diff --git a/apis/installer/v1alpha1/kubedb_webhook_server_types.go b/apis/installer/v1alpha1/kubedb_webhook_server_types.go
index 0d34cab31..775037104 100644
--- a/apis/installer/v1alpha1/kubedb_webhook_server_types.go
+++ b/apis/installer/v1alpha1/kubedb_webhook_server_types.go
@@ -47,16 +47,12 @@ type KubedbWebhookServerSpec struct {
 //+optional
 NameOverride string `json:"nameOverride"`
 //+optional
- FullnameOverride string `json:"fullnameOverride"`
- ReplicaCount int32 `json:"replicaCount"`
- RegistryFQDN string `json:"registryFQDN"`
- // +optional
- License string `json:"license"`
- // +optional
- LicenseSecretName string `json:"licenseSecretName"`
- Server Container `json:"server"`
- FeatureGates map[string]bool `json:"featureGates"`
- ImagePullPolicy string `json:"imagePullPolicy"`
+ FullnameOverride string `json:"fullnameOverride"`
+ ReplicaCount int32 `json:"replicaCount"`
+ RegistryFQDN string `json:"registryFQDN"`
+ Server Container `json:"server"`
+ FeatureGates map[string]bool `json:"featureGates"`
+ ImagePullPolicy string `json:"imagePullPolicy"`
 //+optional
 ImagePullSecrets []string `json:"imagePullSecrets"`
 //+optional
diff --git a/charts/kubedb-webhook-server/README.md b/charts/kubedb-webhook-server/README.md
index c6f32bc11..10eac83e6 100644
--- a/charts/kubedb-webhook-server/README.md
+++ b/charts/kubedb-webhook-server/README.md
@@ -45,68 +45,66 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the `kubedb-webhook-server` chart and their default values. -| Parameter | Description | Default | -|--------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| -| nameOverride | Overrides name template | "" | -| fullnameOverride | Overrides fullname template | "" | -| replicaCount | Number of KubeDB webhook server replicas to create (only 1 is supported) | 1 | -| license | License for the product. Get a license by following the steps from [here](https://kubedb.run/docs/latest/setup/install/enterprise#get-a-trial-license).
Example:
`helm install appscode/kubedb-ops-manager \`
`--set-file license=/path/to/license/file`
`or`
`helm install appscode/kubedb-ops-manager \`
`--set license=` | "" | -| licenseSecretName | Name of Secret with the license as key.txt key | "" | -| registryFQDN | Docker registry fqdn used to pull KubeDB related images Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ghcr.io | -| server.registry | Docker registry used to pull KubeDB webhook server image | kubedb | -| server.repository | KubeDB webhook server container image | kubedb-webhook-server | -| server.tag | KubeDB webhook server container image tag | "" | -| server.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534} | -| server.resources | Compute Resources required by this container | {} | -| featureGates.Druid | | true | -| featureGates.Elasticsearch | | true | -| featureGates.FerretDB | | false | -| featureGates.Kafka | | true | -| featureGates.MariaDB | | true | -| featureGates.Memcached | | false | -| featureGates.MicrosoftSQLServer | | false | -| featureGates.MongoDB | | true | -| featureGates.MySQL | | true | -| featureGates.PerconaXtraDB | | true | -| featureGates.PgBouncer | | true | -| featureGates.Pgpool | | true | -| featureGates.Postgres | | true | -| featureGates.ProxySQL | | true | -| featureGates.RabbitMQ | | false | -| featureGates.Redis | | true | -| featureGates.Singlestore | | false | -| featureGates.Solr | | true | -| featureGates.ZooKeeper | | false | -| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
Example:
`helm template charts/kubedb-webhook-server \`
`--set imagePullSecrets[0].name=sec0 \`
`--set imagePullSecrets[1].name=sec1` | [] | -| imagePullPolicy | Container image pull policy | IfNotPresent | -| criticalAddon | If true, installs KubeDB webhook server as critical addon | false | -| logLevel | Log level for webhook server | 3 | -| annotations | Annotations applied to webhook server deployment | {} | -| podAnnotations | Annotations passed to webhook server pod(s). | {} | -| nodeSelector | Node labels for pod assignment | {"kubernetes.io/os":"linux"} | -| tolerations | Tolerations for pod assignment | [] | -| affinity | Affinity rules for pod assignment | {} | -| podSecurityContext | Security options the webhook server pod should run with. | {} | -| serviceAccount.create | Specifies whether a service account should be created | true | -| serviceAccount.annotations | Annotations to add to the service account | {} | -| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | -| apiserver.groupPriorityMinimum | The minimum priority the webhook api group should have at least. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64 for more information on proper values of this field. | 10000 | -| apiserver.versionPriority | The ordering of the webhook api inside of the group. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70 for more information on proper values of this field | 15 | -| apiserver.enableMutatingWebhook | If true, mutating webhook is configured for KubeDB CRDss | true | -| apiserver.enableValidatingWebhook | If true, validating webhook is configured for KubeDB CRDss | true | -| apiserver.ca | CA certificate used by the Kubernetes api server. This field is automatically assigned by the webhook server. 
