diff --git a/charts/aiven-operator-crds/Chart.yaml b/charts/aiven-operator-crds/Chart.yaml
index c3a2683..325ac5d 100644
--- a/charts/aiven-operator-crds/Chart.yaml
+++ b/charts/aiven-operator-crds/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2 name: aiven-operator-crds description: A Helm chart to deploy the aiven operator custom resource definitions type: application -version: v0.25.0 -appVersion: v0.25.0 +version: v0.26.0 +appVersion: v0.26.0 maintainers: - name: byashimov url: https://www.aiven.io
diff --git a/charts/aiven-operator-crds/templates/aiven.io_cassandras.yaml b/charts/aiven-operator-crds/templates/aiven.io_cassandras.yaml
index 156e2ac..a34b88b 100644
--- a/charts/aiven-operator-crds/templates/aiven.io_cassandras.yaml
+++ b/charts/aiven-operator-crds/templates/aiven.io_cassandras.yaml
@@ -225,7 +225,7 @@ spec: description: Cassandra specific user configuration options properties: additional_backup_regions: - description: Deprecated. Additional Cloud Regions for Backup Replication + description: Additional Cloud Regions for Backup Replication items: type: string maxItems: 1
@@ -290,7 +290,6 @@ spec: cassandra_version: description: Cassandra version enum: - - "4" - "4.1" pattern: ^[0-9]+(\.[0-9]+)?$ type: string
diff --git a/charts/aiven-operator-crds/templates/aiven.io_clickhouses.yaml b/charts/aiven-operator-crds/templates/aiven.io_clickhouses.yaml
index 61d12fb..318e0c3 100644
--- a/charts/aiven-operator-crds/templates/aiven.io_clickhouses.yaml
+++ b/charts/aiven-operator-crds/templates/aiven.io_clickhouses.yaml
@@ -340,6 +340,11 @@ spec: VPC or another type of private network type: boolean type: object + recovery_basebackup_name: + description: Name of the basebackup to restore in forked service + maxLength: 128 + pattern: ^[a-zA-Z0-9-_:.+]+$ + type: string service_log: description: Store logs for the service so that they are available
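Review bot: Dropping `"4"` from the `cassandra_version` enum (second cassandras hunk) makes any existing Cassandra CR that still pins `cassandra_version: "4"` fail CRD validation on its next update, because enum validation runs on every write of the object, and a bump from v0.25.0 to v0.26.0 does not advertise a breaking schema change. If the value is genuinely gone from the platform, the chart release notes should say so and tell users to move such CRs to `"4.1"` before upgrading the CRDs. The first cassandras hunk also drops the `Deprecated.` prefix from `additional_backup_regions`, while the new Flink CRD in this same commit still carries it for the same field — presumably one of the two generated schemas is stale, and it is worth checking which.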
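Review bot: In the clickhouses hunk, `recovery_basebackup_name` is validated with `pattern: ^[a-zA-Z0-9-_:.+]+$`, where the `-` immediately after the `0-9` range relies on the regex engine treating a hyphen following a range as a literal. Go's RE2, which the API server uses for CRD patterns, accepts it, but other engines that validate the same OpenAPI schema client-side may reject it or read it differently; the unambiguous form is `pattern: ^[a-zA-Z0-9_:.+-]+$`, with the hyphen last. Nothing in the diff shows how the backend resolves this name, so no stronger claim, but since `.` is allowed a value like `..` passes the pattern — worth confirming the name is only ever used as an opaque identifier.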
diff --git a/charts/aiven-operator-crds/templates/aiven.io_flinks.yaml b/charts/aiven-operator-crds/templates/aiven.io_flinks.yaml
new file mode 100644
index 0000000..4d886de
--- /dev/null
+++ b/charts/aiven-operator-crds/templates/aiven.io_flinks.yaml
@@ -0,0 +1,410 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: flinks.aiven.io +spec: + group: aiven.io + names: + kind: Flink + listKind: FlinkList + plural: flinks + singular: flink + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.project + name: Project + type: string + - jsonPath: .spec.cloudName + name: Region + type: string + - jsonPath: .spec.plan + name: Plan + type: string + - jsonPath: .status.state + name: State + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Flink is the Schema for the flinks API. + Info "Exposes secret keys": `FLINK_HOST`, `FLINK_PORT`, `FLINK_USER`, `FLINK_PASSWORD`, `FLINK_URI`, `FLINK_HOSTS` + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FlinkSpec defines the desired state of Flink + properties: + authSecretRef: + description: Authentication reference to Aiven token in a secret + properties: + key: + minLength: 1 + type: string + name: + minLength: 1 + type: string + required: + - key + - name + type: object + cloudName: + description: Cloud the service runs in. + maxLength: 256 + type: string + connInfoSecretTarget: + description: Secret configuration. 
+ properties: + annotations: + additionalProperties: + type: string + description: Annotations added to the secret + type: object + x-kubernetes-preserve-unknown-fields: true + labels: + additionalProperties: + type: string + description: Labels added to the secret + type: object + x-kubernetes-preserve-unknown-fields: true + name: + description: + Name of the secret resource to be created. By default, + it is equal to the resource name + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + prefix: + description: |- + Prefix for the secret's keys. + Added "as is" without any transformations. + By default, is equal to the kind name in uppercase + underscore, e.g. `KAFKA_`, `REDIS_`, etc. + type: string + required: + - name + type: object + connInfoSecretTargetDisabled: + description: + When true, the secret containing connection information + will not be created, defaults to false. This field cannot be changed + after resource creation. + type: boolean + x-kubernetes-validations: + - message: connInfoSecretTargetDisabled is immutable. + rule: self == oldSelf + disk_space: + description: |- + The disk space of the service, possible values depend on the service type, the cloud provider and the project. + Reducing will result in the service re-balancing. + The removal of this field does not change the value. + pattern: (?i)^[1-9][0-9]*(GiB|G)?$ + type: string + maintenanceWindowDow: + description: + Day of week when maintenance operations should be performed. + One monday, tuesday, wednesday, etc. + enum: + - monday + - tuesday + - wednesday + - thursday + - friday + - saturday + - sunday + type: string + maintenanceWindowTime: + description: + Time of day when maintenance operations should be performed. + UTC time in HH:mm:ss format. + maxLength: 8 + type: string + plan: + description: Subscription plan. 
+ maxLength: 128 + type: string + project: + description: Identifies the project this resource belongs to + maxLength: 63 + pattern: ^[a-zA-Z0-9_-]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + projectVPCRef: + description: + ProjectVPCRef reference to ProjectVPC resource to use + its ID as ProjectVPCID automatically + properties: + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + required: + - name + type: object + projectVpcId: + description: Identifier of the VPC the service should be in, if any. + maxLength: 36 + type: string + serviceIntegrations: + description: + Service integrations to specify when creating a service. + Not applied after initial service creation + items: + description: + Service integrations to specify when creating a service. + Not applied after initial service creation + properties: + integrationType: + enum: + - read_replica + type: string + sourceServiceName: + maxLength: 64 + minLength: 1 + type: string + required: + - integrationType + - sourceServiceName + type: object + maxItems: 1 + type: array + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + tags: + additionalProperties: + type: string + description: + Tags are key-value pairs that allow you to categorize + services. + type: object + technicalEmails: + description: + Defines the email addresses that will receive alerts + about upcoming maintenance updates or warnings about service instability. + items: + properties: + email: + description: Email address. + pattern: ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ + type: string + required: + - email + type: object + maxItems: 10 + type: array + terminationProtection: + description: + Prevent service from being deleted. It is recommended + to have this enabled for all services. 
+ type: boolean + userConfig: + description: Cassandra specific user configuration options + properties: + additional_backup_regions: + description: Deprecated. Additional Cloud Regions for Backup Replication + items: + type: string + maxItems: 1 + type: array + flink_version: + description: Flink major version + enum: + - "1.19" + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + ip_filter: + description: + Allow incoming connections from CIDR address block, + e.g. '10.20.0.0/16' + items: + description: + CIDR address block, either as a string, or in a + dict with an optional description field + properties: + description: + description: Description for IP filter list entry + maxLength: 1024 + type: string + network: + description: CIDR address block + maxLength: 43 + type: string + required: + - network + type: object + maxItems: 1024 + type: array + number_of_task_slots: + description: + Task slots per node. For a 3 node plan, total number + of task slots is 3x this value + maximum: 1024 + minimum: 1 + type: integer + pekko_ask_timeout_s: + description: + Timeout in seconds used for all futures and blocking + Pekko requests + maximum: 60 + minimum: 5 + type: integer + pekko_framesize_b: + description: + Maximum size in bytes for messages exchanged between + the JobManager and the TaskManagers + maximum: 52428800 + minimum: 1048576 + type: integer + privatelink_access: + description: + Allow access to selected service components through + Privatelink + properties: + flink: + description: Enable flink + type: boolean + prometheus: + description: Enable prometheus + type: boolean + type: object + public_access: + description: + Allow access to selected service ports from the public + Internet + properties: + flink: + description: + Allow clients to connect to flink from the public + internet for service nodes that are in a project VPC or + another type of private network + type: boolean + type: object + service_log: + 
description: + Store logs for the service so that they are available + in the HTTP API and console. + type: boolean + static_ips: + description: Use static public IP addresses + type: boolean + type: object + required: + - plan + - project + type: object + x-kubernetes-validations: + - message: + connInfoSecretTargetDisabled can only be set during resource + creation. + rule: has(oldSelf.connInfoSecretTargetDisabled) == has(self.connInfoSecretTargetDisabled) + status: + description: ServiceStatus defines the observed state of service + properties: + conditions: + description: + Conditions represent the latest available observations + of a service state + items: + description: + "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + state: + description: Service state + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/aiven-operator-crds/templates/aiven.io_grafanas.yaml b/charts/aiven-operator-crds/templates/aiven.io_grafanas.yaml index 091b772..3791a9c 100644 --- a/charts/aiven-operator-crds/templates/aiven.io_grafanas.yaml +++ b/charts/aiven-operator-crds/templates/aiven.io_grafanas.yaml 
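Review bot: The `userConfig` description in the new Flink CRD reads `Cassandra specific user configuration options` (the `+ userConfig:` stanza), a copy-paste from the cassandras schema; it should be `Flink specific user configuration options` so the rendered CRD docs name the right service. In the same stanza, `ip_filter[].network` is described as a CIDR address block but is constrained only by `maxLength: 43` with no `pattern`, unlike `project`, `disk_space` and `technicalEmails[].email` in this file which each carry one; a pattern, or at least a note that the Aiven API is the real gate for this value, would keep a malformed filter from being accepted into the CR and presumably surfacing only later as a reconcile error. Since this file is controller-gen output, both fixes belong in the upstream Go types and user-config schema rather than in the chart.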
@@ -232,8 +232,9 @@ spec: type: array alerting_enabled: description: - Enable or disable Grafana legacy alerting functionality. - This should not be enabled with unified_alerting_enabled. + "DEPRECATED: setting has no effect with Grafana 11 + and onward. Enable or disable Grafana legacy alerting functionality. + This should not be enabled with unified_alerting_enabled." type: boolean alerting_error_or_timeout: description: @@ -256,8 +257,8 @@ spec: alerting rules enum: - alerting - - no_data - keep_state + - no_data - ok type: string allow_embedding: @@ -370,6 +371,11 @@ spec: description: Token URL maxLength: 2048 type: string + use_refresh_token: + description: + Set to true to use refresh token and check access + token expiration. + type: boolean required: - api_url - auth_url @@ -433,14 +439,14 @@ spec: type: array api_url: description: - API URL. This only needs to be set when using - self hosted GitLab + This only needs to be set when using self hosted + GitLab maxLength: 2048 type: string auth_url: description: - Authorization URL. This only needs to be set - when using self hosted GitLab + This only needs to be set when using self hosted + GitLab maxLength: 2048 type: string client_id: @@ -455,8 +461,8 @@ spec: type: string token_url: description: - Token URL. This only needs to be set when using - self hosted GitLab + This only needs to be set when using self hosted + GitLab maxLength: 2048 type: string required: @@ -499,8 +505,8 @@ spec: value." enum: - lax - - strict - none + - strict type: string custom_domain: description: @@ -510,7 +516,8 @@ spec: type: string dashboard_previews_enabled: description: - This feature is new in Grafana 9 and is quite resource + Enable browsing of dashboards in grid (pictures) + mode. This feature is new in Grafana 9 and is quite resource intensive. It may cause low-end plans to work more slowly while the dashboard previews are rendering. type: boolean 
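Review bot: In the GitLab OAuth hunks, the `api_url`, `auth_url` and `token_url` descriptions all collapse to the identical text `This only needs to be set when using self hosted GitLab`, so the rendered docs no longer say which URL each field is; the previous `API URL.` / `Authorization URL.` / `Token URL.` prefixes should be kept, e.g. `API URL. This only needs to be set when using self hosted GitLab`. The new `use_refresh_token` field says what it does (`use refresh token and check access token expiration`) but not its default, which matters because the default decides whether access-token expiry is checked at all; a `Defaults to ...` clause would make that visible. These descriptions come from the upstream user-config schema, so the fix is there rather than in the chart.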
@@ -633,7 +640,7 @@ spec: maxLength: 2048 type: string provider: - description: Provider type + description: External image store provider enum: - s3 type: string @@ -676,7 +683,7 @@ spec: maxItems: 1024 type: array metrics_enabled: - description: Enable Grafana /metrics endpoint + description: Enable Grafana's /metrics endpoint type: boolean oauth_allow_insecure_email_lookup: description: @@ -783,9 +790,9 @@ spec: Either OpportunisticStartTLS, MandatoryStartTLS or NoStartTLS. Default is OpportunisticStartTLS. enum: - - OpportunisticStartTLS - MandatoryStartTLS - NoStartTLS + - OpportunisticStartTLS type: string username: description: Username for SMTP authentication @@ -805,7 +812,7 @@ spec: Enable or disable Grafana unified alerting functionality. By default this is enabled and any legacy alerts will be migrated on upgrade to Grafana 9+. To stay on legacy alerting, set unified_alerting_enabled - to false and alerting_enabled to true. See https://grafana.com/docs/grafana/latest/alerting/set-up/migrating-alerts/ + to false and alerting_enabled to true. See https://grafana.com/docs/grafana/latest/alerting/ for more details. type: boolean user_auto_assign_org: @@ -816,9 +823,9 @@ spec: user_auto_assign_org_role: description: Set role for new signups. Defaults to Viewer enum: - - Viewer - Admin - Editor + - Viewer type: string viewers_can_edit: description: diff --git a/charts/aiven-operator-crds/templates/aiven.io_kafkaconnects.yaml b/charts/aiven-operator-crds/templates/aiven.io_kafkaconnects.yaml index 0414c14..dfbfe1b 100644 --- a/charts/aiven-operator-crds/templates/aiven.io_kafkaconnects.yaml +++ b/charts/aiven-operator-crds/templates/aiven.io_kafkaconnects.yaml @@ -210,8 +210,8 @@ spec: Defines what client configurations can be overridden by the connector. Default is None enum: - - None - All + - None type: string consumer_auto_offset_reset: description: 
@@ -238,8 +238,8 @@ spec: is the default, but read_committed can be used if consume-exactly-once behavior is desired. enum: - - read_uncommitted - read_committed + - read_uncommitted type: string consumer_max_partition_fetch_bytes: description: @@ -309,10 +309,10 @@ spec: 'none' which is the default and equivalent to no compression. enum: - gzip - - snappy - lz4 - - zstd - none + - snappy + - zstd type: string producer_linger_ms: description: @@ -413,10 +413,13 @@ spec: supported. Secrets can be referenced in connector config with ${::}" items: - description: SecretProvider + description: + Configure external secret providers in order to + reference external secrets in connector configuration. Currently + Hashicorp Vault and AWS Secrets Manager are supported. properties: aws: - description: AWS config for Secret Provider + description: AWS secret provider configuration properties: access_key: description: Access key used to authenticate with aws @@ -447,7 +450,7 @@ spec: secrets in connector config. type: string vault: - description: Vault Config for Secret Provider + description: Vault secret provider configuration properties: address: description: Address of the Vault server diff --git a/charts/aiven-operator-crds/templates/aiven.io_kafkas.yaml b/charts/aiven-operator-crds/templates/aiven.io_kafkas.yaml index 81af8ee..ee2e9e3 100644 --- a/charts/aiven-operator-crds/templates/aiven.io_kafkas.yaml +++ b/charts/aiven-operator-crds/templates/aiven.io_kafkas.yaml @@ -291,11 +291,11 @@ spec: codec set by the producer.(Default: producer)" enum: - gzip - - snappy - lz4 - - zstd - - uncompressed - producer + - snappy + - uncompressed + - zstd type: string connections_max_idle_ms: description: @@ -379,9 +379,9 @@ spec: "The default cleanup policy for segments beyond the retention window (Default: delete)" enum: - - delete - compact - compact,delete + - delete type: string log_flush_interval_messages: description: 
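Review bot: The reworded `secret_providers[].aws` description (`AWS secret provider configuration`) still does not tell the user that `access_key` — and presumably the secret key and Vault token that accompany it, outside this hunk — are plain string fields of the CR spec, persisted in etcd and returned by `kubectl get kafkaconnect -o yaml` to anyone with read access, unlike the operator's own `authSecretRef`, which points at a Secret. Since the chart cannot change how the Aiven API models this, the description is the place to say so, e.g. `AWS secret provider configuration. Note: the credentials in this block are stored in clear text in the resource spec; restrict read access to these CRs accordingly.` The same stanza appears again under the Kafka CRD's `kafka_connect_config` later in this diff and would want the same wording.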
@@ -661,8 +661,8 @@ spec: Defines what client configurations can be overridden by the connector. Default is None enum: - - None - All + - None type: string consumer_auto_offset_reset: description: @@ -689,8 +689,8 @@ spec: is the default, but read_committed can be used if consume-exactly-once behavior is desired. enum: - - read_uncommitted - read_committed + - read_uncommitted type: string consumer_max_partition_fetch_bytes: description: @@ -760,10 +760,10 @@ spec: 'none' which is the default and equivalent to no compression. enum: - gzip - - snappy - lz4 - - zstd - none + - snappy + - zstd type: string producer_linger_ms: description: @@ -813,10 +813,13 @@ spec: supported. Secrets can be referenced in connector config with ${::}" items: - description: SecretProvider + description: + Configure external secret providers in order to + reference external secrets in connector configuration. Currently + Hashicorp Vault and AWS Secrets Manager are supported. properties: aws: - description: AWS config for Secret Provider + description: AWS secret provider configuration properties: access_key: description: Access key used to authenticate with aws @@ -847,7 +850,7 @@ spec: secrets in connector config. type: string vault: - description: Vault Config for Secret Provider + description: Vault secret provider configuration properties: address: description: Address of the Vault server @@ -926,8 +929,8 @@ spec: Name strategy to use when selecting subject for storing schemas enum: - - topic_name - record_name + - topic_name - topic_record_name type: string name_strategy_validation: @@ -944,10 +947,10 @@ spec: for the full set of in-sync replicas to acknowledge the record. enum: - - all - "-1" - "0" - "1" + - all type: string producer_compression_type: description: @@ -957,10 +960,10 @@ spec: 'none' which is the default and equivalent to no compression. enum: - gzip - - snappy - lz4 - - zstd - none + - snappy + - zstd type: string producer_linger_ms: description: 
@@ -1000,10 +1003,8 @@ spec: kafka_version: description: Kafka major version enum: - - "3.4" - - "3.5" - - "3.6" - "3.7" + - "3.8" type: string letsencrypt_sasl_privatelink: description: Use Letsencrypt CA for Kafka SASL via Privatelink @@ -1118,6 +1119,19 @@ spec: a secondary cluster and Karapace / Schema Registry there must not participate in leader election. Defaults to `true`. type: boolean + retriable_errors_silenced: + description: + If enabled, kafka errors which can be retried + or custom errors specified for the service will not be raised, + instead, a warning log is emitted. This will denoise issue + tracking systems, i.e. sentry. Defaults to `true`. + type: boolean + schema_reader_strict_mode: + description: + If enabled, causes the Karapace schema-registry + service to shutdown when there are invalid schema records + in the `_schemas` topic. Defaults to `false`. + type: boolean topic_name: description: The durable single partition topic that acts @@ -1138,6 +1152,18 @@ spec: Store logs for the service so that they are available in the HTTP API and console. type: boolean + single_zone: + description: Single-zone configuration + properties: + enabled: + description: + Whether to allocate nodes on the same Availability + Zone or spread across zones available. By default service + nodes are spread across different AZs. The single AZ support + is best-effort and may temporarily allocate nodes in different + AZs e.g. in case of capacity limitations in one AZ. + type: boolean + type: object static_ips: description: Use static public IP addresses type: boolean diff --git a/charts/aiven-operator-crds/templates/aiven.io_mysqls.yaml b/charts/aiven-operator-crds/templates/aiven.io_mysqls.yaml index b7eefee..c3b65e1 100644 --- a/charts/aiven-operator-crds/templates/aiven.io_mysqls.yaml +++ b/charts/aiven-operator-crds/templates/aiven.io_mysqls.yaml 
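Review bot: Removing `"3.4"`, `"3.5"` and `"3.6"` from the `kafka_version` enum (first kafkas hunk on this line) means any existing Kafka CR that pins one of those values will be rejected on its next update, because enum validation runs on every write of the object; that is a breaking CRD change for users and should be called out in the chart release notes with the instruction to move such CRs to `"3.7"` or `"3.8"` before upgrading the CRDs. In the same file, the new `retriable_errors_silenced` field documents `Defaults to true`, i.e. retriable Kafka errors are downgraded to warning logs unless explicitly disabled; that default is worth surfacing in the chart docs since it reduces the error signal available to whatever is alerting on the service.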
@@ -495,14 +495,26 @@ spec: The storage engine for in-memory internal temporary tables. enum: - - TempTable - MEMORY + - TempTable + type: string + log_output: + description: + The slow log output destination when slow_query_log + is ON. To enable MySQL AI Insights, choose INSIGHTS. To + use MySQL AI Insights and the mysql.slow_log table at the + same time, choose INSIGHTS,TABLE. To only use the mysql.slow_log + table, choose TABLE. To silence slow logs, choose NONE. + enum: + - INSIGHTS + - INSIGHTS,TABLE + - NONE + - TABLE type: string long_query_time: description: The slow_query_logs work as SQL statements that - take more than long_query_time seconds to execute. Default - is 10s + take more than long_query_time seconds to execute. maximum: 3600 minimum: 0 type: number @@ -546,7 +558,7 @@ spec: description: Slow query log enables capturing of slow queries. Setting slow_query_log to false also truncates the mysql.slow_log - table. Default is off + table. type: boolean sort_buffer_size: description: diff --git a/charts/aiven-operator-crds/templates/aiven.io_opensearches.yaml b/charts/aiven-operator-crds/templates/aiven.io_opensearches.yaml index 3b23172..31eace5 100644 --- a/charts/aiven-operator-crds/templates/aiven.io_opensearches.yaml +++ b/charts/aiven-operator-crds/templates/aiven.io_opensearches.yaml @@ -231,9 +231,10 @@ spec: maxItems: 1 type: array azure_migration: + description: Azure migration settings properties: account: - description: Azure account name + description: Account name pattern: ^[^\r\n]*$ type: string base_path: 
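Review bot: The `long_query_time` and `slow_query_log` hunks drop the stated defaults (`Default is 10s`, `Default is off`) without replacing them, so a reader of the rendered CRD can no longer tell what they get when the fields are omitted; if the defaults are unchanged the sentences should be restored, and if they changed the new default should be stated. The new `log_output` enum includes `INSIGHTS,TABLE` as a single literal, which is fine for the API server but easy to mistake for a two-item list; a sentence such as `INSIGHTS,TABLE is one literal value, not a list.` in the description would avoid that. Since slow-query logs record full statement text, a short caution that enabling `INSIGHTS` or `TABLE` output can expose literal query parameters to anyone who can read those destinations would also be appropriate.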
@@ -263,12 +264,28 @@ spec: description: Defines the DNS suffix for Azure Storage endpoints. pattern: ^[^\r\n]*$ type: string + include_aliases: + description: + Whether to restore aliases alongside their associated + indexes. Default is true. + type: boolean + indices: + description: + A comma-delimited list of indices to restore + from the snapshot. Multi-index syntax is supported. + pattern: ^(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?)(,(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?))*[,]?$ + type: string key: description: Azure account secret key. One of key or sas_token should be specified pattern: ^[^\r\n]*$ type: string + restore_global_state: + description: + If true, restore the cluster state. Defaults + to false + type: boolean sas_token: description: A shared access signatures (SAS) token. One of @@ -283,6 +300,7 @@ spec: - account - base_path - container + - indices - snapshot_name type: object custom_domain: @@ -293,13 +311,14 @@ spec: type: string disable_replication_factor_adjustment: description: - "DEPRECATED: Disable automatic replication factor - adjustment for multi-node services. By default, Aiven ensures - all indexes are replicated at least to two nodes. Note: Due - to potential data loss in case of losing a service node, this - setting can no longer be activated." + "Disable automatic replication factor adjustment + for multi-node services. By default, Aiven ensures all indexes + are replicated at least to two nodes. Note: Due to potential + data loss in case of losing a service node, this setting can + not be activated unless specifically allowed for the project." type: boolean gcs_migration: + description: Google Cloud Storage migration settings properties: base_path: description: 
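Review bot: `indices` is added to `azure_migration.required`, so any existing OpenSearch CR that already has an `azure_migration` block without it will fail validation on its next write — a breaking change that a CRD-only version bump does not advertise. The `indices` pattern also matches the empty string (every part of `^(\*?[a-z0-9._-]*\*?|…)…[,]?$` is optional), so `indices: ""` satisfies both `required` and `pattern`; adding `minLength: 1` would make the requirement real. Separately, `restore_global_state` is described only as `If true, restore the cluster state`; since that presumably replaces the target cluster's persisted state (settings, templates) with whatever is in a foreign snapshot, the description should carry a caution to that effect. The `gcs_migration` block further down receives the same additions and the same remarks apply.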
@@ -328,6 +347,22 @@ spec: description: Google Cloud Storage credentials file content pattern: ^[^\r\n]*$ type: string + include_aliases: + description: + Whether to restore aliases alongside their associated + indexes. Default is true. + type: boolean + indices: + description: + A comma-delimited list of indices to restore + from the snapshot. Multi-index syntax is supported. + pattern: ^(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?)(,(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?))*[,]?$ + type: string + restore_global_state: + description: + If true, restore the cluster state. Defaults + to false + type: boolean snapshot_name: description: The snapshot name to restore from pattern: ^[^\r\n]*$ @@ -336,6 +371,7 @@ spec: - base_path - bucket - credentials + - indices - snapshot_name type: object index_patterns: @@ -589,7 +625,7 @@ spec: The number of login attempts allowed before login is blocked maximum: 2147483647 - minimum: 0 + minimum: 1 type: integer authentication_backend: description: internal_authentication_backend_limiting.authentication_backend @@ -645,7 +681,7 @@ spec: The duration of time that login remains blocked after a failed login maximum: 36000 - minimum: 1 + minimum: 0 type: integer max_blocked_clients: description: The maximum number of blocked IP addresses @@ -664,7 +700,7 @@ spec: The window of time in which the value for `allowed_tries` is enforced maximum: 36000 - minimum: 1 + minimum: 0 type: integer type: description: The type of rate limiting @@ -685,7 +721,7 @@ spec: description: How many concurrent incoming/outgoing shard recoveries (normally replicas) are allowed to happen on a node. Defaults - to 2. + to node cpu count * 2. maximum: 16 minimum: 2 type: integer 
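Review bot: Lowering `block_expiry_seconds` and `time_window_seconds` from `minimum: 1` to `minimum: 0` under the login rate-limiting settings allows a configuration in which a block expires immediately or the counting window is zero, which presumably disables the brute-force protection these settings implement while leaving it looking enabled; if 0 is a deliberate "off" sentinel the descriptions should say so, e.g. `0 disables blocking`, and if it is not, the minimum should stay at 1. The change of `allowed_tries` to `minimum: 1` in the same hunk is the right direction, since 0 would have meant no login attempt is ever permitted. These bounds come from the upstream schema, so the fix belongs there, but the chart inherits the loosened limit as-is.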
@@ -874,6 +910,257 @@ spec: maxLength: 1024 pattern: ^[^\r\n]*$ type: string + search.insights.top_queries: + properties: + cpu: + description: Top N queries monitoring by CPU + properties: + enabled: + description: + Enable or disable top N query monitoring + by the metric + type: boolean + top_n_size: + description: + Specify the value of N for the top N + queries by the metric + minimum: 1 + type: integer + window_size: + description: + The window size of the top N queries + by the metric + pattern: ^(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?)(,(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?))*[,]?$ + type: string + type: object + latency: + description: Top N queries monitoring by latency + properties: + enabled: + description: + Enable or disable top N query monitoring + by the metric + type: boolean + top_n_size: + description: + Specify the value of N for the top N + queries by the metric + minimum: 1 + type: integer + window_size: + description: + The window size of the top N queries + by the metric + pattern: ^(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?)(,(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?))*[,]?$ + type: string + type: object + memory: + description: Top N queries monitoring by memory + properties: + enabled: + description: + Enable or disable top N query monitoring + by the metric + type: boolean + top_n_size: + description: + Specify the value of N for the top N + queries by the metric + minimum: 1 + type: integer + window_size: + description: + The window size of the top N queries + by the metric + pattern: ^(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?)(,(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?))*[,]?$ + type: string + type: object + type: object + search_backpressure: + description: Search Backpressure Settings + properties: + mode: + description: + The search backpressure mode. Valid values + are monitor_only, enforced, or disabled. 
Default is + monitor_only + enum: + - disabled + - enforced + - monitor_only + type: string + node_duress: + description: Node duress settings + properties: + cpu_threshold: + description: + The CPU usage threshold (as a percentage) + required for a node to be considered to be under + duress. Default is 0.9 + maximum: 1 + minimum: 0 + type: number + heap_threshold: + description: + The heap usage threshold (as a percentage) + required for a node to be considered to be under + duress. Default is 0.7 + maximum: 1 + minimum: 0 + type: number + num_successive_breaches: + description: + The number of successive limit breaches + after which the node is considered to be under duress. + Default is 3 + minimum: 1 + type: integer + type: object + search_shard_task: + description: Search shard settings + properties: + cancellation_burst: + description: + The maximum number of search tasks to + cancel in a single iteration of the observer thread. + Default is 10.0 + minimum: 1 + type: number + cancellation_rate: + description: + The maximum number of tasks to cancel + per millisecond of elapsed time. Default is 0.003 + minimum: 0 + type: number + cancellation_ratio: + description: + The maximum number of tasks to cancel, + as a percentage of successful task completions. + Default is 0.1 + maximum: 1 + minimum: 0 + type: number + cpu_time_millis_threshold: + description: + The CPU usage threshold (in milliseconds) + required for a single search shard task before it + is considered for cancellation. Default is 15000 + minimum: 0 + type: integer + elapsed_time_millis_threshold: + description: + The elapsed time threshold (in milliseconds) + required for a single search shard task before it + is considered for cancellation. Default is 30000 + minimum: 0 + type: integer + heap_moving_average_window_size: + description: + The number of previously completed search + shard tasks to consider when calculating the rolling + average of heap usage. 
Default is 100 + minimum: 0 + type: integer + heap_percent_threshold: + description: + The heap usage threshold (as a percentage) + required for a single search shard task before it + is considered for cancellation. Default is 0.5 + maximum: 1 + minimum: 0 + type: number + heap_variance: + description: + The minimum variance required for a single + search shard task’s heap usage compared to the rolling + average of previously completed tasks before it + is considered for cancellation. Default is 2.0 + minimum: 0 + type: number + total_heap_percent_threshold: + description: + The heap usage threshold (as a percentage) + required for the sum of heap usages of all search + shard tasks before cancellation is applied. Default + is 0.5 + maximum: 1 + minimum: 0 + type: number + type: object + search_task: + description: Search task settings + properties: + cancellation_burst: + description: + The maximum number of search tasks to + cancel in a single iteration of the observer thread. + Default is 5.0 + minimum: 1 + type: number + cancellation_rate: + description: + The maximum number of search tasks to + cancel per millisecond of elapsed time. Default + is 0.003 + minimum: 0 + type: number + cancellation_ratio: + description: + The maximum number of search tasks to + cancel, as a percentage of successful search task + completions. Default is 0.1 + maximum: 1 + minimum: 0 + type: number + cpu_time_millis_threshold: + description: + The CPU usage threshold (in milliseconds) + required for an individual parent task before it + is considered for cancellation. Default is 30000 + minimum: 0 + type: integer + elapsed_time_millis_threshold: + description: + The elapsed time threshold (in milliseconds) + required for an individual parent task before it + is considered for cancellation. 
Default is 45000 + minimum: 0 + type: integer + heap_moving_average_window_size: + description: + The window size used to calculate the + rolling average of the heap usage for the completed + parent tasks. Default is 10 + minimum: 0 + type: integer + heap_percent_threshold: + description: + The heap usage threshold (as a percentage) + required for an individual parent task before it + is considered for cancellation. Default is 0.2 + maximum: 1 + minimum: 0 + type: number + heap_variance: + description: + The heap usage variance required for + an individual parent task before it is considered + for cancellation. A task is considered for cancellation + when taskHeapUsage is greater than or equal to heapUsageMovingAverage + * variance. Default is 2.0 + minimum: 0 + type: number + total_heap_percent_threshold: + description: + The heap usage threshold (as a percentage) + required for the sum of heap usages of all search + tasks before cancellation is applied. Default is + 0.5 + maximum: 1 + minimum: 0 + type: number + type: object + type: object search_max_buckets: description: Maximum number of aggregation buckets allowed 
@@ -882,6 +1169,91 @@ spec: maximum: 1000000 minimum: 1 type: integer + shard_indexing_pressure: + description: Shard indexing back pressure settings + properties: + enabled: + description: + Enable or disable shard indexing backpressure. + Default is false + type: boolean + enforced: + description: + Run shard indexing backpressure in shadow + mode or enforced mode. In shadow mode (value + set as false), shard indexing backpressure tracks all + granular-level metrics, but it doesn’t actually + reject any indexing requests. In enforced + mode (value set as true), shard indexing + backpressure rejects any requests to the cluster that + might cause a dip in its performance. Default + is false + type: boolean + operating_factor: + description: Operating factor + properties: + lower: + description: + Specify the lower occupancy limit of + the allocated quota of memory for the shard. If + the total memory usage of a shard is below this + limit, shard indexing backpressure + decreases the current allocated memory for that + shard. Default is 0.75 + minimum: 0 + type: number + optimal: + description: + Specify the optimal occupancy of the + allocated quota of memory for the shard. If + the total memory usage of a shard is at this level, shard + indexing backpressure doesn’t change the current + allocated memory for that shard. Default + is 0.85 + minimum: 0 + type: number + upper: + description: + Specify the upper occupancy limit of + the allocated quota of memory for the shard. If + the total memory usage of a shard is above this + limit, shard indexing backpressure + increases the current allocated memory for that + shard. Default is 0.95 + minimum: 0 + type: number + type: object + primary_parameter: + description: Primary parameter + properties: + node: + properties: + soft_limit: + description: + Define the percentage of the node-level + memory threshold + that acts as a soft indicator for strain on + a node. 
Default + is 0.7 + minimum: 0 + type: number + type: object + shard: + properties: + min_limit: + description: + Specify the minimum assigned quota + for a new shard in any role (coordinator, primary, + or replica). Shard + indexing backpressure increases or decreases + this allocated quota based on the inflow of + traffic for the shard. Default + is 0.001 + minimum: 0 + type: number + type: object + type: object + type: object thread_pool_analyze_queue_size: description: Size for the thread pool queue. See documentation @@ -1081,6 +1453,7 @@ spec: pattern: ^[a-zA-Z0-9-_:.]+$ type: string s3_migration: + description: AWS S3 / AWS S3 compatible migration settings properties: access_key: description: AWS Access key @@ -1116,10 +1489,26 @@ spec: to the service’s endpoint pattern: ^[^\r\n]*$ type: string + include_aliases: + description: + Whether to restore aliases alongside their associated + indexes. Default is true. + type: boolean + indices: + description: + A comma-delimited list of indices to restore + from the snapshot. Multi-index syntax is supported. + pattern: ^(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?)(,(\*?[a-z0-9._-]*\*?|-\*?[a-z0-9._-]*\*?))*[,]?$ + type: string region: description: S3 region pattern: ^[^\r\n]*$ type: string + restore_global_state: + description: + If true, restore the cluster state. Defaults + to false + type: boolean secret_key: description: AWS secret key pattern: ^[^\r\n]*$ @@ -1137,6 +1526,7 @@ spec: - access_key - base_path - bucket + - indices - region - secret_key - snapshot_name diff --git a/charts/aiven-operator-crds/templates/aiven.io_postgresqls.yaml b/charts/aiven-operator-crds/templates/aiven.io_postgresqls.yaml index dbec011..40bac23 100644 --- a/charts/aiven-operator-crds/templates/aiven.io_postgresqls.yaml +++ b/charts/aiven-operator-crds/templates/aiven.io_postgresqls.yaml 
@@ -225,7 +225,7 @@ spec: description: PostgreSQL specific user configuration options properties: additional_backup_regions: - description: Additional Cloud Regions for Backup Replication + description: Deprecated. Additional Cloud Regions for Backup Replication items: type: string maxItems: 1 @@ -519,16 +519,16 @@ spec: Controls the amount of detail written in the server log for each message that is logged. enum: - - TERSE - DEFAULT + - TERSE - VERBOSE type: string log_line_prefix: description: Choose from one of the available log formats. enum: - - "'pid=%p,user=%u,db=%d,app=%a,client=%h '" - - "'%t [%p]: [%l-1] user=%u,db=%d,app=%a,client=%h '" - "'%m [%p] %q[user=%u,db=%d,app=%a] '" + - "'%t [%p]: [%l-1] user=%u,db=%d,app=%a,client=%h '" + - "'pid=%p,user=%u,db=%d,app=%a,client=%h '" - "'pid=%p,user=%u,db=%d,app=%a,client=%h,txid=%x,qid=%Q '" type: string @@ -660,8 +660,8 @@ spec: statement statistics collection. The default value is top. enum: - all - - top - none + - top type: string temp_file_limit: description: @@ -694,8 +694,8 @@ spec: time used. enum: - all - - pl - none + - pl type: string track_io_timing: description: @@ -777,7 +777,6 @@ spec: pg_version: description: PostgreSQL major version enum: - - "12" - "13" - "14" - "15" @@ -898,8 +897,8 @@ spec: description: PGBouncer pool mode enum: - session - - transaction - statement + - transaction type: string autodb_pool_size: description: @@ -1081,8 +1080,8 @@ spec: Synchronous replication type. Note that the service plan also needs to support synchronous replication. enum: - - quorum - "off" + - quorum type: string timescaledb: description: System-wide settings for the timescaledb extension diff --git a/charts/aiven-operator-crds/templates/aiven.io_redis.yaml b/charts/aiven-operator-crds/templates/aiven.io_redis.yaml index dbf2f82..0aaa551 100644 --- a/charts/aiven-operator-crds/templates/aiven.io_redis.yaml +++ b/charts/aiven-operator-crds/templates/aiven.io_redis.yaml 
@@ -426,14 +426,14 @@ spec: redis_maxmemory_policy: description: Redis maxmemory-policy enum: - - noeviction + - allkeys-lfu - allkeys-lru - - volatile-lru - allkeys-random + - noeviction + - volatile-lfu + - volatile-lru - volatile-random - volatile-ttl - - volatile-lfu - - allkeys-lfu type: string redis_notify_keyspace_events: description: Set notify-keyspace-events option @@ -473,7 +473,7 @@ spec: type: boolean redis_timeout: description: Redis idle connection timeout in seconds - maximum: 31536000 + maximum: 2073600 minimum: 0 type: integer redis_version: diff --git a/charts/aiven-operator-crds/templates/aiven.io_serviceintegrationendpoints.yaml b/charts/aiven-operator-crds/templates/aiven.io_serviceintegrationendpoints.yaml index 2893db2..5e0b969 100644 --- a/charts/aiven-operator-crds/templates/aiven.io_serviceintegrationendpoints.yaml +++ b/charts/aiven-operator-crds/templates/aiven.io_serviceintegrationendpoints.yaml @@ -69,6 +69,35 @@ spec: - key - name type: object + autoscaler: + description: Autoscaler configuration values + properties: + autoscaling: + description: Configure autoscaling thresholds for a service + items: + description: Autoscaling properties for a service + properties: + cap_gb: + description: + The maximum total disk size (in gb) to allow + autoscaler to scale up to + maximum: 10000 + minimum: 50 + type: integer + type: + description: Type of autoscale event + enum: + - autoscale_disk + type: string + required: + - cap_gb + - type + type: object + maxItems: 64 + type: array + required: + - autoscaling + type: object datadog: description: Datadog configuration values properties: @@ -124,12 +153,12 @@ spec: site: description: Datadog intake site. Defaults to datadoghq.com enum: + - ap1.datadoghq.com - datadoghq.com - datadoghq.eu + - ddog-gov.com - us3.datadoghq.com - us5.datadoghq.com - - ddog-gov.com - - ap1.datadoghq.com type: string required: - datadog_api_key 
@@ -327,9 +356,9 @@ spec: description: Security protocol enum: - PLAINTEXT - - SSL - SASL_PLAINTEXT - SASL_SSL + - SSL type: string ssl_ca_cert: description: PEM-encoded CA certificate @@ -444,8 +473,8 @@ spec: authentication: description: Authentication method enum: - - none - basic + - none type: string basic_auth_password: description: Basic authentication password @@ -515,9 +544,9 @@ spec: format: description: Message format enum: - - rfc5424 - - rfc3164 - custom + - rfc3164 + - rfc5424 type: string key: description: PEM encoded client key diff --git a/charts/aiven-operator-crds/templates/aiven.io_serviceintegrations.yaml b/charts/aiven-operator-crds/templates/aiven.io_serviceintegrations.yaml index 825f727..4d014e3 100644 --- a/charts/aiven-operator-crds/templates/aiven.io_serviceintegrations.yaml +++ b/charts/aiven-operator-crds/templates/aiven.io_serviceintegrations.yaml @@ -73,6 +73,9 @@ spec: - key - name type: object + autoscaler: + description: Autoscaler specific user configuration options + type: object clickhouseKafka: description: Clickhouse Kafka configuration values properties: @@ -86,12 +89,12 @@ spec: Action to take when there is no initial offset in offset store or the desired offset is out of range enum: - - smallest - - earliest - beginning + - earliest + - end - largest - latest - - end + - smallest type: string columns: description: Table columns @@ -118,6 +121,7 @@ spec: description: Message data format enum: - Avro + - AvroConfluent - CSV - JSONAsString - JSONCompactEachRow @@ -125,12 +129,11 @@ spec: - JSONEachRow - JSONStringsEachRow - MsgPack + - Parquet + - RawBLOB - TSKV - TSV - TabSeparated - - RawBLOB - - AvroConfluent - - Parquet type: string date_time_input_format: description: Method to read DateTime from text input formats @@ -572,10 +575,10 @@ spec: 'none' which is the default and equivalent to no compression. enum: - gzip - - snappy - lz4 - - zstd - none + - snappy + - zstd type: string producer_linger_ms: description: 
diff --git a/charts/aiven-operator/Chart.yaml b/charts/aiven-operator/Chart.yaml
index f8dc920..d7c6ffd 100644
--- a/charts/aiven-operator/Chart.yaml
+++ b/charts/aiven-operator/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: aiven-operator
 description: A Helm chart to deploy the aiven operator
 type: application
-version: v0.25.0
-appVersion: v0.25.0
+version: v0.26.0
+appVersion: v0.26.0
 maintainers:
 - name: byashimov
 url: https://www.aiven.io
diff --git a/charts/aiven-operator/templates/_helpers.tpl b/charts/aiven-operator/templates/_helpers.tpl
index abd34ee..a09b688 100644
--- a/charts/aiven-operator/templates/_helpers.tpl
+++ b/charts/aiven-operator/templates/_helpers.tpl
@@ -72,3 +72,19 @@ Common annotation our custom resource
 {{- define "aiven-operator.ca_injection_annotation" -}}
 cert-manager.io/inject-ca-from: {{ include "aiven-operator.namespace" . }}/{{ include "aiven-operator.fullname" . }}-webhook-certificate
 {{- end }}
+
+{{/*
+namespaceSelector for validating and mutating webhooks
+*/}}
+{{- define "aiven-operator.webhookNamespaceSelector" -}}
+{{- with .Values.watchedNamespaces }}
+namespaceSelector:
+ matchExpressions:
+ - values:
+ {{- range . }}
+ - {{ . }}
+ {{- end }}
+ key: kubernetes.io/metadata.name
+ operator: In
+{{- end }}
+{{- end }}
diff --git a/charts/aiven-operator/templates/cluster_role.yaml b/charts/aiven-operator/templates/cluster_role.yaml
index b8947b9..5488d1f 100644
--- a/charts/aiven-operator/templates/cluster_role.yaml
+++ b/charts/aiven-operator/templates/cluster_role.yaml
@@ -250,6 +250,34 @@ rules:
 - get
 - patch
 - update
+ - apiGroups:
+ - aiven.io
+ resources:
+ - flinks
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - aiven.io
+ resources:
+ - flinks/finalizers
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - aiven.io
+ resources:
+ - flinks/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - aiven.io
 resources:
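Review bot: The namespace names in the new `webhookNamespaceSelector` helper are emitted as plain scalars, `- {{ . }}`, so a namespace whose name is a YAML 1.1 boolean or number (`no`, `on`, `true`, `123` are all valid DNS-1123 labels) is typed as bool/int in the rendered manifest and the webhook configuration will most likely be rejected by the API server instead of being scoped. Quote the value, `- {{ . | quote }}`, and do the same for `namespace: {{ $watchedNamespace }}` in the new role_binding.yaml. Note also that the helper's output starts with a newline because the `{{- with .Values.watchedNamespaces }}` line has no right-trim; the callers in the webhook templates rely on that, so any later tightening of the trim markers here would silently break them.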
diff --git a/charts/aiven-operator/templates/cluster_role_binding.yaml b/charts/aiven-operator/templates/cluster_role_binding.yaml
index 2c0178b..d1c6683 100644
--- a/charts/aiven-operator/templates/cluster_role_binding.yaml
+++ b/charts/aiven-operator/templates/cluster_role_binding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.clusterRole.create -}}
+{{- if and .Values.clusterRole.create (not .Values.watchedNamespaces) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/charts/aiven-operator/templates/deployment.yaml b/charts/aiven-operator/templates/deployment.yaml
index d6a0e06..d295b9a 100644
--- a/charts/aiven-operator/templates/deployment.yaml
+++ b/charts/aiven-operator/templates/deployment.yaml
@@ -49,6 +49,10 @@ spec:
 - name: ENABLE_WEBHOOKS
 value: "false"
 {{- end }}
+ {{- with .Values.watchedNamespaces }}
+ - name: WATCHED_NAMESPACES
+ value: {{ . | uniq | join "," | quote }}
+ {{- end }}
 command:
 - /manager
 args:
diff --git a/charts/aiven-operator/templates/mutating_webhook_configuration.yaml b/charts/aiven-operator/templates/mutating_webhook_configuration.yaml
index 10924fd..8f476f8 100644
--- a/charts/aiven-operator/templates/mutating_webhook_configuration.yaml
+++ b/charts/aiven-operator/templates/mutating_webhook_configuration.yaml
@@ -29,6 +29,7 @@ webhooks:
 resources:
 - cassandras
 sideEffects: None
+ {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }}
 - admissionReviewVersions:
 - v1
 clientConfig:
@@ -49,6 +50,7 @@ webhooks:
 resources:
 - clickhouses
 sideEffects: None
+ {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }}
 - admissionReviewVersions:
 - v1
 clientConfig:
@@ -69,6 +71,7 @@ webhooks:
 resources:
 - connectionpools
 sideEffects: None
+ {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }}
 - admissionReviewVersions:
 - v1
 clientConfig:
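Review bot: `{{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }}` left-trims the newline after `sideEffects: None`, so the selector only lands on its own line because the helper's output happens to begin with a newline; the rendered `sideEffects` line also carries trailing spaces, and any right-trim added to the helper later would fold `namespaceSelector:` onto the same line as `sideEffects: None` and break every webhook entry at once. `{{- include "aiven-operator.webhookNamespaceSelector" . | nindent 4 }}` does not depend on the helper's leading newline and matches the `nindent` the chart already uses for labels in role_binding.yaml. The same pattern is repeated in every webhook entry of mutating_webhook_configuration.yaml and validating_webhook_configuration.yaml, so the change applies to all of those hunks.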
@@ -89,6 +92,28 @@ webhooks: resources: - databases sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "aiven-operator.fullname" . }}-webhook-service + namespace: {{ include "aiven-operator.namespace" . }} + path: /mutate-aiven-io-v1alpha1-flink + failurePolicy: Fail + name: mflink.kb.io + rules: + - apiGroups: + - aiven.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - flinks + sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -109,6 +134,7 @@ webhooks: resources: - grafanas sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -129,6 +155,7 @@ webhooks: resources: - kafkas sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -149,6 +176,7 @@ webhooks: resources: - kafkaacls sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -169,6 +197,7 @@ webhooks: resources: - kafkaconnects sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -189,6 +218,7 @@ webhooks: resources: - kafkaconnectors sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -209,6 +239,7 @@ webhooks: resources: - kafkaschemas sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: 
@@ -229,6 +260,7 @@ webhooks: resources: - kafkatopics sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -249,6 +281,7 @@ webhooks: resources: - mysqls sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -269,6 +302,7 @@ webhooks: resources: - opensearches sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -289,6 +323,7 @@ webhooks: resources: - postgresqls sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -309,6 +344,7 @@ webhooks: resources: - projects sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -329,6 +365,7 @@ webhooks: resources: - redis sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -349,6 +386,7 @@ webhooks: resources: - serviceintegrations sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -369,6 +407,7 @@ webhooks: resources: - serviceintegrationendpoints sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -389,5 +428,6 @@ webhooks: resources: - serviceusers sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} {{- end }} diff --git a/charts/aiven-operator/templates/role_binding.yaml b/charts/aiven-operator/templates/role_binding.yaml new file mode 100644 index 0000000..b6d58bd --- /dev/null +++ b/charts/aiven-operator/templates/role_binding.yaml 
@@ -0,0 +1,21 @@
+{{- if .Values.clusterRole.create }}
+{{- $operatorNamespace := include "aiven-operator.namespace" . }}
+{{- range $watchedNamespace := prepend .Values.watchedNamespaces $operatorNamespace | uniq }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "aiven-operator.fullname" $ }}-rolebinding
+ namespace: {{ $watchedNamespace }}
+ labels:
+ {{- include "aiven-operator.labels" $ | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "aiven-operator.fullname" $ }}-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "aiven-operator.serviceAccountName" $ }}
+ namespace: {{ $operatorNamespace }}
+{{- end }}
+{{- end }}
diff --git a/charts/aiven-operator/templates/validating_webhook_configuration.yaml b/charts/aiven-operator/templates/validating_webhook_configuration.yaml
index 7289462..db5832e 100644
--- a/charts/aiven-operator/templates/validating_webhook_configuration.yaml
+++ b/charts/aiven-operator/templates/validating_webhook_configuration.yaml
@@ -30,6 +30,7 @@ webhooks:
 resources:
 - cassandras
 sideEffects: None
+ {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }}
 - admissionReviewVersions:
 - v1
 clientConfig:
@@ -51,6 +52,7 @@ webhooks:
 resources:
 - clickhouses
 sideEffects: None
+ {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }}
 - admissionReviewVersions:
 - v1
 clientConfig:
@@ -72,6 +74,7 @@ webhooks:
 resources:
 - connectionpools
 sideEffects: None
+ {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }}
 - admissionReviewVersions:
 - v1
 clientConfig:
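Review bot: The per-namespace RoleBinding is rendered whenever `clusterRole.create` is true, including when `watchedNamespaces` is empty, so a default install now gets both the ClusterRoleBinding and a RoleBinding in the operator namespace that grants nothing the ClusterRoleBinding does not; mirroring the guard from cluster_role_binding.yaml, `{{- if and .Values.clusterRole.create .Values.watchedNamespaces }}`, keeps the two templates mutually exclusive. A RoleBinding that references a ClusterRole only grants the namespaced rules inside that namespace, so if the ClusterRole carries any cluster-scoped rules (not visible in this diff) they stop being granted as soon as `watchedNamespaces` is set — worth a comment at the top of this template, e.g. `{{/* Namespaced bindings only: cluster-scoped rules in the ClusterRole are not granted in this mode */}}`. `prepend .Values.watchedNamespaces` also presumably fails if a user overrides the value with `null` instead of `[]`, whereas the `with`/`not` checks in deployment.yaml and cluster_role_binding.yaml tolerate it; `prepend (.Values.watchedNamespaces | default list) $operatorNamespace` would make the three templates consistent.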
@@ -93,6 +96,29 @@ webhooks: resources: - databases sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "aiven-operator.fullname" . }}-webhook-service + namespace: {{ include "aiven-operator.namespace" . }} + path: /validate-aiven-io-v1alpha1-flink + failurePolicy: Fail + name: vflink.kb.io + rules: + - apiGroups: + - aiven.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - flinks + sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -114,6 +140,7 @@ webhooks: resources: - grafanas sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -135,6 +162,7 @@ webhooks: resources: - kafkas sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -155,6 +183,7 @@ webhooks: resources: - kafkaacls sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -176,6 +205,7 @@ webhooks: resources: - kafkaconnects sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -197,6 +227,7 @@ webhooks: resources: - kafkaconnectors sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -217,6 +248,7 @@ webhooks: resources: - kafkaschemas sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: 
@@ -238,6 +270,7 @@ webhooks: resources: - kafkatopics sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -259,6 +292,7 @@ webhooks: resources: - mysqls sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -280,6 +314,7 @@ webhooks: resources: - opensearches sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -301,6 +336,7 @@ webhooks: resources: - postgresqls sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -322,6 +358,7 @@ webhooks: resources: - projects sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -343,6 +380,7 @@ webhooks: resources: - redis sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -363,6 +401,7 @@ webhooks: resources: - serviceintegrations sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -383,6 +422,7 @@ webhooks: resources: - serviceintegrationendpoints sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} - admissionReviewVersions: - v1 clientConfig: @@ -403,5 +443,6 @@ webhooks: resources: - serviceusers sideEffects: None + {{- include "aiven-operator.webhookNamespaceSelector" . | indent 4 }} {{- end }} diff --git a/charts/aiven-operator/values.yaml b/charts/aiven-operator/values.yaml index 34123c0..76a4abd 100644 --- a/charts/aiven-operator/values.yaml +++ b/charts/aiven-operator/values.yaml 
@@ -82,3 +82,7 @@ affinity: {} clusterRole: create: true + +# if empty, the operator will watch for resources in all namespaces +# regardless of this setting, the operator will always watch for resources in its own namespace +watchedNamespaces: []
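Review bot: The comment on `watchedNamespaces` only describes the watch scope, while setting it also changes what the chart renders: the ClusterRoleBinding is replaced by one RoleBinding per listed namespace plus the operator's own (role_binding.yaml), every admission webhook gets a `namespaceSelector` on `kubernetes.io/metadata.name` so resources created in other namespaces are neither validated nor mutated, and the list is passed to the manager as `WATCHED_NAMESPACES`. A third comment line such as `# listing namespaces also restricts the admission webhooks to them and replaces the ClusterRoleBinding with per-namespace RoleBindings (requires clusterRole.create)` lets an operator see the RBAC and admission consequences before enabling it.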