From 575d096671e9bedc48da06a9ff81d143cd053211 Mon Sep 17 00:00:00 2001 
From: Andrei Kvapil Date: Thu, 18 Jul 2024 14:21:44 +0200 Subject: [PATCH] Add nats-operator --- packages/system/nats-operator/Chart.yaml | 3 + packages/system/nats-operator/Makefile | 10 + .../charts/nats-operator/.helmignore | 24 ++ .../charts/nats-operator/Chart.yaml | 22 ++ .../nats-operator/config/client-auth.json | 25 ++ .../crds/customresourcedefinition.yaml | 305 ++++++++++++++++++ .../charts/nats-operator/templates/NOTES.txt | 26 ++ .../nats-operator/templates/_helpers.tpl | 44 +++ .../nats-operator/templates/deployment.yaml | 130 ++++++++ .../nats-operator/templates/natscluster.yaml | 70 ++++ .../charts/nats-operator/templates/rbac.yaml | 108 +++++++ .../nats-operator/templates/secret.yaml | 12 + .../templates/serviceaccount.yaml | 9 + .../charts/nats-operator/values.yaml | 191 +++++++++++ packages/system/nats-operator/values.yaml | 6 + 15 files changed, 985 insertions(+) create mode 100644 packages/system/nats-operator/Chart.yaml create mode 100644 packages/system/nats-operator/Makefile create mode 100644 packages/system/nats-operator/charts/nats-operator/.helmignore create mode 100644 packages/system/nats-operator/charts/nats-operator/Chart.yaml create mode 100644 packages/system/nats-operator/charts/nats-operator/config/client-auth.json create mode 100644 packages/system/nats-operator/charts/nats-operator/crds/customresourcedefinition.yaml create mode 100644 packages/system/nats-operator/charts/nats-operator/templates/NOTES.txt create mode 100644 packages/system/nats-operator/charts/nats-operator/templates/_helpers.tpl create mode 100644 packages/system/nats-operator/charts/nats-operator/templates/deployment.yaml create mode 100644 packages/system/nats-operator/charts/nats-operator/templates/natscluster.yaml create mode 100644 packages/system/nats-operator/charts/nats-operator/templates/rbac.yaml create mode 100644 packages/system/nats-operator/charts/nats-operator/templates/secret.yaml create mode 100644 
packages/system/nats-operator/charts/nats-operator/templates/serviceaccount.yaml create mode 100644 packages/system/nats-operator/charts/nats-operator/values.yaml create mode 100644 packages/system/nats-operator/values.yaml
diff --git a/packages/system/nats-operator/Chart.yaml b/packages/system/nats-operator/Chart.yaml new file mode 100644
index 00000000..3bedb2a8
--- /dev/null
+++ b/packages/system/nats-operator/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-nats-operator
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
diff --git a/packages/system/nats-operator/Makefile b/packages/system/nats-operator/Makefile new file mode 100644
index 00000000..133dd6e0
--- /dev/null
+++ b/packages/system/nats-operator/Makefile
@@ -0,0 +1,10 @@
+export NAME=nats-operator
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package-system.mk
+
+update:
+ rm -rf charts
+ helm repo add nats https://nats-io.github.io/k8s/helm/charts/
+ helm repo update nats
+ helm pull nats/nats-operator --untar --untardir charts
diff --git a/packages/system/nats-operator/charts/nats-operator/.helmignore b/packages/system/nats-operator/charts/nats-operator/.helmignore new file mode 100644
index 00000000..623e2043
--- /dev/null
+++ b/packages/system/nats-operator/charts/nats-operator/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+# Chart specific files
+README.md
diff --git a/packages/system/nats-operator/charts/nats-operator/Chart.yaml b/packages/system/nats-operator/charts/nats-operator/Chart.yaml new file mode 100644
index 00000000..6349c0d0
--- /dev/null
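Review bot: The `update` target in the Makefile pulls `nats/nats-operator` without a `--version`, so re-running it vendors whatever the repository index serves at that moment rather than the 0.8.3 recorded in `charts/nats-operator/Chart.yaml`; pin it with `helm pull nats/nats-operator --version 0.8.3 --untar --untardir charts`. That keeps the vendored tree reproducible and turns a chart upgrade into a deliberate, reviewable diff instead of a side effect of `helm repo update`. The recipe's leading tabs are not visible in this collapsed hunk, so their presence cannot be checked here.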
+++ b/packages/system/nats-operator/charts/nats-operator/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+appVersion: 0.8.3
+description: NATS operator creates/configures/manages nats clusters atop Kubernetes
+home: https://github.com/nats-io/nats-operator
+icon: https://nats.io/img/nats-icon-color.png
+keywords:
+- addressing
+- discovery
+- messaging
+- nats
+- operator
+- pubsub
+maintainers:
+- email: richerlariviere@gmail.com
+ name: richerlariviere
+- email: wally@nats.io
+ name: Waldemar Quevedo
+ url: https://github.com/wallyqs
+name: nats-operator
+sources:
+- https://github.com/nats-io/nats-operator
+version: 0.8.3
diff --git a/packages/system/nats-operator/charts/nats-operator/config/client-auth.json b/packages/system/nats-operator/charts/nats-operator/config/client-auth.json new file mode 100644
index 00000000..911c259a
--- /dev/null
+++ b/packages/system/nats-operator/charts/nats-operator/config/client-auth.json
@@ -0,0 +1,25 @@
+{
+ "users": [
+ {{- if and (.Values.cluster.auth.username) (not .Values.cluster.auth.users) }}
+ {
+ "username": "{{ .Values.cluster.auth.username }}",
+ "password": "{{ .Values.cluster.auth.password }}"
+ }
+ {{- end }}
+
+ {{- if .Values.cluster.auth.users }}
+ {{ $length := len .Values.cluster.auth.users }}
+ {{- range $index, $user := .Values.cluster.auth.users }}
+ {
+ "username": "{{ $user.username }}",
+ "password": "{{ $user.password }}"
+ {{- if $user.permissions }},
+ "permissions": {{ toJson $user.permissions | replace "\\u003e" ">"}}
+ {{- end}}
+ }{{- if lt (add1 $index) $length }},{{ end }}
+ {{- end}}
+ {{- end }}
+ ]{{- if .Values.cluster.auth.defaultPermissions }},
+ "default_permissions": {{ toJson .Values.cluster.auth.defaultPermissions | replace "\\u003e" ">" }}
+ {{- end}}
+}
diff --git a/packages/system/nats-operator/charts/nats-operator/crds/customresourcedefinition.yaml b/packages/system/nats-operator/charts/nats-operator/crds/customresourcedefinition.yaml new file mode 100644
index 00000000..d2dfd71b
--- /dev/null
+++ b/packages/system/nats-operator/charts/nats-operator/crds/customresourcedefinition.yaml
@@ -0,0 +1,305 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: natsclusters.nats.io + annotations: + "helm.sh/hook": "crd-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +spec: + group: nats.io + scope: Namespaced + names: + kind: NatsCluster + listKind: NatsClusterList + plural: natsclusters + singular: natscluster + shortNames: + - nats + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + size: + type: integer + version: + type: string + serverImage: + type: string + natsConfig: + type: object + properties: + debug: + type: boolean + trace: + type: boolean + write_deadline: + type: string + maxConnections: + type: integer + maxPayload: + type: integer + maxPending: + type: integer + maxSubscriptions: + type: integer + maxControlLine: + type: integer + disableLogtime: + type: boolean + useServerName: + type: boolean + paused: + type: boolean + pod: + type: object + properties: + labels: + x-kubernetes-preserve-unknown-fields: true + type: object + annotations: + x-kubernetes-preserve-unknown-fields: true + type: object + nodeSelector: + x-kubernetes-preserve-unknown-fields: true + type: object + antiAffinity: + type: boolean + resources: + x-kubernetes-preserve-unknown-fields: true + type: object + tolerations: + type: array + items: + x-kubernetes-preserve-unknown-fields: true + type: object + natsEnv: + type: array + items: + x-kubernetes-preserve-unknown-fields: true + type: object + enableConfigReload: + type: boolean + reloaderImage: + type: string + reloaderImageTag: + type: string + reloaderImagePullPolicy: + type: string + reloaderResources: + x-kubernetes-preserve-unknown-fields: true + type: object + enableMetrics: + type: boolean + metricsImage: + type: string + metricsImageTag: + type: string + metricsImagePullPolicy: + type: string + enableClientsHostPort: + type: boolean + 
advertiseExternalIP: + type: boolean + bootconfigImage: + type: string + bootconfigImageTag: + type: string + volumeMounts: + type: array + items: + x-kubernetes-preserve-unknown-fields: true + type: object + tls: + type: object + properties: + serverSecret: + type: string + serverSecretCAFileName: + type: string + serverSecretKeyFileName: + type: string + serverSecretCertFileName: + type: string + routesSecret: + type: string + routesSecretCAFileName: + type: string + routesSecretKeyFileName: + type: string + routesSecretCertFileName: + type: string + gatewaySecret: + type: string + gatewaySecretCAFileName: + type: string + gatewaySecretKeyFileName: + type: string + gatewaySecretCertFileName: + type: string + leafnodeSecret: + type: string + leafnodeSecretCAFileName: + type: string + leafnodeSecretKeyFileName: + type: string + leafnodeSecretCertFileName: + type: string + websocketSecret: + type: string + websocketSecretCAFileName: + type: string + websocketSecretKeyFileName: + type: string + websocketSecretCertFileName: + type: string + websocketTLSTimeout: + type: number + enableHttps: + type: boolean + clientsTLSTimeout: + type: number + routesTLSTimeout: + type: number + gatewaysTLSTimeout: + type: number + leafnodesTLSTimeout: + type: number + verify: + type: boolean + cipherSuites: + type: array + items: + type: string + curvePreferences: + type: array + items: + type: string + auth: + type: object + properties: + enableServiceAccounts: + type: boolean + clientsAuthSecret: + type: string + clientsAuthFile: + type: string + clientsAuthTimeout: + type: integer + tlsVerifyAndMap: + type: boolean + lameDuckDurationSeconds: + type: integer + noAdvertise: + type: boolean + template: + x-kubernetes-preserve-unknown-fields: true + type: object + extraRoutes: + type: array + items: + type: object + properties: + cluster: + type: string + route: + type: string + gatewayConfig: + type: object + properties: + name: + type: string + hostPort: + type: integer + 
rejectUnknown: + type: boolean + gateways: + type: array + items: + type: object + properties: + name: + type: string + url: + type: string + leafnodeConfig: + type: object + properties: + port: + type: integer + remotes: + type: array + items: + type: object + properties: + url: + type: string + urls: + type: array + items: + type: string + credentials: + type: string + operatorConfig: + type: object + properties: + secret: + type: string + systemAccount: + type: string + resolver: + type: string + websocketConfig: + type: object + properties: + port: + type: integer + handshakeTimeout: + type: integer + compression: + type: boolean + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: natsserviceroles.nats.io + annotations: + "helm.sh/hook": "crd-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +spec: + group: nats.io + scope: Namespaced + names: + kind: NatsServiceRole + listKind: NatsServiceRoleList + plural: natsserviceroles + singular: natsservicerole + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + permissions: + type: object + properties: + publish: + type: array + items: + type: string + subscribe: + type: array + items: + type: string diff --git a/packages/system/nats-operator/charts/nats-operator/templates/NOTES.txt b/packages/system/nats-operator/charts/nats-operator/templates/NOTES.txt new file mode 100644 index 00000000..73170e51 --- /dev/null +++ b/packages/system/nats-operator/charts/nats-operator/templates/NOTES.txt 
@@ -0,0 +1,26 @@
+** Please be patient while the chart is being deployed **
+{{- if .Values.clusterScoped }}
+
+** WARNING ! **: You've installed a cluster-scoped NATS Operator. Make sure that there are no other deployments of NATS Operator in the Kubernetes cluster.
+{{- if not (eq .Release.Namespace "nats-io") }}
+
+** WARNING ! **: The namespace must be "nats-io" however you used "{{ .Release.Namespace }}" !
+{{- end }}
+{{- end}}
+
+NATS can be accessed via port 4222 on the following DNS name from within your cluster:
+
+ nats-cluster.{{ .Release.Namespace }}.svc.cluster.local
+
+NATS monitoring service can be accessed via port 8222 on the following DNS name from within your cluster:
+
+ nats-cluster-mgmt.{{ .Release.Namespace }}.svc.cluster.local
+
+To access the Monitoring svc from outside the cluster, follow the steps below:
+
+1. Get the name of a pod from the cluster that was deployed, then use port-forward to connect top it. For example:
+
+ kubectl get pods -l nats_cluster=nats-cluster
+ kubectl port-forward nats-cluster-1 8222
+
+2. Open a browser and access the NATS monitoring browsing to the Monitoring URL
diff --git a/packages/system/nats-operator/charts/nats-operator/templates/_helpers.tpl b/packages/system/nats-operator/charts/nats-operator/templates/_helpers.tpl new file mode 100644
index 00000000..d4f09d25
--- /dev/null
+++ b/packages/system/nats-operator/charts/nats-operator/templates/_helpers.tpl
@@ -0,0 +1,44 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "nats.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nats.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "nats.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "nats.labels" -}} +app.kubernetes.io/name: {{ template "nats.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: "operator" +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +helm.sh/chart: {{ include "nats.chart" . }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "nats.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nats.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: "operator" +{{- end -}} \ No newline at end of file diff --git a/packages/system/nats-operator/charts/nats-operator/templates/deployment.yaml b/packages/system/nats-operator/charts/nats-operator/templates/deployment.yaml new file mode 100644 index 00000000..06716f92 --- /dev/null +++ b/packages/system/nats-operator/charts/nats-operator/templates/deployment.yaml 
@@ -0,0 +1,130 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "nats.fullname" . }} +{{- if and .Values.clusterScoped .Values.cluster.namespace }} + namespace: {{ .Values.cluster.namespace }} +{{- end }} + + labels: + {{- include "nats.labels" . | nindent 4 }} + app: {{ template "nats.name" . }} + chart: {{ template "nats.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + strategy: + type: {{ .Values.updateStrategy }} + {{- if eq .Values.updateStrategy "RollingUpdate" }} + rollingUpdate: + maxSurge: {{ .Values.rollingUpdateMaxSurge }} + maxUnavailable: {{ .Values.rollingUpdateMaxUnavailable }} + {{- end }} + selector: + matchLabels: + app: {{ template "nats.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + {{- include "nats.selectorLabels" . | nindent 8 }} + app: {{ template "nats.name" . }} + release: {{ .Release.Name }} + {{- if .Values.podLabels }} + {{- toYaml .Values.podLabels | nindent 8 }} + {{- end }} + {{- if .Values.podAnnotations }} + annotations: + {{- toYaml .Values.podAnnotations | nindent 8 }} + {{- end }} + spec: + {{- if .Values.rbacEnabled }} + serviceAccountName: nats-operator + {{- end }} + containers: + - name: nats-operator + image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.clusterScoped }} + args: + - nats-operator + - --feature-gates=ClusterScoped=true + {{- end }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + ports: + - name: readyz + containerPort: 8080 + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /readyz + port: readyz + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + 
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /readyz + port: readyz + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- end }} + resources: +{{ toYaml .Values.resources | indent 10}} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName}}" + {{- end }} + {{- if eq .Values.antiAffinity "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: "kubernetes.io/hostname" + labelSelector: + matchLabels: + app: "{{ template "nats.name" . }}" + release: {{ .Release.Name | quote }} + {{- else if eq .Values.antiAffinity "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + app: "{{ template "nats.name" . }}" + release: "{{ .Release.Name }}" + {{- end }} + {{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{ .Values.image.pullSecrets}} + {{- end }} 
diff --git a/packages/system/nats-operator/charts/nats-operator/templates/natscluster.yaml b/packages/system/nats-operator/charts/nats-operator/templates/natscluster.yaml new file mode 100644
index 00000000..7365bc27
--- /dev/null
+++ b/packages/system/nats-operator/charts/nats-operator/templates/natscluster.yaml
@@ -0,0 +1,70 @@
+---
+{{- if .Values.cluster.create }}
+apiVersion: "nats.io/v1alpha2"
+kind: "NatsCluster"
+metadata:
+ name: {{ .Values.cluster.name }}
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+ namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+spec:
+ size: {{ .Values.cluster.size }}
+ version: {{ .Values.cluster.version }}
+
+ pod:
+ {{- if .Values.cluster.annotations }}
+ annotations: {{ toYaml .Values.cluster.annotations | nindent 6 }}
+ {{- end }}
+ {{- if .Values.cluster.resources }}
+ resources: {{ toYaml .Values.cluster.resources | nindent 6 }}
+ {{- end }}
+ enableConfigReload: {{ .Values.cluster.configReload.enabled }}
+ reloaderImage: {{ .Values.cluster.configReload.repository }}
+ reloaderImageTag: {{ .Values.cluster.configReload.tag }}
+ reloaderImagePullPolicy: {{ .Values.cluster.configReload.pullPolicy }}
+ {{- if .Values.cluster.configReload.resources }}
+ reloaderResources: {{ toYaml .Values.cluster.configReload.resources | nindent 6 }}
+ {{- end }}
+ enableMetrics: {{ .Values.cluster.metrics.enabled }}
+ metricsImage: {{ .Values.cluster.metrics.repository }}
+ metricsImageTag: {{ .Values.cluster.metrics.tag }}
+ metricsImagePullPolicy: {{ .Values.cluster.metrics.pullPolicy }}
+ {{- if .Values.cluster.auth.enabled }}
+ auth:
+ enableServiceAccounts: {{ .Values.cluster.auth.enableServiceAccounts }}
+ clientsAuthSecret: {{ .Values.cluster.name }}-clients-auth
+ clientsAuthTimeout: 5
+ {{- end }}
+
+ {{- if .Values.cluster.tls.enabled }}
+ tls:
+ # Certificates to secure the NATS client connections:
+ serverSecret: {{ .Values.cluster.tls.serverSecret }}
+
+ # Certificates to secure the routes.
+ routesSecret: {{ .Values.cluster.tls.routesSecret }}
+ {{- end }}
+---
+{{- if and .Values.cluster.metrics.enabled .Values.cluster.metrics.servicemonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ .Values.cluster.name }}
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+ namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+ labels:
+ app: nats
+ nats_cluster: {{ .Values.cluster.name }}
+ prometheus: {{ .Values.cluster.metrics.servicemonitor.prometheusInstance }}
+spec:
+ jobLabel: nats-{{ .Values.cluster.name }}
+ selector:
+ matchLabels:
+ app: nats
+ nats_cluster: {{ .Values.cluster.name }}
+ endpoints:
+ - port: metrics
+ interval: 60s
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats-operator/charts/nats-operator/templates/rbac.yaml b/packages/system/nats-operator/charts/nats-operator/templates/rbac.yaml new file mode 100644
index 00000000..60601be9
--- /dev/null
+++ b/packages/system/nats-operator/charts/nats-operator/templates/rbac.yaml
@@ -0,0 +1,108 @@
+{{- if .Values.rbacEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: nats-io-nats-operator-crd
+rules:
+# Allow creating CRDs
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs: ["get", "list", "create", "update", "watch"]
+# Allow all actions on NatsClusters
+- apiGroups:
+ - nats.io
+ resources:
+ - natsclusters
+ - natsserviceroles
+ verbs: ["*"]
+# Allowed actions on Pods
+- apiGroups: [""]
+ resources:
+ - pods
+ verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nats-io-nats-operator-crd-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: nats-io-nats-operator-crd
+subjects:
+- kind: ServiceAccount
+ name: nats-operator
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.clusterScoped }}
+kind: ClusterRole
+{{- else }}
+kind: Role
+{{- end }}
+metadata:
+ name: nats-io-nats-operator
+rules:
+# Allowed actions on Pods
+- apiGroups: [""]
+ resources:
+ - pods
+ verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+
+# Allowed actions on Services
+- apiGroups: [""]
+ resources:
+ - services
+ verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+
+# Allowed actions on Secrets
+- apiGroups: [""]
+ resources:
+ - secrets
+ verbs: ["create", "watch", "get", "update", "delete", "list"]
+
+# Allow all actions on some special subresources
+- apiGroups: [""]
+ resources:
+ - pods/exec
+ - pods/log
+ - serviceaccounts/token
+ - events
+ verbs: ["*"]
+
+# Allow listing Namespaces and ServiceAccounts
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - serviceaccounts
+ verbs: ["list", "get", "watch"]
+
+# Allow actions on Endpoints
+- apiGroups: [""]
+ resources:
+ - endpoints
+ verbs: ["create", "watch", "get", "update", "delete", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.clusterScoped }}
+kind: ClusterRoleBinding
+{{- else }}
+kind: RoleBinding
+{{- end }}
+metadata:
+ name: nats-io-nats-operator-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ {{- if .Values.clusterScoped }}
+ kind: ClusterRole
+ {{- else }}
+ kind: Role
+ {{- end }}
+ name: nats-io-nats-operator
+subjects:
+- kind: ServiceAccount
+ name: nats-operator
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/packages/system/nats-operator/charts/nats-operator/templates/secret.yaml b/packages/system/nats-operator/charts/nats-operator/templates/secret.yaml new file mode 100644
index 00000000..6991af54
--- /dev/null
+++ b/packages/system/nats-operator/charts/nats-operator/templates/secret.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.cluster.create .Values.cluster.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.cluster.name }}-clients-auth
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+ namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+type: Opaque
+data:
+ clients-auth.json: {{ (tpl (.Files.Get "config/client-auth.json") . ) | b64enc }}
+{{- end }}
diff --git a/packages/system/nats-operator/charts/nats-operator/templates/serviceaccount.yaml b/packages/system/nats-operator/charts/nats-operator/templates/serviceaccount.yaml new file mode 100644
index 00000000..08a625f5
--- /dev/null
+++ b/packages/system/nats-operator/charts/nats-operator/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.rbacEnabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nats-operator
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+ namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats-operator/charts/nats-operator/values.yaml b/packages/system/nats-operator/charts/nats-operator/values.yaml new file mode 100644
index 00000000..d681282f
--- /dev/null
+++ b/packages/system/nats-operator/charts/nats-operator/values.yaml 
@@ -0,0 +1,191 @@
+## Specify if RBAC authorization is enabled.
+## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+##
+rbacEnabled: true
+
+## Operator scope
+## NOTE: If true
+## * Make sure that no othe NATS operator is running in the cluster
+## * The Release namespace must be "nats-io"
+clusterScoped: false
+
+## Set default Replica Coint for the Operator
+replicaCount: 1
+
+image:
+ # natsio/nats-operator:0.8.3
+ registry: docker.io
+ repository: natsio/nats-operator
+ tag: 0.8.3
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistrKeySecretName
+
+## NATS Pod Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
+securityContext:
+ enabled: true
+ fsGroup: 1001
+ runAsUser: 1001
+
+## NATS Node selector and tolerations for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations
+##
+# nodeSelector: {}
+# tolerations: []
+
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
+## Pods anti-affinity
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+##
+## Possible values: soft, hard
+antiAffinity: soft
+
+## Pod annotations
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+
+## Additional pod labels
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+
+## Update strategy, can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+
+updateStrategy: RollingUpdate
+# rollingUpdateMaxSurge: 25%
+# rollingUpdateMaxUnavailable: "25%
+
+## Configure resource requests and limits
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+##
+resources: {}
+# limits:
+# cpu: 100m
+# memory: 64Mi
+# requests:
+# cpu: 10m
+# memory: 64Mi
+
+## Configure extra options for liveness and readiness probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+
+cluster:
+ ## Create a NATS Cluster when installing the operator
+ create: true
+
+ name: nats-cluster
+
+ ## Choose namespace for cluster deployment if clusterScoped is set to true
+ namespace: "nats-io"
+
+ ## Nats version
+ ## Image tags are listed here: https://hub.docker.com/_/nats?tab=tags
+ version: 1.4.1
+
+ ## Cluster Size
+ size: 3
+
+ ## Optional custom annotations to add to Pods in the cluster
+ annotations: {}
+
+ resources: {}
+ # limits:
+ # cpu: 500m
+ # memory: 512Mi
+ # requests:
+ # cpu: 100m
+ # memory: 256Mi
+
+ ## Client Authentication
+ ## ref: https://github.com/nats-io/gnatsd#authentication
+ ## note: token not supported only user/password will work with this chart version
+ ##
+ auth:
+ enabled: true
+
+ # NOTE: Only supported in Kubernetes v1.12+ clusters having the "TokenRequest" API enabled.
+ enableServiceAccounts: false
+
+ ## This is where you enter a username/password for 1 user
+ username: "my-user"
+ password: "T0pS3cr3t"
+
+ ## This is a where you can specify 2 or more users
+ users: []
+ # - username: "another-user-1"
+ # password: "another-password-1"
+ # - username: "another-user-2"
+ # password: "another-password-2"
+ # permissions:
+ # publish: ["hello.*"]
+ # subscribe: ["hello.world"]
+
+ defaultPermissions: {}
+ # publish: ["SANDBOX.*"]
+ # subscribe: ["PUBLIC.>"]
+
+ tls:
+ enabled: false
+ # serverSecret:
+ # routesSecret:
+
+ ## Configuration Reload
+ ## NOTE: Only supported in Kubernetes v1.12+.
+ configReload:
+ enabled: false
+ registry: "docker.io"
+ repository: "connecteverything/nats-server-config-reloader"
+ tag: "0.2.2-v1alpha2"
+ pullPolicy: "IfNotPresent"
+ resources: {}
+ # limits:
+ # cpu: 50m
+ # memory: 32Mi
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+ ## Prometheus Metrics Exporter
+ ##
+ metrics:
+ enabled: false
+ registry: "docker.io"
+ repository: "synadia/prometheus-nats-exporter"
+ tag: "0.6.2"
+ pullPolicy: "IfNotPresent"
+
+ # Prometheus Operator ServiceMonitor config
+ ##
+ servicemonitor:
+ enabled: false
+ prometheusInstance: default
diff --git a/packages/system/nats-operator/values.yaml b/packages/system/nats-operator/values.yaml new file mode 100644
index 00000000..70c7291f
--- /dev/null
+++ b/packages/system/nats-operator/values.yaml
@@ -0,0 +1,6 @@
+nats-operator:
+ clusterScoped: true
+ cluster:
+ create: true
+ metrics:
+ enabled: true
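Review bot: `packages/system/nats-operator/values.yaml` turns on `clusterScoped` and `cluster.create` but leaves the vendored chart's `cluster.auth` defaults untouched, so the rendered `nats-cluster-clients-auth` Secret (templates/secret.yaml) is built from the chart's sample `username: "my-user"` / `password: "T0pS3cr3t"` with `auth.enabled: true` and `tls.enabled: false`. Override the credential in this file, e.g. under `cluster:` add `auth:` / `password: <SET-PER-INSTALL>` (or populate the Secret from the platform's secret management), so a default install is not reachable with a password published in the chart source. Separately, with `clusterScoped: true` the chart renders the Deployment and ServiceAccount into `cluster.namespace` (`nats-io`) while both bindings in templates/rbac.yaml bind the `nats-operator` ServiceAccount in `{{ .Release.Namespace }}`; if the release namespace is `cozy-nats-operator` as the Makefile's `NAMESPACE` suggests, the ServiceAccount the operator actually runs with receives no permissions, which is what the chart's NOTES.txt warning about the namespace having to be `nats-io` is about. Either install the release into `nats-io` or set `cluster.namespace` to the release namespace here so the three objects land together.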