This patch refactors the secret selectors to use the
`internal.cozystack.io/tenantresource` label for managing secret
visibility and removes any selectors based on it or the previous
`apps.cozystack.io/tenantresource` label, the idea being that this label
will only ever be set by the controller.
```
[controller,api] Refactor labels for the secret selector.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
This patch implements name-based selectors for
`CozystackResourceDefinitions.spec.secrets`. Application developers may
now specify secrets that should or should not be visible to end users by
specifying a `resourceNames` field with a string slice of acceptable
names. This will, for instance, let developers exclude a secret like
`postgres-dbname-superuser` that has a predictable name even if it does
not have predictable labels. Simple templates are supported, so
`postgres-{{ .name }}-superuser` is also a valid entry under
`resourceNames`.
```release-note
[lineage, controller] Let application developers determine resource
visibility for end users by name, as well as by labels.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
[cozystack-controller] Introduce new dashboard-controller
[dashboard] Introduce new dashboard based on openapi-ui
Co-authored-by: kklinch0 <kklinch0@gmail.com>
Signed-off-by: kklinch0 <kklinch0@gmail.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Many resources created as part of managed apps in cozystack (pods,
secrets, etc) do not carry predictable labels that unambiguously
indicate which app originally triggered their creation. Some resources
are managed by controllers and other custom resources and this
indirection can lead to loss of information. Other controllers sometimes
simply do not allow setting labels on controlled resources and the
latter do not inherit labels from the owner. This patch implements a
webhook that sidesteps this problem with a universal solution. On
creation of a pod/secret/PVC etc it walks through the owner references
until a HelmRelease is found that can be matched with a managed app
dynamically registered in the Cozystack API server. The pod is mutated
with labels identifying the managed app.
```release-note
[cozystack-controller] Add a mutating webhook to identify the Cozystack
managed app that ultimately owns low-level resources created in the
cluster and label these resources with a reference to said app.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
Some k8s secrets created when deploying managed applications are
unhelpful to the end user or are outright not meant to be shown, because
they contain internal credentials not meant to be presented to the user.
This patch adds an `apps.cozystack.io/tenantresource=false` label to
such resources which will be later used to filter out such secrets in
the web UI.
```release-note
[platform] Mark non-user-facing secrets as such to avoid clutter in the
dashboard and leaking internal credentials.
```
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
- Remove duplicate values from rabbitmq README
- Use placeholders for passwords and secrets
- Fix copy-pasted postgres reference in mysql
- Fix links to cloud-init docs
- Explain CPU and memory consistently
Signed-off-by: Nick Volynkin <nick.volynkin@gmail.com>
Use the same order for values in all applications:
1. Common configuration parameters in the specified order, if exist:
- replicas
- shards
- resources
- resourcesPreset
- size
- storageClass
- external (goes last, because we don't want to promote this practice)
2. Application-specific parameters, such as database and users
3. Component-specific, each component under its own section
4. Backup
5. Bootstrap (recovery)
Signed-off-by: Nick Volynkin <nick.volynkin@gmail.com>
- Change wording for `resources` and `resourcesPreset` variables.
- Explain and give exampls of other object-type variables,
if their child fields are not annotated.
- Fix a few typos, improve wording.
- Bump all application charts to ensure that new texts are shown
immediately after updating Cozystack.
Co-authored-by: Andrei Kvapil <kvapss@gmail.com>
Signed-off-by: Nick Volynkin <nick.volynkin@gmail.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
This patch removes the loophole to leave resource requests and limits
unspecified in managed apps. Any of cpu, memory, and ephemeral storage
are now filled in from the resource preset (default or user-specified)
if not explicitly specified in .Values.resources. "none" is no longer an
accepted value in resourcePresets and the primary resources now always
have some explicit value for proper billing and isolation.
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
It was present in some apps, such as managed kubernetes, but missing in others.
bitnami/readme-generator removes enums after re-generating README,
so now we patch them back using `yq` in Makefiles.
Signed-off-by: Nick Volynkin <nick.volynkin@gmail.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced advanced Helm template helpers for managing Kubernetes RBAC
(Role-Based Access Control), including access level mapping,
hierarchy-aware group subject generation, and tenant parsing.
- Added dynamic RoleBinding resources across multiple applications to
bind roles to appropriate subjects based on access levels and tenant
namespaces.
- **Bug Fixes**
- Refined tenant application roles by restricting resource permissions
to specific core Kubernetes resources, enhancing security and access
control granularity.
- **Chores**
- Updated chart versions across numerous applications to reflect new
releases.
- Added reference files linking to the shared library in multiple
application chart directories.
- Pinned package versions to specific commits for improved version
stability and tracking.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
With this change a request for a virtual machine with 3 vCPUs will
reserve exactly the same amount of physical compute, as a request for a
Clickhouse instance with `{"resources": {"cpu": "3"}}` in its values,
with the scaling factor being KubeVirt's CPU allocation ratio.
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
This patch introduces reusable library charts that provide
backward-compatibility for users that specify their resources as
explicit requests and limits for cpu, however this input is processed so
that limits are set equal to requests except for CPU which only gets
requests. Users can now embrace the new form by directly specifying
resources in the first level of nesting (e.g. resources.cpu=100m instead
of .resources.requests.cpu=100m). The order of precedence is top-level,
then requests, then limits, ensuring that nothing will break in terms of
scheduling, however workloads that specified limits much higher than
requests might get a performance hit, now that they cannot use all this
excess capacity. This should only affect memory-hungry workloads in
low-contention environments.
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
This patch introduces reusable library charts that provide
backward-compatibility for users that specify their resources as
explicit requests and limits for cpu, however this input is processed so
that limits are set equal to requests except for CPU which only gets
requests. Users can now embrace the new form by directly specifying
resources in the first level of nesting (e.g. resources.cpu=100m instead
of .resources.requests.cpu=100m). The order of precedence is top-level,
then requests, then limits, ensuring that nothing will break in terms of
scheduling, however workloads that specified limits much higher than
requests might get a performance hit, now that they cannot use all this
excess capacity. This should only affect memory-hungry workloads in
low-contention environments.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced a reusable Helm library chart, "cozy-lib", providing common
templates and resource helpers for other charts.
- Added resource preset and sanitization templates to standardize
Kubernetes resource configurations.
- ClickHouse chart now depends on "cozy-lib" for improved resource
handling.
- Added a new packaging script and streamlined Helm chart packaging
processes across multiple packages.
- **Bug Fixes**
- Resource configuration logic in the ClickHouse deployment was updated
to use the new library templates, ensuring more consistent resource
definitions.
- **Chores**
- Added new Makefiles and version mapping for streamlined Helm chart
packaging and validation.
- Updated ClickHouse chart version to 0.9.0 and reflected this in
version mapping files.
- Refactored Makefile targets to consolidate packaging logic and improve
maintainability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This patch introduces reusable library charts that provide
backward-compatibility for users that specify their resources as
explicit requests and limits for cpu, however this input is processed so
that limits are set equal to requests except for CPU which only gets
requests. Users can now embrace the new form by directly specifying
resources in the first level of nesting (e.g. resources.cpu=100m instead
of .resources.requests.cpu=100m). The order of precedence is top-level,
then requests, then limits, ensuring that nothing will break in terms of
scheduling, however workloads that specified limits much higher than
requests might get a performance hit, now that they cannot use all this
excess capacity. This should only affect memory-hungry workloads in
low-contention environments.
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
This patch recreates the resource presets with a non-burstable memory
allocation (request==limit) and without CPU limits. With the new presets
the difference between the larger presets became meaningless, so their
values were adjusted.
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
