Pod
|
||||
podAnnotations: {}
|
||||
# -- Security context to add to cert-controller Pod
|
||||
podSecurityContext: {}
|
||||
# -- Security context to add to cert-controller container
|
||||
securityContext: {}
|
||||
# -- Resources to add to cert-controller container
|
||||
resources: {}
|
||||
# requests:
|
||||
# cpu: 10m
|
||||
# memory: 32Mi
|
||||
# -- Node selectors to add to controller Pod
|
||||
nodeSelector: {}
|
||||
# -- Tolerations to add to controller Pod
|
||||
tolerations: []
|
||||
# -- Affinity to add to controller Pod
|
||||
affinity: {}
|
||||
|
||||
@@ -1,9 +1,18 @@
|
||||
#!/bin/sh
|
||||
VERSION=2
|
||||
set -o pipefail
|
||||
set -e
|
||||
|
||||
run_migrations() {
|
||||
return 0
|
||||
if ! kubectl get configmap -n cozy-system cozystack-version; then
|
||||
kubectl create configmap -n cozy-system cozystack-version --from-literal=version="$VERSION" --dry-run=client -o yaml | kubectl create -f-
|
||||
fi
|
||||
current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}') || true
|
||||
until [ "$current_version" = "$VERSION" ]; do
|
||||
echo "run migration: $current_version --> $VERSION"
|
||||
scripts/migrations/$current_version
|
||||
current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}')
|
||||
done
|
||||
}
|
||||
|
||||
flux_is_ok() {
|
||||
@@ -18,6 +27,9 @@ install_basic_charts() {
|
||||
|
||||
cd "$(dirname "$0")/.."
|
||||
|
||||
# Run migrations
|
||||
run_migrations
|
||||
|
||||
# Install namespaces
|
||||
make -C packages/core/platform namespaces-apply
|
||||
|
||||
@@ -26,9 +38,6 @@ if ! flux_is_ok; then
|
||||
install_basic_charts
|
||||
fi
|
||||
|
||||
# Run migrations
|
||||
run_migrations
|
||||
|
||||
# Reconcile Helm repositories
|
||||
kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite
|
||||
|
||||
|
||||
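Review bot: In `run_migrations`, the value read back from the `cozystack-version` ConfigMap is used unquoted and unchecked as the script path `scripts/migrations/$current_version`, so the content of a cluster object decides which file the installer executes. The first read ends in `|| true`, so a failed `kubectl get` leaves the variable empty and the loop tries to run the directory itself. A value above `VERSION`, or a migration that does not advance the ConfigMap, gives the `until` loop no valid way to finish. I would accept only a plain number below `VERSION`, check that the migration file exists, quote the path, and stop when a migration leaves the version unchanged, as sketched below.

```shell
run_migrations() {
  # … unchanged: create the cozystack-version ConfigMap when it is missing …
  current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}')
  until [ "$current_version" = "$VERSION" ]; do
    # The version comes from the cluster: accept only a number below VERSION
    # before it becomes part of a path that is executed.
    case "$current_version" in
      '' | *[!0-9]*)
        echo "unexpected cozystack-version value: '$current_version'" >&2
        exit 1
        ;;
    esac
    if [ "$current_version" -ge "$VERSION" ] || [ ! -x "scripts/migrations/$current_version" ]; then
      echo "no migration path from $current_version to $VERSION" >&2
      exit 1
    fi
    echo "run migration: $current_version --> $VERSION"
    "scripts/migrations/$current_version"
    previous_version=$current_version
    current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}')
    if [ "$current_version" = "$previous_version" ]; then
      echo "migration $previous_version did not advance cozystack-version" >&2
      exit 1
    fi
  done
}
```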
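--- a/scripts/migrations/1
+++ b/scripts/migrations/1
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if kubectl get -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert; then
+kubectl annotate -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert meta.helm.sh/release-namespace=cozy-mariadb-operator meta.helm.sh/release-name=mariadb-operator
+kubectl label -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert app.kubernetes.io/managed-by=Helm
+fi
+
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=2 --dry-run=client -o yaml | kubectl apply -f-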
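Review bot: This script has no `set -e`, and shell options set by the calling installer do not carry over to a separately executed script. A failed `kubectl annotate` or `kubectl label` is therefore ignored, and the last line still records `version=2`, marking the migration as done although the Secret was never handed over to Helm. Adding `set -eu` below the shebang closes that gap. The `if kubectl get …` test also treats every error, not only a missing Secret, as "nothing to adopt". Reading the name first keeps the two cases apart: `secret=$(kubectl get -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert --ignore-not-found -o name)` followed by `if [ -n "$secret" ]; then`.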