From 7710e9413db6c888f483619836f202095a33682a Mon Sep 17 00:00:00 2001 From: Michael Hoffmann Date: Wed, 18 Aug 2021 15:07:18 +0200 Subject: [PATCH] add testing/linting ci jobs; add CRDs repo; sync CRDs; fix some chart issues; make webhooks toggleable --- .github/workflows/test.yaml | 33 ++ .gitignore | 2 +- README.md | 22 +- .../.helmignore | 23 ++ .../aiven-kubernetes-operator-crds/Chart.yaml | 9 + .../templates}/crds.yaml | 308 +++++++++--------- .../values.yaml | 0 charts/aiven-kubernetes-operator/.helmignore | 3 + charts/aiven-kubernetes-operator/Chart.yaml | 4 +- .../ci/test-values.yaml | 2 + .../templates/_helpers.tpl | 7 + .../{cert-manager.yaml => certificate.yaml} | 9 +- .../templates/cluster_role.yaml | 7 + .../templates/deployment.yaml | 73 +++-- ..._cert_manager_if_webhooks_are_enabled.yaml | 8 + .../mutating_webhook_configuration.yaml | 9 +- .../templates/service.yaml | 6 +- .../validating_webhook_configuration.yaml | 6 +- charts/aiven-kubernetes-operator/values.yaml | 14 +- 19 files changed, 348 insertions(+), 197 deletions(-) create mode 100644 .github/workflows/test.yaml create mode 100644 charts/aiven-kubernetes-operator-crds/.helmignore create mode 100644 charts/aiven-kubernetes-operator-crds/Chart.yaml rename charts/{aiven-kubernetes-operator/crds => aiven-kubernetes-operator-crds/templates}/crds.yaml (95%) create mode 100644 charts/aiven-kubernetes-operator-crds/values.yaml create mode 100644 charts/aiven-kubernetes-operator/ci/test-values.yaml rename charts/aiven-kubernetes-operator/templates/{cert-manager.yaml => certificate.yaml} (87%) create mode 100644 charts/aiven-kubernetes-operator/templates/ensure_cert_manager_if_webhooks_are_enabled.yaml diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 0000000..e4fb729 --- /dev/null +++ b/.github/workflows/test.yaml 
@@ -0,0 +1,33 @@
+name: Test Charts
+
+on: pull_request
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v1
+ with:
+ version: v3.4.0
+
+ - uses: actions/setup-python@v2
+ with:
+ python-version: 3.7
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.1.0
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1.2.0
+
+ - name: Install aiven-kubernetes-operator CRDs
+ run: helm install charts/aiven-kubernetes-operator-crds --generate-name
+
+ - name: Test aiven-kubernetes-operator chart
+ run: ct install --charts charts/aiven-kubernetes-operator
diff --git a/.gitignore b/.gitignore
index 1c9bb1d..ce3fcb8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-my-values.yaml
+my-values.*.yaml
diff --git a/README.md b/README.md
index cafee5f..bc7b0f8 100644
--- a/README.md
+++ b/README.md
@@ -10,12 +10,24 @@ helm add repo aiven https://aiven-helm-charts.github.io && helm repo update
 ## Installing a chart from the repository
+### Installing the aiven-kubernetes-operator-crds chart
+
+```bash
+helm install aiven/aiven-kubernetes-operator-crds --generate-name
+```
+
 ### Installing the aiven-kubernetes-operator chart
+Before installing the `aiven-kubernetes-operator` chart, please make sure to have the CRDs chart installed.
+
+Installation with webhooks enabled ( requires a cert-manager deployment in the cluster ):
+
+```bash
+helm install aiven/aiven-kubernetes-operator --generate-name
+```
+
+Without webhooks enabled:
+
+```bash
-helm install \
- aiven/aiven-kubernetes-operator \
- --generate-name \
- --namespace aiven-kubernetes-operator-system \
- --create-namespace
+helm install aiven/aiven-kubernetes-operator --generate-name --set webhooks.enabled=false
 ```
diff --git a/charts/aiven-kubernetes-operator-crds/.helmignore b/charts/aiven-kubernetes-operator-crds/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
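Review bot: Every action in the new workflow is referenced by a mutable tag (`actions/checkout@v2`, `azure/setup-helm@v1`, `helm/chart-testing-action@v2.1.0`, `helm/kind-action@v1.2.0`) and `python-version: 3.7` is an unquoted float; pinning each `uses:` to a full commit SHA with the tag in a trailing comment keeps the CI supply chain reproducible, and `python-version: "3.7"` avoids the `3.10` → `3.1` trap the next time the version is bumped. The CRD chart is only installed with `helm install charts/aiven-kubernetes-operator-crds --generate-name` and never passed through `ct lint` or `ct install`, so a broken CRD chart surfaces only indirectly when the operator chart's test happens to fail. Adding `ct lint --charts charts/aiven-kubernetes-operator-crds` (or listing both charts in a `ct.yaml`) before the install step would cover it directly.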
+++ b/charts/aiven-kubernetes-operator-crds/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/aiven-kubernetes-operator-crds/Chart.yaml b/charts/aiven-kubernetes-operator-crds/Chart.yaml new file mode 100644 index 0000000..ff73729 --- /dev/null +++ b/charts/aiven-kubernetes-operator-crds/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v2 +name: aiven-kubernetes-operator-crds +description: A Helm chart to deploy the aiven k8s operator custom resource definitions +type: application +version: v0.1.0 +appVersion: v0.0.1 +maintainers: +- name: mhoffm-aiven + url: https://www.aiven.io diff --git a/charts/aiven-kubernetes-operator/crds/crds.yaml b/charts/aiven-kubernetes-operator-crds/templates/crds.yaml similarity index 95% rename from charts/aiven-kubernetes-operator/crds/crds.yaml rename to charts/aiven-kubernetes-operator-crds/templates/crds.yaml index 5a8de57..2ab1e5c 100644 --- a/charts/aiven-kubernetes-operator/crds/crds.yaml +++ b/charts/aiven-kubernetes-operator-crds/templates/crds.yaml @@ -5,19 +5,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: connectionpools.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: ConnectionPool 
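Review bot: `version: v0.1.0` and `appVersion: v0.0.1` in the new Chart.yaml carry a `v` prefix, which is not a strict SemVer 2 string even though Helm documents chart versions as SemVer 2; whether `helm package`, `ct lint` and the repository index tooling accept the prefix depends on how lenient their semver parser is, so I would either drop it (`version: 0.1.0`) or confirm the full publish path accepts it before this is released. The same prefixed versions are introduced into `charts/aiven-kubernetes-operator/Chart.yaml` later in this patch.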
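Review bot: Moving crds.yaml from `crds/` into `templates/` makes Helm manage the CRDs as ordinary release resources, so `helm uninstall` of the CRD chart deletes the CustomResourceDefinitions and with them every ConnectionPool, Database, Kafka, PostgreSQL and other custom object in the cluster — a data-loss path the previous `crds/` location did not have, and one the README's install instructions do not mention. Adding `helm.sh/resource-policy: keep` under each CRD's `metadata.annotations` (next to the existing `controller-gen.kubebuilder.io/version` annotation) keeps the definitions on uninstall; the chart's `values.yaml` is empty, so a values-driven toggle would be a new key. Since this file is controller-gen output, the annotation is best added by whatever sync step produced it so the next sync does not drop it again.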
@@ -186,19 +173,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: databases.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: Database @@ -337,19 +311,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: kafkaacls.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: KafkaACL 
@@ -502,24 +463,156 @@ status: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + name: kafkaconnectors.aiven.io +spec: + group: aiven.io + names: + kind: KafkaConnector + listKind: KafkaConnectorList + plural: kafkaconnectors + singular: kafkaconnector + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.serviceName + name: Service Name + type: string + - jsonPath: .spec.project + name: Project + type: string + - jsonPath: .spec.ConnectorClass + name: Connector Class + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: KafkaConnector is the Schema for the kafkaconnectors API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KafkaConnectorSpec defines the desired state of KafkaConnector + properties: + authSecretRef: + description: Authentication reference to Aiven token in a secret + properties: + key: + minLength: 1 + type: string + name: + minLength: 1 + type: string + required: + - key + - name + type: object + connectorClass: + description: The Java class of the connector. 
+ maxLength: 1024 + type: string + connectorSpecificConfig: + additionalProperties: + type: string + description: 'The connector specific configuration To use secrets as sources for values you should write `configOption: secretRef:key:value`' + type: object + project: + description: Target project. + format: ^[a-zA-Z0-9_-]*$ + maxLength: 63 + type: string + serviceName: + description: Service name. + maxLength: 63 + type: string + required: + - authSecretRef + - connectorClass + - connectorSpecificConfig + - project + - serviceName + type: object + status: + description: KafkaConnectorStatus defines the observed state of KafkaConnector + properties: + conditions: + description: Conditions represent the latest available observations of an kafka connector state + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + state: + description: State represents the state of the kafka connector + type: string + required: + - conditions + - state + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 name: kafkaconnects.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: KafkaConnect @@ -735,19 +828,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: kafkas.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: Kafka @@ -1320,19 +1400,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: kafkaschemas.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: KafkaSchema 
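Review bot: In the new kafkaconnectors.aiven.io schema, `spec.project` is constrained with `format: ^[a-zA-Z0-9_-]*$`; `format` is not a regex keyword in OpenAPI v3 / CRD structural schemas and, as far as I know, the apiserver ignores format values it does not recognise, so a project name containing other characters is accepted unchecked (the condition `reason` and `type` fields in the same hunk show the intended form, `pattern:`). The corrected line is `pattern: ^[a-zA-Z0-9_-]*$`, but because the file is controller-gen output the fix belongs on the operator's `+kubebuilder:validation` marker for the project field so the next CRD sync does not reintroduce it. Note also the printer column `jsonPath: .spec.ConnectorClass` while the schema property is `connectorClass`; jsonPath is case-sensitive, so the "Connector Class" column will always render empty.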
@@ -1493,19 +1560,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: kafkatopics.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: KafkaTopic @@ -1738,7 +1792,7 @@ spec: type: object type: array state: - description: State kafka topic state + description: State represents the state of the kafka topic type: string required: - conditions @@ -1763,19 +1817,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: postgresqls.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: PostgreSQL @@ -2334,19 +2375,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: projects.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: Project @@ -2415,6 +2443,11 @@ spec: description: Extra text to be included in all project invoices, e.g. purchase order or cost center number maxLength: 1000 type: string + billingGroupId: + description: BillingGroup ID + maxLength: 36 + minLength: 36 + type: string cardId: description: Credit card ID maxLength: 64 @@ -2535,19 +2568,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: projectvpcs.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: ProjectVPC 
@@ -2687,19 +2707,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: serviceintegrations.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: ServiceIntegration @@ -2951,19 +2958,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.4.1 name: serviceusers.aiven.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: webhook-service - namespace: system - path: /convert - port: 443 - conversionReviewVersions: - - v1 - - v1beta1 group: aiven.io names: kind: ServiceUser diff --git a/charts/aiven-kubernetes-operator-crds/values.yaml b/charts/aiven-kubernetes-operator-crds/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/charts/aiven-kubernetes-operator/.helmignore b/charts/aiven-kubernetes-operator/.helmignore index 0e8a0eb..1122445 100644 --- a/charts/aiven-kubernetes-operator/.helmignore +++ b/charts/aiven-kubernetes-operator/.helmignore @@ -21,3 +21,6 @@ .idea/ *.tmproj .vscode/ + +# ci specific config +ci/ diff --git a/charts/aiven-kubernetes-operator/Chart.yaml b/charts/aiven-kubernetes-operator/Chart.yaml index 1f02a45..f20e5d7 100644 --- a/charts/aiven-kubernetes-operator/Chart.yaml +++ b/charts/aiven-kubernetes-operator/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: aiven-kubernetes-operator description: A Helm chart to deploy the aiven k8s operator type: application -version: 0.1.0-alpha.1 -appVersion: 0.0.1 +version: v0.1.0 +appVersion: v0.0.1 maintainers: - name: mhoffm-aiven url: https://www.aiven.io diff --git a/charts/aiven-kubernetes-operator/ci/test-values.yaml b/charts/aiven-kubernetes-operator/ci/test-values.yaml new file mode 100644 index 0000000..55f3ea1 --- /dev/null +++ b/charts/aiven-kubernetes-operator/ci/test-values.yaml 
@@ -0,0 +1,2 @@
+webhooks:
+ enabled: false
diff --git a/charts/aiven-kubernetes-operator/templates/_helpers.tpl b/charts/aiven-kubernetes-operator/templates/_helpers.tpl
index 7271c28..a063c98 100644
--- a/charts/aiven-kubernetes-operator/templates/_helpers.tpl
+++ b/charts/aiven-kubernetes-operator/templates/_helpers.tpl
@@ -65,3 +65,10 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Common annotation our custom resource
+*/}}
+{{- define "aiven-kubernetes-operator.ca_injection_annotation" -}}
+cert-manager.io/inject-ca-from: {{ include "aiven-kubernetes-operator.namespace" . }}/webhook-server-cert
+{{- end }}
diff --git a/charts/aiven-kubernetes-operator/templates/cert-manager.yaml b/charts/aiven-kubernetes-operator/templates/certificate.yaml
similarity index 87%
rename from charts/aiven-kubernetes-operator/templates/cert-manager.yaml
rename to charts/aiven-kubernetes-operator/templates/certificate.yaml
index 13edc84..1d2aad8 100644
--- a/charts/aiven-kubernetes-operator/templates/cert-manager.yaml
+++ b/charts/aiven-kubernetes-operator/templates/certificate.yaml
@@ -1,7 +1,9 @@
+{{- if .Values.webhooks.enabled }}
+
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
- name: {{ include "aiven-kubernetes-operator.fullname" . }}-serving-cert
+ name: {{ include "aiven-kubernetes-operator.fullname" . }}-webhook-certificate
 namespace: {{ include "aiven-kubernetes-operator.namespace" . }}
 labels:
 {{- include "aiven-kubernetes-operator.labels" . | nindent 4 }}
@@ -13,7 +15,9 @@ spec:
 kind: Issuer
 name: {{ include "aiven-kubernetes-operator.fullname" . }}-selfsigned-issuer
 secretName: webhook-server-cert
+
 ---
+
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -23,4 +27,7 @@ metadata:
 {{- include "aiven-kubernetes-operator.labels" . | nindent 4 }}
 spec:
 selfSigned: {}
+
 ---
+
+{{- end }}
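Review bot: `ci/test-values.yaml` sets `webhooks.enabled: false`, and the kind cluster created in `.github/workflows/test.yaml` has no cert-manager, so `ct install` only ever exercises the webhook-less rendering; the chart's default configuration — webhooks enabled, the Certificate/Issuer pair, both webhook configurations and the `ensure_cert_manager_if_webhooks_are_enabled.yaml` guard — is never installed in CI. Either install cert-manager in the workflow before `ct install` and add a second `ci/*-values.yaml` with webhooks enabled, or record in this file why the default path is excluded, e.g. `# CI has no cert-manager, so the webhook path (the chart default) is not covered here`.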
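Review bot: The new helper `aiven-kubernetes-operator.ca_injection_annotation` emits `cert-manager.io/inject-ca-from: <namespace>/webhook-server-cert`, but cert-manager's cainjector resolves that annotation to a Certificate resource name, and the Certificate in `certificate.yaml` is now named `{{ include "aiven-kubernetes-operator.fullname" . }}-webhook-certificate` — `webhook-server-cert` is only its `secretName`. With the default `webhooks.enabled: true` the CA bundle is therefore never injected into the MutatingWebhookConfiguration and ValidatingWebhookConfiguration that consume this helper (the `mutating_webhook_configuration.yaml` and `validating_webhook_configuration.yaml` hunks below), and the apiserver cannot verify the webhook server's certificate, so admission calls fail. The fix is one line: `cert-manager.io/inject-ca-from: {{ include "aiven-kubernetes-operator.namespace" . }}/{{ include "aiven-kubernetes-operator.fullname" . }}-webhook-certificate`. CI does not catch this because it installs with webhooks disabled, and the helper's comment `Common annotation our custom resource` reads as a fragment — `CA-injection annotation shared by the webhook configurations` would say what it is for.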
diff --git a/charts/aiven-kubernetes-operator/templates/cluster_role.yaml b/charts/aiven-kubernetes-operator/templates/cluster_role.yaml index 76017b0..c6407f3 100644 --- a/charts/aiven-kubernetes-operator/templates/cluster_role.yaml +++ b/charts/aiven-kubernetes-operator/templates/cluster_role.yaml @@ -6,6 +6,13 @@ metadata: labels: {{- include "aiven-kubernetes-operator.labels" . | nindent 4 }} rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch - apiGroups: - "" resources: diff --git a/charts/aiven-kubernetes-operator/templates/deployment.yaml b/charts/aiven-kubernetes-operator/templates/deployment.yaml index 455ec1b..a42a821 100644 --- a/charts/aiven-kubernetes-operator/templates/deployment.yaml +++ b/charts/aiven-kubernetes-operator/templates/deployment.yaml 
@@ -4,60 +4,89 @@ metadata: name: {{ include "aiven-kubernetes-operator.fullname" . }} namespace: {{ include "aiven-kubernetes-operator.namespace" . }} labels: - {{- include "aiven-kubernetes-operator.labels" . | nindent 4 }} +{{- include "aiven-kubernetes-operator.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: - {{- include "aiven-kubernetes-operator.selectorLabels" . | nindent 6 }} +{{- include "aiven-kubernetes-operator.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} +{{- with .Values.podAnnotations }} annotations: - {{- toYaml . | nindent 8 }} - {{- end }} +{{- toYaml . | nindent 8 }} +{{- end }} labels: - {{- include "aiven-kubernetes-operator.selectorLabels" . | nindent 8 }} +{{- include "aiven-kubernetes-operator.selectorLabels" . | nindent 8 }} spec: - {{- with .Values.imagePullSecrets }} + terminationGracePeriodSeconds: 10 + +{{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} +{{- toYaml . 
| nindent 8 }} +{{- end }} + containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + +{{- if ( not .Values.webhooks.enabled ) }} + - name: ENABLE_WEBHOOKS + value: "false" +{{- end }} + ports: + - name: metrics + containerPort: 8080 + protocol: TCP + +{{- if .Values.webhooks.enabled }} - name: webhook containerPort: 9443 protocol: TCP +{{- end }} + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 10 tcpSocket: - port: webhook + port: metrics readinessProbe: + initialDelaySeconds: 5 + periodSeconds: 10 tcpSocket: - port: webhook + port: metrics resources: - {{- toYaml .Values.resources | nindent 12 }} +{{- toYaml .Values.resources | nindent 12 }} + +{{- if .Values.webhooks.enabled }} volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: webhook-server-cert readOnly: true - terminationGracePeriodSeconds: 10 +{{- end }} + +{{- if .Values.webhooks.enabled }} volumes: - name: webhook-server-cert secret: defaultMode: 420 secretName: webhook-server-cert - {{- with .Values.nodeSelector }} +{{- end }} + +{{- with .Values.nodeSelector }} nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} +{{- toYaml . | nindent 8 }} +{{- end }} + +{{- with .Values.affinity }} affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} + +{{- with .Values.tolerations }} tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} +{{- toYaml . | nindent 8 }} +{{- end }} diff --git a/charts/aiven-kubernetes-operator/templates/ensure_cert_manager_if_webhooks_are_enabled.yaml b/charts/aiven-kubernetes-operator/templates/ensure_cert_manager_if_webhooks_are_enabled.yaml new file mode 100644 index 0000000..625aaa2 --- /dev/null +++ b/charts/aiven-kubernetes-operator/templates/ensure_cert_manager_if_webhooks_are_enabled.yaml 
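Review bot: The rewritten container spec still carries no `securityContext` at pod or container level, so the operator — which holds the ClusterRole rules in `cluster_role.yaml` and reads the Aiven API tokens referenced by each resource's `authSecretRef` — runs with whatever user, privilege-escalation and capability defaults the image happens to have. A restrictive default exposed through `podSecurityContext`/`securityContext` values (with defaults in `values.yaml` such as `podSecurityContext: {runAsNonRoot: true}` and `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}`) would bring the chart in line with the restricted Pod Security Standard while letting users relax it; whether the image already runs as a non-root user needs checking against its Dockerfile before `runAsNonRoot: true` becomes the default. Separately, both probes now target the `metrics` port, so with `webhooks.enabled: true` a pod whose webhook server on 9443 is not yet serving is reported ready and receives admission requests; keeping a TCP readiness check on `webhook` inside the existing `{{- if .Values.webhooks.enabled }}` block closes that window.
```yaml
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          # … unchanged: image, imagePullPolicy, env, ports, probes, resources, volumeMounts …
```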
@@ -0,0 +1,8 @@
+{{- if .Values.webhooks.enabled }}
+
+{{- if not (.Capabilities.APIVersions.Has "cert-manager.io/v1") -}}
+ {{- fail "Required Cert Manager CRDs are missing even though Webhooks are enabled and Cert Manager is required" }}
+{{ end }}
+
+{{ end }}
+
diff --git a/charts/aiven-kubernetes-operator/templates/mutating_webhook_configuration.yaml b/charts/aiven-kubernetes-operator/templates/mutating_webhook_configuration.yaml
index 435b6a7..c977e10 100644
--- a/charts/aiven-kubernetes-operator/templates/mutating_webhook_configuration.yaml
+++ b/charts/aiven-kubernetes-operator/templates/mutating_webhook_configuration.yaml
@@ -1,12 +1,15 @@
+{{- if .Values.webhooks.enabled }}
+
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: {{ include "aiven-kubernetes-operator.namespace" . }}/{{ include "aiven-kubernetes-operator.fullname" . }}-serving-cert
+{{- include "aiven-kubernetes-operator.ca_injection_annotation" . | nindent 4 }}
 name: {{ include "aiven-kubernetes-operator.fullname" . }}-mutating-webhook-configuration
 namespace: {{ include "aiven-kubernetes-operator.namespace" . }}
 labels:
- {{- include "aiven-kubernetes-operator.labels" . | nindent 4 }}
+{{- include "aiven-kubernetes-operator.labels" . | nindent 4 }}
+
 webhooks: - admissionReviewVersions: - v1
@@ -248,3 +251,5 @@ webhooks:
 resources: - serviceusers
 sideEffects: None
+
+{{- end }}
diff --git a/charts/aiven-kubernetes-operator/templates/service.yaml b/charts/aiven-kubernetes-operator/templates/service.yaml
index c799486..2067043 100644
--- a/charts/aiven-kubernetes-operator/templates/service.yaml
+++ b/charts/aiven-kubernetes-operator/templates/service.yaml
@@ -1,3 +1,5 @@
+{{- if .Values.webhooks.enabled }}
+
 apiVersion: v1
 kind: Service
 metadata:
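Review bot: The guard `{{- if not (.Capabilities.APIVersions.Has "cert-manager.io/v1") -}}` depends on a cluster-sourced capability that is empty under `helm template`, `helm install --dry-run` and GitOps tools that render offline, so with the default `webhooks.enabled: true` those paths abort with the `fail` message even when cert-manager is present in the target cluster. A header comment stating this and the workaround — `{{/* Offline rendering: pass --api-versions cert-manager.io/v1 or set webhooks.enabled=false */}}` — belongs at the top of this file, and the same sentence next to the `helm install` example in the README would save users a confusing failure. The two closing `{{ end }}` lines lack the trimming `-`, so the file renders to a whitespace-only document; `{{- end }}` on both keeps the manifest stream clean.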
@@ -7,9 +9,11 @@ metadata:
 {{- include "aiven-kubernetes-operator.labels" . | nindent 4 }}
 spec:
 ports:
- - port: {{ .Values.service.webhookPort }}
+ - port: {{ .Values.webhooks.servicePort }}
 targetPort: webhook
 protocol: TCP
 name: webhook
 selector:
 {{- include "aiven-kubernetes-operator.selectorLabels" . | nindent 4 }}
+
+{{- end }}
diff --git a/charts/aiven-kubernetes-operator/templates/validating_webhook_configuration.yaml b/charts/aiven-kubernetes-operator/templates/validating_webhook_configuration.yaml
index ad04378..3a09c05 100644
--- a/charts/aiven-kubernetes-operator/templates/validating_webhook_configuration.yaml
+++ b/charts/aiven-kubernetes-operator/templates/validating_webhook_configuration.yaml
@@ -1,8 +1,10 @@
+{{- if .Values.webhooks.enabled }}
+
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: {{ include "aiven-kubernetes-operator.namespace" . }}/{{ include "aiven-kubernetes-operator.fullname" . }}-serving-cert
+{{- include "aiven-kubernetes-operator.ca_injection_annotation" . | nindent 4 }}
 name: {{ include "aiven-kubernetes-operator.fullname" . }}-validating-webhook-configuration
 namespace: {{ include "aiven-kubernetes-operator.namespace" . }}
 labels:
@@ -255,3 +257,5 @@ webhooks:
 resources: - serviceusers
 sideEffects: None
+
+{{- end }}
diff --git a/charts/aiven-kubernetes-operator/values.yaml b/charts/aiven-kubernetes-operator/values.yaml
index 4db46c0..f7f91c9 100644
--- a/charts/aiven-kubernetes-operator/values.yaml
+++ b/charts/aiven-kubernetes-operator/values.yaml
@@ -3,14 +3,21 @@ replicaCount: 1
 nameOverride: ""
 fullnameOverride: ""
+# webhhook configuration
+webhooks:
+ enabled: true
+ servicePort: 443
+
+# generic deployment configurations
 image:
- repository: aiven/aiven-kubernetes-operator
+ repository: aivenoy/aiven-kubernetes-operator
 pullPolicy: IfNotPresent
- # default is .Chart.AppVersion but can be overrided here
+ # default is .Chart.AppVersion but can be overriden here
 tag: ""
 imagePullSecrets: []
+
 resources:
 limits:
 cpu: 100m
@@ -19,9 +26,6 @@ resources:
 cpu: 100m
 memory: 128Mi
-service:
- webhookPort: 443
-
 podAnnotations: {}
 nodeSelector: {}
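Review bot: The new comment `# webhhook configuration` has a typo (`# webhook configuration`), and `image.repository` moves from `aiven/aiven-kubernetes-operator` to `aivenoy/aiven-kubernetes-operator`, a change of registry namespace that neither the commit message nor a comment explains; a one-line comment above the key naming where the operator images are published (and whether the old path is deprecated) lets users verify they are pulling from the intended publisher. Because `tag: ""` resolves to `.Chart.AppVersion`, a mutable tag, an optional `image.digest` value would give users an immutable pull reference without changing the default. `servicePort: 443` is an integer port and is correctly left unquoted.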