| not-ca-cert | -| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true | -| apiserver.healthcheck.enabled | healthcheck configures the readiness and liveliness probes for the webhook server pod. | false | -| apiserver.port | Port used to expose the webhook server apiserver | 8443 | -| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate webhook servers pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | true | -| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of webhook server. | "" | -| apiserver.servingCerts.serverCrt | Serving certficate used by webhook server. | "" | -| apiserver.servingCerts.serverKey | Private key for the serving certificate used by webhook server. | "" | -| apiserver.webhook.failurePolicy | | Ignore | -| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | "" | -| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/webhook server`. | {"monitoring.appscode.com/prometheus":"auto"} | -| hostNetwork | If true, uses HostNetwork for pods. 
This is required in EKS using Cilium with VxLAN overlay | false | -| defaultSeccompProfileType | | "" | +| Parameter | Description | Default | +|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| +| nameOverride | Overrides name template | "" | +| fullnameOverride | Overrides fullname template | "" | +| replicaCount | Number of KubeDB webhook server replicas to create (only 1 is supported) | 1 | +| registryFQDN | Docker registry fqdn used to pull KubeDB related images Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ghcr.io | +| server.registry | Docker registry used to pull KubeDB webhook server image | kubedb | +| server.repository | KubeDB webhook server container image | kubedb-webhook-server | +| server.tag | KubeDB webhook server container image tag | "" | +| server.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534} | +| server.resources | Compute Resources required by this container | {} | +| featureGates.Druid | | true | +| featureGates.Elasticsearch | | true | +| featureGates.FerretDB | | false | +| featureGates.Kafka | | true | +| featureGates.MariaDB | | true | +| featureGates.Memcached | | false | +| featureGates.MicrosoftSQLServer | | false | +| featureGates.MongoDB | | true | +| featureGates.MySQL | | true | +| featureGates.PerconaXtraDB | | true | +| featureGates.PgBouncer | | true | +| featureGates.Pgpool | | true | +| featureGates.Postgres | | true | +| featureGates.ProxySQL | | true | +| 
featureGates.RabbitMQ | | false | +| featureGates.Redis | | true | +| featureGates.Singlestore | | false | +| featureGates.Solr | | true | +| featureGates.ZooKeeper | | false | +| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
Example:
`helm template charts/kubedb-webhook-server \`
`--set imagePullSecrets[0].name=sec0 \`
`--set imagePullSecrets[1].name=sec1` | [] | +| imagePullPolicy | Container image pull policy | IfNotPresent | +| criticalAddon | If true, installs KubeDB webhook server as critical addon | false | +| logLevel | Log level for webhook server | 3 | +| annotations | Annotations applied to webhook server deployment | {} | +| podAnnotations | Annotations passed to webhook server pod(s). | {} | +| nodeSelector | Node labels for pod assignment | {"kubernetes.io/os":"linux"} | +| tolerations | Tolerations for pod assignment | [] | +| affinity | Affinity rules for pod assignment | {} | +| podSecurityContext | Security options the webhook server pod should run with. | {} | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | +| apiserver.groupPriorityMinimum | The minimum priority the webhook api group should have at least. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64 for more information on proper values of this field. | 10000 | +| apiserver.versionPriority | The ordering of the webhook api inside of the group. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70 for more information on proper values of this field | 15 | +| apiserver.enableMutatingWebhook | If true, mutating webhook is configured for KubeDB CRDss | true | +| apiserver.enableValidatingWebhook | If true, validating webhook is configured for KubeDB CRDss | true | +| apiserver.ca | CA certificate used by the Kubernetes api server. This field is automatically assigned by the webhook server. 
