From daa4db4a32d8edcf9c36ae4255a10bfe20565dea Mon Sep 17 00:00:00 2001
From: Tao Li
Date: Tue, 3 Dec 2024 16:41:34 +0800
Subject: [PATCH 1/4] feat: support user facing role

Signed-off-by: Tao Li
---
 .../README.md | 1 +
 .../templates/rbac.yaml | 71 +++++++++++++++++++
 .../values.schema.json | 3 +
 .../values.yaml | 3 +
 4 files changed, 78 insertions(+)

diff --git a/charts/edb-postgres-distributed-for-kubernetes/README.md b/charts/edb-postgres-distributed-for-kubernetes/README.md
index 6371210..48d73f6 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/README.md
+++ b/charts/edb-postgres-distributed-for-kubernetes/README.md
@@ -73,6 +73,7 @@ global repository |
 | podAnnotations | object | `{}` | Annotations to be added to the pod |
 | podSecurityContext | object | `{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security Context for the whole pod |
 | priorityClassName | string | `""` | Priority indicates the importance of a Pod relative to other Pods. |
+| rbac.aggregateClusterRoles | bool | `false` | Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |
 | rbac.create | bool | `true` | Specifies whether ClusterRole, ClusterRoleBinding, RoleBinding and Role should be created |
 | replicaCount | int | `1` | |
 | resources | object | `{}` | |
diff --git a/charts/edb-postgres-distributed-for-kubernetes/templates/rbac.yaml b/charts/edb-postgres-distributed-for-kubernetes/templates/rbac.yaml
index 82c92a7..213ac43 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/templates/rbac.yaml
+++ b/charts/edb-postgres-distributed-for-kubernetes/templates/rbac.yaml
@@ -425,4 +425,75 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "edb-postgres-distributed-for-kubernetes.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "edb-postgres-distributed-for-kubernetes.fullname" . }}-view
+ labels:
+ {{- include "edb-postgres-distributed-for-kubernetes.labels" . | nindent 4 }}
+ {{- if .Values.rbac.aggregateClusterRoles }}
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ {{- end }}
+rules:
+- apiGroups:
+ - postgresql.k8s.enterprisedb.io
+ resources:
+ - backups
+ - clusters
+ - poolers
+ - scheduledbackups
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - pgd.k8s.enterprisedb.io
+ resources:
+ - pgdgroups
+ - pgdgroupcleanups
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "edb-postgres-distributed-for-kubernetes.fullname" . }}-edit
+ labels:
+ {{- include "edb-postgres-distributed-for-kubernetes.labels" . | nindent 4 }}
+ {{- if .Values.rbac.aggregateClusterRoles }}
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ {{- end }}
+rules:
+- apiGroups:
+ - postgresql.k8s.enterprisedb.io
+ resources:
+ - backups
+ - clusters
+ - poolers
+ - scheduledbackups
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+- apiGroups:
+ - pgd.k8s.enterprisedb.io
+ resources:
+ - pgdgroups
+ - pgdgroupcleanups
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+---
 {{- end }}
diff --git a/charts/edb-postgres-distributed-for-kubernetes/values.schema.json b/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
index 65ab7dc..d678b80 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
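Review bot: The `-edit` ClusterRole carries only write verbs (`create`, `delete`, `deletecollection`, `patch`, `update`), so a subject bound to it directly rather than through aggregation can modify or delete a `pgdgroup` or `cluster` it cannot `get`, `list` or `watch`; Kubernetes' built-in `edit` includes the read verbs for this reason. Either add `- get`, `- list` and `- watch` to both verb lists of the `-edit` role, or state in a comment above it that it is only meaningful when aggregated into `edit`/`admin`, which already pick up `-view`. The aggregation labels also deserve a comment such as `# When rbac.aggregateClusterRoles is true, every existing view/edit/admin binding in the cluster gains these permissions on PGD and Postgres resources` — the values.yaml comment added in the later hunk of this patch only points at the upstream docs and does not spell out that widening. The trailing `{{- end }}` closes a conditional that starts outside the hunk, so these ClusterRoles are rendered under whatever that condition is (presumably `rbac.create`), not under `aggregateClusterRoles`.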
+++ b/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
@@ -246,6 +246,9 @@
 "rbac": {
 "type": "object",
 "properties": {
+ "aggregateClusterRoles": {
+ "type": "boolean"
+ },
 "create": {
 "type": "boolean"
 }
diff --git a/charts/edb-postgres-distributed-for-kubernetes/values.yaml b/charts/edb-postgres-distributed-for-kubernetes/values.yaml
index 9ca1b6d..901347b 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/values.yaml
+++ b/charts/edb-postgres-distributed-for-kubernetes/values.yaml
@@ -115,6 +115,9 @@ serviceAccount:
 rbac:
 # -- Specifies whether ClusterRole, ClusterRoleBinding, RoleBinding and Role should be created
 create: true
+ # -- Aggregate ClusterRoles to Kubernetes default user-facing roles.
+ # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+ aggregateClusterRoles: false

 # -- Annotations to be added to the pod
 podAnnotations: {}
From a71a4e533e8f61900b55576126044d4ee9c6f8de Mon Sep 17 00:00:00 2001
From: Tao Li
Date: Tue, 3 Dec 2024 16:59:22 +0800
Subject: [PATCH 2/4] feat: support for additionalEnv

Signed-off-by: Tao Li
---
 charts/edb-postgres-distributed-for-kubernetes/README.md | 1 +
 .../templates/deployment.yaml | 2 +-
 .../templates/deployment.yaml | 3 +++
 .../values.schema.json | 3 +++
 .../edb-postgres-distributed-for-kubernetes/values.yaml | 8 ++++++++
 5 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/charts/edb-postgres-distributed-for-kubernetes/README.md b/charts/edb-postgres-distributed-for-kubernetes/README.md
index 48d73f6..b152bb7 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/README.md
+++ b/charts/edb-postgres-distributed-for-kubernetes/README.md
@@ -31,6 +31,7 @@ EDB Postgres Distributed for Kubernetes Helm Chart
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalArgs | list | `[]` | Additional arguments to be added to the operator's args list |
+| additionalEnv | list | `[]` | Array containing extra environment variables which can be templated. For example: - name: RELEASE_NAME value: "{{ .Release.Name }}" - name: MY_VAR value: "mySpecialKey" |
 | affinity | object | `{}` | Affinity for the operator to be installed |
 | cert-manager.enabled | bool | `true` | |
 | cert-manager.installCRDs | bool | `true` | |
diff --git a/charts/edb-postgres-distributed-for-kubernetes/charts/edb-postgres-for-kubernetes-lts/templates/deployment.yaml b/charts/edb-postgres-distributed-for-kubernetes/charts/edb-postgres-for-kubernetes-lts/templates/deployment.yaml
index f5ab323..a855ec8 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/charts/edb-postgres-for-kubernetes-lts/templates/deployment.yaml
+++ b/charts/edb-postgres-distributed-for-kubernetes/charts/edb-postgres-for-kubernetes-lts/templates/deployment.yaml
@@ -78,7 +78,7 @@ spec:
 - name: MONITORING_QUERIES_CONFIGMAP
 value: "{{ .Values.monitoringQueriesConfigMap.name }}"
 {{- if .Values.additionalEnv }}
- {{- tpl (.Values.additionalEnvVars | toYaml) . | nindent 8 }}
+ {{- tpl (.Values.additionalEnv | toYaml) . | nindent 8 }}
 {{- end }}
 {{ if not .Values.config.clusterWide -}}
 - name: WATCH_NAMESPACE
diff --git a/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml b/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml
index d6ef87a..84cecaf 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml
+++ b/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml
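Review bot: `tpl (.Values.additionalEnv | toYaml) .` evaluates the user-supplied `additionalEnv` entries as Go templates with the full chart context, so a values file now carries executable template code rather than plain data; the same applies to the identical line in the parent chart's `templates/deployment.yaml` hunk that follows. That is the intended feature, but neither hunk nor the `values.yaml` comment added in this patch says so; I would extend that comment with `# Entries are rendered through tpl, so template expressions in them are evaluated at install time`. The rendered entries land after the built-in `env` items, so an entry whose `name` repeats a built-in variable (`MONITORING_QUERIES_CONFIGMAP` is visible just above) produces a duplicate name in the container spec — presumably the later occurrence takes effect, and that is worth a sentence in the same comment. The `env` list these lines belong to begins outside the hunk.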
@@ -70,6 +70,9 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ {{- if .Values.additionalEnv }}
+ {{- tpl (.Values.additionalEnv | toYaml) . | nindent 8 }}
+ {{- end }}
 image: "{{- include "edb-postgres-distributed-for-kubernetes.operatorImageName" . }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 livenessProbe:
diff --git a/charts/edb-postgres-distributed-for-kubernetes/values.schema.json b/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
index d678b80..77de540 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
+++ b/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
@@ -5,6 +5,9 @@
 "additionalArgs": {
 "type": "array"
 },
+ "additionalEnv": {
+ "type": "array"
+ },
 "affinity": {
 "type": "object"
 },
diff --git a/charts/edb-postgres-distributed-for-kubernetes/values.yaml b/charts/edb-postgres-distributed-for-kubernetes/values.yaml
index 901347b..10048e8 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/values.yaml
+++ b/charts/edb-postgres-distributed-for-kubernetes/values.yaml
@@ -105,6 +105,14 @@ config:
 # -- Additional arguments to be added to the operator's args list
 additionalArgs: []

+# -- Array containing extra environment variables which can be templated.
+# For example:
+# - name: RELEASE_NAME
+# value: "{{ .Release.Name }}"
+# - name: MY_VAR
+# value: "mySpecialKey"
+additionalEnv: []
+
 serviceAccount:
 # -- Specifies whether the service account should be created
 create: true
From d721d9f6d1afdd36aac1ce61ff827683efcdfa84 Mon Sep 17 00:00:00 2001
From: Tao Li
Date: Tue, 3 Dec 2024 20:32:55 +0800
Subject: [PATCH 3/4] feat: support for podAnnotations

Signed-off-by: Tao Li
---
 charts/edb-postgres-distributed-for-kubernetes/README.md | 1 +
 .../templates/deployment.yaml | 3 +++
 .../values.schema.json | 3 +++
 charts/edb-postgres-distributed-for-kubernetes/values.yaml | 6 ++++--
 4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/charts/edb-postgres-distributed-for-kubernetes/README.md b/charts/edb-postgres-distributed-for-kubernetes/README.md
index b152bb7..209ef9b 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/README.md
+++ b/charts/edb-postgres-distributed-for-kubernetes/README.md
@@ -72,6 +72,7 @@ global repository |
 | nameOverride | string | `""` | |
 | nodeSelector | object | `{}` | Nodeselector for the operator to be installed |
 | podAnnotations | object | `{}` | Annotations to be added to the pod |
+| podLabels | object | `{}` | Labels to be added to the pod |
 | podSecurityContext | object | `{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security Context for the whole pod |
 | priorityClassName | string | `""` | Priority indicates the importance of a Pod relative to other Pods. |
 | rbac.aggregateClusterRoles | bool | `false` | Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |
diff --git a/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml b/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml
index 84cecaf..6dffb27 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml
+++ b/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml
@@ -41,6 +41,9 @@ spec:
 labels:
 control-plane: controller-manager
 {{- include "edb-postgres-distributed-for-kubernetes.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
diff --git a/charts/edb-postgres-distributed-for-kubernetes/values.schema.json b/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
index 77de540..a5a414b 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
+++ b/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
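Review bot: `{{- with .Values.podLabels }}{{- toYaml . | nindent 8 }}` is emitted after `control-plane: controller-manager` and the selector labels at the same indentation, so a `podLabels` key that reuses `control-plane` or one of the selector label keys yields a duplicate mapping key in the rendered pod template; I would expect Helm's manifest parsing to reject that rather than merge it, and at minimum the value should say so: `# -- Labels to be added to the pod; must not repeat the chart's selector labels`. Note also that the commit subject says "podAnnotations" while every hunk in this patch adds `podLabels` — `podAnnotations` only moves within values.yaml. The pod template's `metadata:` block begins outside the hunk.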
@@ -227,6 +227,9 @@
 "podAnnotations": {
 "type": "object"
 },
+ "podLabels": {
+ "type": "object"
+ },
 "podSecurityContext": {
 "type": "object",
 "properties": {
diff --git a/charts/edb-postgres-distributed-for-kubernetes/values.yaml b/charts/edb-postgres-distributed-for-kubernetes/values.yaml
index 10048e8..d9c2fdb 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/values.yaml
+++ b/charts/edb-postgres-distributed-for-kubernetes/values.yaml
@@ -127,10 +127,12 @@ rbac:
 # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
 aggregateClusterRoles: false

-# -- Annotations to be added to the pod
-podAnnotations: {}
 # -- Annotations to be added to all other resources
 commonAnnotations: {}
+# -- Annotations to be added to the pod
+podAnnotations: {}
+# -- Labels to be added to the pod
+podLabels: {}

 # -- Container Security Context
 containerSecurityContext:
From 0aa9aceda8ffd2abfa8921fcad3d59621ec3cedf Mon Sep 17 00:00:00 2001
From: Tao Li
Date: Wed, 4 Dec 2024 09:35:48 +0800
Subject: [PATCH 4/4] feat: support hostnetwork and dnsPolicy for operator pod

Signed-off-by: Tao Li
---
 charts/edb-postgres-distributed-for-kubernetes/README.md | 7 +++----
 .../templates/deployment.yaml | 6 ++++++
 .../values.schema.json | 6 ++++++
 charts/edb-postgres-distributed-for-kubernetes/values.yaml | 3 +++
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/charts/edb-postgres-distributed-for-kubernetes/README.md b/charts/edb-postgres-distributed-for-kubernetes/README.md
index 209ef9b..f43b722 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/README.md
+++ b/charts/edb-postgres-distributed-for-kubernetes/README.md
@@ -44,16 +44,16 @@ EDB Postgres Distributed for Kubernetes Helm Chart
 | config.secret | bool | `false` | Specifies whether it should be stored in a secret, instead of a configmap |
 | containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":10001,"runAsUser":10001}` | Container Security Context |
 | crds.create | bool | `true` | |
+| dnsPolicy | string | `""` | |
 | edb-postgres-for-kubernetes-lts.crds.create | bool | `true` | |
 | edb-postgres-for-kubernetes-lts.enabled | bool | `true` | |
 | edb-postgres-for-kubernetes-lts.image.repository | string | `""` | |
 | fullnameOverride | string | `""` | |
 | global | object | `{"repository":"docker.enterprisedb.com/k8s_enterprise_pgd"}` | Global values |
-| global.repository | string | `"docker.enterprisedb.com/k8s_enterprise_pgd"` | Specifies the repository where the operator image to be downloaded from. Another repository is: docker.enterprisedb.com/k8s_standard_pgd |
 | global.pgdImageName | string | `"postgresql-pgd:16.4-5.5.1-1"` | Specifies the name of pgd image to be used for the operator, this image will be downloaded from
-global repository |
 | global.proxyImageName | string | `"edb-pgd-proxy:5.5.0"` | Specifies the name of pgd-proxy image to be used for the operator, this image will be downloaded from
-global repository |
+| global.repository | string | `"docker.enterprisedb.com/k8s_enterprise_pgd"` | Specifies the repository where the operator image to be downloaded from. Another repository is: docker.enterprisedb.com/k8s_standard_pgd |
+| hostNetwork | bool | `false` | |
 | image.imageCredentials.create | bool | `true` | Specifies if an imagePullSecret should be created |
 | image.imageCredentials.name | string | `"edb-pull-secret"` | |
 | image.imageCredentials.password | string | `""` | |
@@ -94,4 +94,3 @@ global repository |
 | webhook.readinessProbe.periodSeconds | int | `20` | |
 | webhook.validating.create | bool | `true` | |
 | webhook.validating.failurePolicy | string | `"Fail"` | |
-
diff --git a/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml b/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml
index 6dffb27..462d1d6 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml
+++ b/charts/edb-postgres-distributed-for-kubernetes/templates/deployment.yaml
@@ -49,6 +49,12 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.hostNetwork }}
+ hostNetwork: {{ .Values.hostNetwork }}
+ {{- end }}
+ {{- if .Values.dnsPolicy }}
+ dnsPolicy: {{ .Values.dnsPolicy }}
+ {{- end }}
 containers:
 - args:
 - controller
diff --git a/charts/edb-postgres-distributed-for-kubernetes/values.schema.json b/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
index a5a414b..e4b60ab 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
+++ b/charts/edb-postgres-distributed-for-kubernetes/values.schema.json
@@ -89,6 +89,9 @@
 }
 }
 },
+ "dnsPolicy": {
+ "type": "string"
+ },
 "edb-postgres-for-kubernetes-lts": {
 "type": "object",
 "properties": {
@@ -130,6 +133,9 @@
 }
 }
 },
+ "hostNetwork": {
+ "type": "boolean"
+ },
 "image": {
 "type": "object",
 "properties": {
diff --git a/charts/edb-postgres-distributed-for-kubernetes/values.yaml b/charts/edb-postgres-distributed-for-kubernetes/values.yaml
index d9c2fdb..c8205ee 100644
--- a/charts/edb-postgres-distributed-for-kubernetes/values.yaml
+++ b/charts/edb-postgres-distributed-for-kubernetes/values.yaml
@@ -55,6 +55,9 @@ imagePullSecrets:
 nameOverride: ""
 fullnameOverride: ""

+hostNetwork: false
+dnsPolicy: ""
+
 crds:
 create: true

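Review bot: `hostNetwork: {{ .Values.hostNetwork }}` is rendered independently of `dnsPolicy`, so `hostNetwork: true` with the default `dnsPolicy: ""` puts the operator pod in the node's network namespace with the node's resolver, where in-cluster service names no longer resolve; Kubernetes provides `ClusterFirstWithHostNet` for exactly this case. Either default it — `{{- if and .Values.hostNetwork (not .Values.dnsPolicy) }}` / `dnsPolicy: ClusterFirstWithHostNet` / `{{- end }}` — or say so in a comment next to the `dnsPolicy` block. A comment on the `hostNetwork` block should also state what it changes: the pod shares the node's interfaces and ports, NetworkPolicies generally do not apply to it, and the Pod Security `baseline` and `restricted` profiles reject it, so it should stay `false` unless the environment requires it. The pod `spec:` these lines belong to begins outside the hunk.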
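Review bot: `"dnsPolicy": { "type": "string" }` accepts any string, but the API server admits only four values, so the schema could catch a typo at `helm install` time instead of at apply time: `"dnsPolicy": { "type": "string", "enum": ["", "ClusterFirst", "ClusterFirstWithHostNet", "Default", "None"] }`. The empty string must stay in the enum because it is the default in values.yaml and the template treats it as "unset". The `hostNetwork` entry in the second hunk is already as tight as `boolean` allows.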
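Review bot: `hostNetwork: false` and `dnsPolicy: ""` are added without the `# --` helm-docs comment that the neighbouring values carry, which is why the README hunk in this same patch shows an empty Description cell for both. I would put `# -- Run the operator pod in the node's network namespace. NetworkPolicies generally do not apply to host-network pods and the baseline Pod Security Standard rejects them; leave false unless required` above `hostNetwork`, and `# -- DNS policy for the operator pod. Set to ClusterFirstWithHostNet when hostNetwork is true; empty means the cluster default` above `dnsPolicy`.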