From dfc35aa6b45b5c4c1482b27d319ff3df032a073c Mon Sep 17 00:00:00 2001 From: Tao Li Date: Thu, 19 Dec 2024 10:40:20 +0800 Subject: [PATCH] feat: align several changes with PG4K chart (#180) Signed-off-by: Tao Li --- .../README.md | 10 +-- .../templates/deployment.yaml | 2 +- .../templates/deployment.yaml | 12 ++++ .../templates/rbac.yaml | 71 +++++++++++++++++++ .../values.schema.json | 15 ++++ .../values.yaml | 20 +++++- 6 files changed, 123 insertions(+), 7 deletions(-) diff --git a/charts/edb-postgres-distributed-for-kubernetes/README.md b/charts/edb-postgres-distributed-for-kubernetes/README.md index 6371210..f43b722 100644 --- a/charts/edb-postgres-distributed-for-kubernetes/README.md +++ b/charts/edb-postgres-distributed-for-kubernetes/README.md @@ -31,6 +31,7 @@ EDB Postgres Distributed for Kubernetes Helm Chart | Key | Type | Default | Description | |-----|------|---------|-------------| | additionalArgs | list | `[]` | Additional arguments to be added to the operator's args list | +| additionalEnv | list | `[]` | Array containing extra environment variables which can be templated. For example: - name: RELEASE_NAME value: "{{ .Release.Name }}" - name: MY_VAR value: "mySpecialKey" | | affinity | object | `{}` | Affinity for the operator to be installed | | cert-manager.enabled | bool | `true` | | | cert-manager.installCRDs | bool | `true` | | 
@@ -43,16 +44,16 @@ EDB Postgres Distributed for Kubernetes Helm Chart | config.secret | bool | `false` | Specifies whether it should be stored in a secret, instead of a configmap | | containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":10001,"runAsUser":10001}` | Container Security Context | | crds.create | bool | `true` | | +| dnsPolicy | string | `""` | | | edb-postgres-for-kubernetes-lts.crds.create | bool | `true` | | | edb-postgres-for-kubernetes-lts.enabled | bool | `true` | | | edb-postgres-for-kubernetes-lts.image.repository | string | `""` | | | fullnameOverride | string | `""` | | | global | object | `{"repository":"docker.enterprisedb.com/k8s_enterprise_pgd"}` | Global values | -| global.repository | string | `"docker.enterprisedb.com/k8s_enterprise_pgd"` | Specifies the repository where the operator image to be downloaded from. Another repository is: docker.enterprisedb.com/k8s_standard_pgd | | global.pgdImageName | string | `"postgresql-pgd:16.4-5.5.1-1"` | Specifies the name of pgd image to be used for the operator, this image will be downloaded from -global repository | | global.proxyImageName | string | `"edb-pgd-proxy:5.5.0"` | Specifies the name of pgd-proxy image to be used for the operator, this image will be downloaded from -global repository | +| global.repository | string | `"docker.enterprisedb.com/k8s_enterprise_pgd"` | Specifies the repository where the operator image to be downloaded from. Another repository is: docker.enterprisedb.com/k8s_standard_pgd | +| hostNetwork | bool | `false` | | | image.imageCredentials.create | bool | `true` | Specifies if an imagePullSecret should be created | | image.imageCredentials.name | string | `"edb-pull-secret"` | | | image.imageCredentials.password | string | `""` | | 
@@ -71,8 +72,10 @@ global repository | | nameOverride | string | `""` | | | nodeSelector | object | `{}` | Nodeselector for the operator to be installed | | podAnnotations | object | `{}` | Annotations to be added to the pod | +| podLabels | object | `{}` | Labels to be added to the pod | | podSecurityContext | object | `{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security Context for the whole pod | | priorityClassName | string | `""` | Priority indicates the importance of a Pod relative to other Pods. | +| rbac.aggregateClusterRoles | bool | `false` | Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles | | rbac.create | bool | `true` | Specifies whether ClusterRole, ClusterRoleBinding, RoleBinding and Role should be created | | replicaCount | int | `1` | | | resources | object | `{}` | | @@ -91,4 +94,3 @@ global repository | | webhook.readinessProbe.periodSeconds | int | `20` | | | webhook.validating.create | bool | `true` | | | webhook.validating.failurePolicy | string | `"Fail"` | | - diff --git a/charts/edb-postgres-distributed-for-kubernetes/charts/edb-postgres-for-kubernetes-lts/templates/deployment.yaml b/charts/edb-postgres-distributed-for-kubernetes/charts/edb-postgres-for-kubernetes-lts/templates/deployment.yaml index f5ab323..a855ec8 100644 --- a/charts/edb-postgres-distributed-for-kubernetes/charts/edb-postgres-for-kubernetes-lts/templates/deployment.yaml +++ b/charts/edb-postgres-distributed-for-kubernetes/charts/edb-postgres-for-kubernetes-lts/templates/deployment.yaml @@ -78,7 +78,7 @@ spec: - name: MONITORING_QUERIES_CONFIGMAP value: "{{ .Values.monitoringQueriesConfigMap.name }}" {{- if .Values.additionalEnv }} - {{- tpl (.Values.additionalEnvVars | toYaml) . | nindent 8 }} + {{- tpl (.Values.additionalEnv | toYaml) . | nindent 8 }} {{- end }} {{ if not .Values.config.clusterWide -}} - name: WATCH_NAMESPACE 
diff --git a/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml b/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml index d6ef87a..462d1d6 100644 --- a/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml +++ b/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml @@ -41,11 +41,20 @@ spec: labels: control-plane: controller-manager {{- include "edb-postgres-distributed-for-kubernetes.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.hostNetwork }} + hostNetwork: {{ .Values.hostNetwork }} + {{- end }} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + {{- end }} containers: - args: - controller @@ -70,6 +79,9 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + {{- if .Values.additionalEnv }} + {{- tpl (.Values.additionalEnv | toYaml) . | nindent 8 }} + {{- end }} image: "{{- include "edb-postgres-distributed-for-kubernetes.operatorImageName" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} livenessProbe: diff --git a/charts/edb-postgres-distributed-for-kubernetes/templates/rbac.yaml b/charts/edb-postgres-distributed-for-kubernetes/templates/rbac.yaml index 82c92a7..213ac43 100644 --- a/charts/edb-postgres-distributed-for-kubernetes/templates/rbac.yaml +++ b/charts/edb-postgres-distributed-for-kubernetes/templates/rbac.yaml 
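Review bot: `dnsPolicy: {{ .Values.dnsPolicy }}` renders the template output unquoted, so the scalar is left to YAML implicit typing; the safer form for a templated value is `dnsPolicy: "{{ .Values.dnsPolicy }}"`. The two new stanzas are independent of each other, yet a pod with `hostNetwork: true` and the default `ClusterFirst` policy falls back to the node's `Default` DNS behaviour per the Kubernetes documentation, which is why `ClusterFirstWithHostNet` exists for that case. A comment above the `hostNetwork` block such as `# when hostNetwork is enabled, set dnsPolicy to ClusterFirstWithHostNet so cluster DNS still resolves` would prevent a silent misconfiguration. The pod template spec this hunk edits starts and ends outside the hunk.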
@@ -425,4 +425,75 @@ subjects: - kind: ServiceAccount name: {{ include "edb-postgres-distributed-for-kubernetes.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "edb-postgres-distributed-for-kubernetes.fullname" . }}-view + labels: + {{- include "edb-postgres-distributed-for-kubernetes.labels" . | nindent 4 }} + {{- if .Values.rbac.aggregateClusterRoles }} + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + {{- end }} +rules: +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - backups + - clusters + - poolers + - scheduledbackups + verbs: + - get + - list + - watch +- apiGroups: + - pgd.k8s.enterprisedb.io + resources: + - pgdgroups + - pgdgroupcleanups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "edb-postgres-distributed-for-kubernetes.fullname" . }}-edit + labels: + {{- include "edb-postgres-distributed-for-kubernetes.labels" . | nindent 4 }} + {{- if .Values.rbac.aggregateClusterRoles }} + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + {{- end }} +rules: +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - backups + - clusters + - poolers + - scheduledbackups + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - pgd.k8s.enterprisedb.io + resources: + - pgdgroups + - pgdgroupcleanups + verbs: + - create + - delete + - deletecollection + - patch + - update +--- {{- end }} diff --git a/charts/edb-postgres-distributed-for-kubernetes/values.schema.json b/charts/edb-postgres-distributed-for-kubernetes/values.schema.json index 65ab7dc..e4b60ab 100644 --- a/charts/edb-postgres-distributed-for-kubernetes/values.schema.json 
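Review bot: Both aggregated ClusterRoles are rendered whenever this block renders (the closing `{{- end }}` is context here and its opening `if` lies outside the hunk, presumably `rbac.create`); only the `aggregate-to-*` labels depend on `rbac.aggregateClusterRoles`, so with the default `false` two unbound ClusterRoles are still created. A comment above each role, e.g. `# Reaches every subject bound to the built-in view/edit/admin roles only when rbac.aggregateClusterRoles is true; otherwise created but not bound`, would make that visible to anyone auditing cluster-wide RBAC. Note also that the `-view` role carries `aggregate-to-edit` and `aggregate-to-admin` as well, so `edit`/`admin` holders obtain the read verbs from `-view` and the write verbs from `-edit`; a one-line comment stating this would explain why the `-edit` rules list no read verbs. The trailing `+---` immediately before `{{- end }}` produces an empty document, harmless but droppable.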
+++ b/charts/edb-postgres-distributed-for-kubernetes/values.schema.json @@ -5,6 +5,9 @@ "additionalArgs": { "type": "array" }, + "additionalEnv": { + "type": "array" + }, "affinity": { "type": "object" }, @@ -86,6 +89,9 @@ } } }, + "dnsPolicy": { + "type": "string" + }, "edb-postgres-for-kubernetes-lts": { "type": "object", "properties": { @@ -127,6 +133,9 @@ } } }, + "hostNetwork": { + "type": "boolean" + }, "image": { "type": "object", "properties": { @@ -224,6 +233,9 @@ "podAnnotations": { "type": "object" }, + "podLabels": { + "type": "object" + }, "podSecurityContext": { "type": "object", "properties": { @@ -246,6 +258,9 @@ "rbac": { "type": "object", "properties": { + "aggregateClusterRoles": { + "type": "boolean" + }, "create": { "type": "boolean" } diff --git a/charts/edb-postgres-distributed-for-kubernetes/values.yaml b/charts/edb-postgres-distributed-for-kubernetes/values.yaml index 9ca1b6d..c8205ee 100644 --- a/charts/edb-postgres-distributed-for-kubernetes/values.yaml +++ b/charts/edb-postgres-distributed-for-kubernetes/values.yaml @@ -55,6 +55,9 @@ imagePullSecrets: nameOverride: "" fullnameOverride: "" +hostNetwork: false +dnsPolicy: "" + crds: create: true @@ -105,6 +108,14 @@ config: # -- Additional arguments to be added to the operator's args list additionalArgs: [] +# -- Array containing extra environment variables which can be templated. +# For example: +# - name: RELEASE_NAME +# value: "{{ .Release.Name }}" +# - name: MY_VAR +# value: "mySpecialKey" +additionalEnv: [] + serviceAccount: # -- Specifies whether the service account should be created create: true 
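Review bot: `dnsPolicy` is declared only as `"type": "string"`, so a misspelled policy passes schema validation at install time and only surfaces when the API server rejects the Deployment; the Kubernetes `DNSPolicy` values form a closed set, so add `"enum": ["", "ClusterFirst", "ClusterFirstWithHostNet", "Default", "None"]` beside the type (the empty string keeps the `values.yaml` default valid, since the template omits the field when it is empty). Likewise `additionalEnv` is an untyped `array`; an `"items": {"type": "object", "required": ["name"]}` constraint would catch entries that are not env-var objects before `tpl` splices them under `env:` in the deployment templates.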
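Review bot: `hostNetwork: false` and `dnsPolicy: ""` are added without the `# --` helm-docs comments that the neighbouring keys carry, which is why the README rows for both have an empty Description cell. Suggested: `# -- Run the operator pod in the host network namespace; leave false unless required, since it exposes the pod's listening ports on the node and is disallowed by the baseline Pod Security Standard` above `hostNetwork`, and `# -- DNS policy for the operator pod; set to ClusterFirstWithHostNet when hostNetwork is true so cluster DNS still resolves` above `dnsPolicy`.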
@@ -115,11 +126,16 @@ serviceAccount: rbac: # -- Specifies whether ClusterRole, ClusterRoleBinding, RoleBinding and Role should be created create: true + # -- Aggregate ClusterRoles to Kubernetes default user-facing roles. + # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + aggregateClusterRoles: false -# -- Annotations to be added to the pod -podAnnotations: {} # -- Annotations to be added to all other resources commonAnnotations: {} +# -- Annotations to be added to the pod +podAnnotations: {} +# -- Labels to be added to the pod +podLabels: {} # -- Container Security Context containerSecurityContext:
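Review bot: The `aggregateClusterRoles` comment describes the mechanism but not its effect on access: once enabled, every subject already bound to the built-in `view`, `edit` or `admin` ClusterRoles gains the matching verbs on the chart's custom resources wherever those bindings apply, and the rbac.yaml hunk in this patch adds no binding of its own for the new roles. Extending the comment, e.g. `# Enabling this widens existing view/edit/admin bindings to the PGD and PG4K custom resources; review who holds those roles before turning it on.`, gives the installer what they need to decide.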