| not-ca-cert | +| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true | +| apiserver.healthcheck.enabled | healthcheck configures the readiness and liveliness probes for the webhook server pod. | false | +| apiserver.port | Port used to expose the webhook server apiserver | 8443 | +| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate webhook servers pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | true | +| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of webhook server. | "" | +| apiserver.servingCerts.serverCrt | Serving certficate used by webhook server. | "" | +| apiserver.servingCerts.serverKey | Private key for the serving certificate used by webhook server. | "" | +| apiserver.webhook.failurePolicy | | Ignore | +| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | "" | +| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/webhook server`. | {"monitoring.appscode.com/prometheus":"auto"} | +| hostNetwork | If true, uses HostNetwork for pods. This is required in EKS using Cilium with VxLAN overlay | false | +| defaultSeccompProfileType | | "" | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: diff --git a/charts/kubedb-webhook-server/ci/ci-values.yaml b/charts/kubedb-webhook-server/ci/ci-values.yaml index ed6de0e94..00c027cc0 100644 --- a/charts/kubedb-webhook-server/ci/ci-values.yaml +++ b/charts/kubedb-webhook-server/ci/ci-values.yaml 
@@ -1,5 +1,4 @@ # https://github.com/helm/charts/blob/master/test/README.md#providing-custom-test-values -license: "" server: securityContext: seccompProfile: diff --git a/charts/kubedb-webhook-server/templates/_helpers.tpl b/charts/kubedb-webhook-server/templates/_helpers.tpl index 4684657a2..695a8d44f 100644 --- a/charts/kubedb-webhook-server/templates/_helpers.tpl +++ b/charts/kubedb-webhook-server/templates/_helpers.tpl @@ -62,24 +62,6 @@ Create the name of the service account to use {{- end }} {{- end }} -{{/* -Returns the appscode license -*/}} -{{- define "appscode.license" -}} -{{- .Values.license }} -{{- end }} - -{{/* -Returns the appscode license secret name -*/}} -{{- define "appscode.licenseSecretName" -}} -{{- if .Values.licenseSecretName }} -{{- .Values.licenseSecretName -}} -{{- else if .Values.license }} -{{- printf "%s-license" (include "kubedb-webhook-server.fullname" .) -}} -{{- end }} -{{- end }} - {{/* Returns the registry used for operator docker image */}} diff --git a/charts/kubedb-webhook-server/templates/deployment.yaml b/charts/kubedb-webhook-server/templates/deployment.yaml index 32301330d..78fa71536 100644 --- a/charts/kubedb-webhook-server/templates/deployment.yaml +++ b/charts/kubedb-webhook-server/templates/deployment.yaml @@ -51,9 +51,6 @@ spec: - --enable-mutating-webhook={{ .Values.apiserver.enableMutatingWebhook }} - --enable-validating-webhook={{ .Values.apiserver.enableValidatingWebhook }} - --use-kubeapiserver-fqdn-for-aks={{ .Values.apiserver.useKubeapiserverFqdnForAks }} - {{- if include "appscode.licenseSecretName" . }} - - --license-file=/var/run/secrets/appscode/license/key.txt - {{- end }} env: - name: POD_NAME valueFrom: @@ -71,10 +68,6 @@ spec: name: tmpdir - mountPath: /var/serving-cert name: serving-cert - {{- if include "appscode.licenseSecretName" . }} - - mountPath: /var/run/secrets/appscode/license - name: license - {{- end }} {{- if .Values.apiserver.healthcheck.enabled }} readinessProbe: httpGet: 
@@ -99,12 +92,6 @@ spec:
 secret:
 defaultMode: 420
 secretName: {{ include "kubedb-webhook-server.fullname" . }}-apiserver-cert
- {{- if include "appscode.licenseSecretName" . }}
- - name: license
- secret:
- defaultMode: 420
- secretName: {{ include "appscode.licenseSecretName" . }}
- {{- end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- if or .Values.tolerations $criticalAddon }}
diff --git a/charts/kubedb-webhook-server/templates/license-checker-cluster-role-binding.yaml b/charts/kubedb-webhook-server/templates/license-checker-cluster-role-binding.yaml
deleted file mode 100644
index 71501dd50..000000000
--- a/charts/kubedb-webhook-server/templates/license-checker-cluster-role-binding.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "kubedb-webhook-server.fullname" . }}-license-checker
- labels:
- {{- include "kubedb-webhook-server.labels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: appscode:license-checker
-subjects:
-- kind: ServiceAccount
- name: {{ include "kubedb-webhook-server.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
diff --git a/charts/kubedb-webhook-server/templates/license-checker-cluster-role.yaml b/charts/kubedb-webhook-server/templates/license-checker-cluster-role.yaml
deleted file mode 100644
index 184b3c7a6..000000000
--- a/charts/kubedb-webhook-server/templates/license-checker-cluster-role.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: appscode:license-checker
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation
-rules:
-# Get cluster id
-- apiGroups:
- - ""
- resources:
- - namespaces
- verbs: ["get"]
-# Issue license
-- apiGroups:
- - proxyserver.licenses.appscode.com
- resources:
- - licenserequests
- verbs: ["create"]
-# Detect workload/owner of operator pod
-- apiGroups:
- - ""
- resources:
- - pods
- verbs: ["get"]
-- apiGroups:
- - apps
- resources:
- - deployments
- - replicasets
- verbs: ["get"]
-# Write events in case of license verification failure
-- apiGroups:
- - ""
- resources:
- - events
- verbs: ["get", "list", "create", "patch"]
diff --git a/charts/kubedb-webhook-server/templates/license-reader-cluster-role-binding.yaml b/charts/kubedb-webhook-server/templates/license-reader-cluster-role-binding.yaml
deleted file mode 100644
index 7899b7a0c..000000000
--- a/charts/kubedb-webhook-server/templates/license-reader-cluster-role-binding.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "kubedb-webhook-server.fullname" . }}-license-reader
- labels:
- {{- include "kubedb-webhook-server.labels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: appscode:license-reader
-subjects:
-- kind: ServiceAccount
- name: {{ include "kubedb-webhook-server.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
diff --git a/charts/kubedb-webhook-server/templates/license-reader-cluster-role.yaml b/charts/kubedb-webhook-server/templates/license-reader-cluster-role.yaml
deleted file mode 100644
index a4f05ae94..000000000
--- a/charts/kubedb-webhook-server/templates/license-reader-cluster-role.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: appscode:license-reader
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation
-rules:
-# Detect license server endpoint for kubedb addons
-- apiGroups:
- - apiregistration.k8s.io
- resources:
- - apiservices
- verbs: ["get"]
-- nonResourceURLs:
- - /appscode/license
- verbs: ["get"]
diff --git a/charts/kubedb-webhook-server/templates/license.yaml b/charts/kubedb-webhook-server/templates/license.yaml
deleted file mode 100644
index effff3833..000000000
--- a/charts/kubedb-webhook-server/templates/license.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# if license file is provided, then create a secret for license
-{{- if include "appscode.license" . }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "appscode.licenseSecretName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kubedb-webhook-server.labels" . | nindent 4 }}
-type: Opaque
-data:
- key.txt: {{ include "appscode.license" . | b64enc }}
-{{- end }}
diff --git a/charts/kubedb-webhook-server/values.openapiv3_schema.yaml b/charts/kubedb-webhook-server/values.openapiv3_schema.yaml
index 7bca3c99a..e110a33be 100644
--- a/charts/kubedb-webhook-server/values.openapiv3_schema.yaml
+++ b/charts/kubedb-webhook-server/values.openapiv3_schema.yaml
@@ -962,10 +962,6 @@ properties:
 items:
 type: string
 type: array
- license:
- type: string
- licenseSecretName:
- type: string
 logLevel:
 format: int32
 type: integer
diff --git a/charts/kubedb-webhook-server/values.yaml b/charts/kubedb-webhook-server/values.yaml
index 0bd6da97b..944fa73b3 100644
--- a/charts/kubedb-webhook-server/values.yaml
+++ b/charts/kubedb-webhook-server/values.yaml
@@ -9,17 +9,6 @@ nameOverride: ""
 fullnameOverride: ""
 # Number of KubeDB webhook server replicas to create (only 1 is supported)
 replicaCount: 1
-# License for the product.
-# Get a license by following the steps from [here](https://kubedb.run/docs/latest/setup/install/enterprise#get-a-trial-license).
-# Example:
-# helm install appscode/kubedb-ops-manager \
-# --set-file license=/path/to/license/file
-# or
-# helm install appscode/kubedb-ops-manager \
-# --set license=
-license: ""
-# Name of Secret with the license as key.txt key
-licenseSecretName: ""
 # Docker registry fqdn used to pull KubeDB related images
 # Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image}
 registryFQDN: ghcr.io
diff --git a/charts/kubedb/README.md b/charts/kubedb/README.md
index 695d0a56b..85cec7972 100644
--- a/charts/kubedb/README.md
+++ b/charts/kubedb/README.md
@@ -74,7 +74,7 @@ The following table lists the configurable parameters of the `kubedb` chart and
 | global.featureGates.ZooKeeper | | false |
 | global.monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | "" |
 | global.monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {"monitoring.appscode.com/prometheus":"auto"} |
-| petset.enabled | If enabled, installs the petset chart | false |
+| petset.enabled | If enabled, installs the petset chart | true |
 | sidekick.enabled | If enabled, installs the sidekick chart | true |
 | supervisor.enabled | If enabled, installs the supervisor chart | false |
 | kubedb-crd-manager.enabled | If enabled, installs the kubedb-crd-manager chart | true |
diff --git a/charts/kubedb/values.openapiv3_schema.yaml b/charts/kubedb/values.openapiv3_schema.yaml
index 68f2f3ee7..c1c54dcb1 100644
--- a/charts/kubedb/values.openapiv3_schema.yaml
+++ b/charts/kubedb/values.openapiv3_schema.yaml
@@ -8588,10 +8588,6 @@ properties:
 items:
 type: string
 type: array
- license:
- type: string
- licenseSecretName:
- type: string
 logLevel:
 format: int32
 type: integer