diff --git a/chart/kubedb/README.md b/chart/kubedb/README.md index aaa9889f2..f9ce118c7 100644 --- a/chart/kubedb/README.md +++ b/chart/kubedb/README.md @@ -23,6 +23,7 @@ To install the chart with the release name `my-release`: ```console $ helm install appscode/kubedb --name my-release ``` + The command deploys KubeDB operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. > **Tip**: List all releases using `helm list` 
@@ -39,26 +40,27 @@ The command removes all the Kubernetes components associated with the chart and ## Configuration -The following tables lists the configurable parameters of the KubeDB chart and their default values. - - -| Parameter | Description | Default | -| -----------------------------------| ------------------------------------------------------------------ | ------------------ | -| `replicaCount` | Number of kubedb operator replicas to create (only 1 is supported) | `1` | -| `dockerRegistry` | Docker registry used to pull KubeDB related images | `kubedb` | -| `imageTags.operator` | Tag of KubeDB operator image | `0.8.0-beta.2` | -| `imageTags.exporter` | Tag of KubeDB operator image | `0.8.0-beta.2` | -| `imageTags.apiserver` | Tag of KubeDB server image | `0.1.0-beta.2` | -| `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) | -| `imagePullPolicy` | Image pull policy | `IfNotPresent` | -| `criticalAddon` | If true, installs KubeDB operator as critical addon | `false` | -| `rbac.create` | If `true`, create and use RBAC resources | `true` | -| `serviceAccount.create` | If `true`, create a new service account | `true` | -| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | `` | -| `apiserver.groupPriorityMinimum` | The minimum priority the group should have. | 10000 | -| `apiserver.versionPriority` | The ordering of this API inside of the group. | 15 | -| `apiserver.enableAdmissionWebhook` | Configure apiserver as admission webhooks for KubeDB CRDs | false | -| `apiserver.ca` | CA certificate used by main Kubernetes api server | `` | +The following table lists the configurable parameters of the KubeDB chart and their default values. 
+ + +| Parameter | Description | Default | +| ----------------------------------- | ------------------------------------------------------------------ | ------------------ | +| `replicaCount` | Number of kubedb operator replicas to create (only 1 is supported) | `1` | +| `kubedb.registry` | Docker registry used to pull Kubedb operator image | `kubedb` | +| `kubedb.repository` | Kubedb operator container image | `operator` | +| `kubedb.tag` | Kubedb operator container image tag | `0.8.0-beta.2` | +| `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `imagePullPolicy` | Image pull policy | `IfNotPresent` | +| `criticalAddon` | If true, installs KubeDB operator as critical addon | `false` | +| `rbac.create` | If `true`, create and use RBAC resources | `true` | +| `serviceAccount.create` | If `true`, create a new service account | `true` | +| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | `` | +| `apiserver.groupPriorityMinimum` | The minimum priority the group should have. | 10000 | +| `apiserver.versionPriority` | The ordering of this API inside of the group. | 15 | +| `apiserver.enableValidatingWebhook` | Enable validating webhooks for KubeDB CRDs | false | +| `apiserver.enableMutatingWebhook` | Enable mutating webhooks for KubeDB CRDs | false | +| `apiserver.ca` | CA certificate used by main Kubernetes api server | `` | +| `enableAnalytics` | Send usage events to Google Analytics | `true` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example: 
@@ -79,7 +81,7 @@ By default the chart will not install the recommended RBAC roles and rolebinding You need to have the flag `--authorization-mode=RBAC` on the api server. See the following document for how to enable [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/). -To determine if your cluster supports RBAC, run the the following command: +To determine if your cluster supports RBAC, run the following command: ```console $ kubectl api-versions | grep rbac diff --git a/chart/kubedb/templates/apiregistration.yaml b/chart/kubedb/templates/apiregistration.yaml index 0b7366583..01c1aa436 100644 --- a/chart/kubedb/templates/apiregistration.yaml +++ b/chart/kubedb/templates/apiregistration.yaml @@ -6,14 +6,33 @@ apiVersion: apiregistration.k8s.io/v1beta1 kind: APIService metadata: - name: v1alpha1.admission.kubedb.com + name: v1alpha1.validators.kubedb.com labels: chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" app: "{{ template "kubedb.name" . }}" heritage: "{{ .Release.Service }}" release: "{{ .Release.Name }}" spec: - group: admission.kubedb.com + group: validators.kubedb.com + version: v1alpha1 + service: + namespace: {{ .Release.Namespace }} + name: {{ template "kubedb.fullname" . }} + caBundle: {{ b64enc $ca.Cert }} + groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }} + versionPriority: {{ .Values.apiserver.versionPriority }} +--- +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1alpha1.mutators.kubedb.com + labels: + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: "{{ template "kubedb.name" . }}" + heritage: "{{ .Release.Service }}" + release: "{{ .Release.Name }}" +spec: + group: mutators.kubedb.com version: v1alpha1 service: namespace: {{ .Release.Namespace }} 
@@ -26,6 +45,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "kubedb.fullname" . }}-apiserver-cert + namespace: {{ .Release.Namespace }} labels: chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" app: "{{ template "kubedb.name" . }}" diff --git a/chart/kubedb/templates/deployment.yaml b/chart/kubedb/templates/deployment.yaml index 8faab95f6..2e5da9e29 100644 --- a/chart/kubedb/templates/deployment.yaml +++ b/chart/kubedb/templates/deployment.yaml @@ -2,13 +2,12 @@ apiVersion: apps/v1beta1 kind: Deployment metadata: name: {{ template "kubedb.fullname" . }} + namespace: {{ .Release.Namespace }} labels: chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" app: "{{ template "kubedb.name" . }}" heritage: "{{ .Release.Service }}" release: "{{ .Release.Name }}" - initializers: - pending: [] spec: replicas: {{ .Values.replicaCount }} selector: 
@@ -32,31 +31,26 @@ spec: {{- end }} containers: - name: operator - image: {{ .Values.dockerRegistry }}/operator:{{ .Values.imageTags.operator }} + image: {{ .Values.kubedb.registry }}/{{ .Values.kubedb.repository }}:{{ .Values.kubedb.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - run - --v=3 - - --docker-registry={{ .Values.dockerRegistry }} - - --exporter-tag={{ .Values.imageTags.exporter }} + - --docker-registry={{ .Values.kubedb.registry }} + - --exporter-tag={{ .Values.kubedb.tag }} - --governing-service=kubedb - --rbac={{ .Values.rbac.create }} + - --secure-port=8443 + - --audit-log-path=- + - --tls-cert-file=/var/serving-cert/tls.crt + - --tls-private-key-file=/var/serving-cert/tls.key + - --enable-analytics={{ .Values.enableAnalytics }} env: - name: OPERATOR_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: server - image: {{ .Values.dockerRegistry }}/kubedb-server:{{ .Values.imageTags.apiserver }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - run - - --v=3 - - --secure-port=8443 - - --audit-log-path=- - - --tls-cert-file=/var/serving-cert/tls.crt - - --tls-private-key-file=/var/serving-cert/tls.key ports: - containerPort: 8443 volumeMounts: diff --git a/chart/kubedb/templates/mutating-webhook.yaml b/chart/kubedb/templates/mutating-webhook.yaml new file mode 100644 index 000000000..aa4d6ddf6 --- /dev/null +++ b/chart/kubedb/templates/mutating-webhook.yaml 
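Review bot: `kubedb.tag` is now used both as the operator image tag and as `--exporter-tag={{ .Values.kubedb.tag }}`, so the exporter image is silently pinned to the operator's tag, while the README row for `kubedb.tag` describes it only as the operator image tag. A comment next to `tag:` in values.yaml would make the coupling explicit, e.g. `# also passed to the operator as --exporter-tag; operator and exporter images must publish the same tag`. The same coupling appears in the hack/deploy/operator.yaml hunk (`--exporter-tag=${KUBEDB_OPERATOR_TAG}`). The container spec continues outside the hunk (`volumeMounts:`).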
@@ -0,0 +1,103 @@ +{{- if .Values.apiserver.enableMutatingWebhook }} +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: mutators.kubedb.com + labels: + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: "{{ template "kubedb.name" . }}" + heritage: "{{ .Release.Service }}" + release: "{{ .Release.Name }}" +webhooks: +- name: elasticsearch.mutators.kubedb.com + clientConfig: + service: + namespace: default + name: kubernetes + path: /apis/mutators.kubedb.com/v1alpha1/elasticsearchs + caBundle: {{ b64enc .Values.apiserver.ca }} + rules: + - apiGroups: ["kubedb.com"] + apiVersions: ["*"] + resources: ["elasticsearches"] + operations: ["CREATE", "UPDATE", "DELETE"] + failurePolicy: Fail +- name: postgres.mutators.kubedb.com + clientConfig: + service: + namespace: default + name: kubernetes + path: /apis/mutators.kubedb.com/v1alpha1/postgress + caBundle: {{ b64enc .Values.apiserver.ca }} + rules: + - apiGroups: ["kubedb.com"] + apiVersions: ["*"] + resources: ["postgreses"] + operations: ["CREATE", "UPDATE", "DELETE"] + failurePolicy: Fail +- name: mysql.mutators.kubedb.com + clientConfig: + service: + namespace: default + name: kubernetes + path: /apis/mutators.kubedb.com/v1alpha1/mysqls + caBundle: {{ b64enc .Values.apiserver.ca }} + rules: + - apiGroups: ["kubedb.com"] + apiVersions: ["*"] + resources: ["mysqls"] + operations: ["CREATE", "UPDATE", "DELETE"] + failurePolicy: Fail +- name: mongodb.mutators.kubedb.com + clientConfig: + service: + namespace: default + name: kubernetes + path: /apis/mutators.kubedb.com/v1alpha1/mongodbs + caBundle: {{ b64enc .Values.apiserver.ca }} + rules: + - apiGroups: ["kubedb.com"] + apiVersions: ["*"] + resources: ["mongodbs"] + operations: ["CREATE", "UPDATE", "DELETE"] + failurePolicy: Fail +- name: redis.mutators.kubedb.com + clientConfig: + service: + namespace: default + name: kubernetes + path: /apis/mutators.kubedb.com/v1alpha1/rediss + caBundle: {{ b64enc 
.Values.apiserver.ca }} + rules: + - apiGroups: ["kubedb.com"] + apiVersions: ["*"] + resources: ["redises"] + operations: ["CREATE", "UPDATE", "DELETE"] + failurePolicy: Fail +- name: memcached.mutators.kubedb.com + clientConfig: + service: + namespace: default + name: kubernetes + path: /apis/mutators.kubedb.com/v1alpha1/memcacheds + caBundle: {{ b64enc .Values.apiserver.ca }} + rules: + - apiGroups: ["kubedb.com"] + apiVersions: ["*"] + resources: ["memcacheds"] + operations: ["CREATE", "UPDATE", "DELETE"] + failurePolicy: Fail +- name: snapshot.mutators.kubedb.com + clientConfig: + service: + namespace: default + name: kubernetes + path: /apis/mutators.kubedb.com/v1alpha1/snapshots + caBundle: {{ b64enc .Values.apiserver.ca }} + rules: + - apiGroups: ["kubedb.com"] + apiVersions: ["*"] + resources: ["snapshots"] + operations: ["CREATE", "UPDATE"] + failurePolicy: Fail +{{ end }} diff --git a/chart/kubedb/templates/service-account.yaml b/chart/kubedb/templates/service-account.yaml index 0948f95f7..981f9f7a9 100644 --- a/chart/kubedb/templates/service-account.yaml +++ b/chart/kubedb/templates/service-account.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kubedb.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} labels: chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" app: "{{ template "kubedb.name" . }}" diff --git a/chart/kubedb/templates/service.yaml b/chart/kubedb/templates/service.yaml index 829eeccfa..a4cabaa58 100644 --- a/chart/kubedb/templates/service.yaml +++ b/chart/kubedb/templates/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "kubedb.fullname" . }} + namespace: {{ .Release.Namespace }} labels: app: "{{ template "kubedb.name" . }}" chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" 
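Review bot: Every `caBundle: {{ b64enc .Values.apiserver.ca }}` in this file renders from a value that defaults to a bare `ca:` (null) in values.yaml, so enabling `apiserver.enableMutatingWebhook` without `--set apiserver.ca=...` either fails rendering on the nil argument or, if `ca` is set to an empty string, registers webhooks with an empty CA bundle and `failurePolicy: Fail`, which would then reject every KubeDB CRD create/update/delete; I have not confirmed which of the two happens. Guarding the value makes the failure explicit at install time: `caBundle: {{ required "apiserver.ca must be set when webhooks are enabled" .Values.apiserver.ca | b64enc }}`. The same applies to the seven `caBundle` lines in the validating-webhook.yaml hunks, and the `enableMutatingWebhook`/`enableValidatingWebhook` comments in the values.yaml hunk could state that `apiserver.ca` is required when either is true.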
diff --git a/chart/kubedb/templates/validating-webhook-configuration.yaml b/chart/kubedb/templates/validating-webhook.yaml similarity index 74% rename from chart/kubedb/templates/validating-webhook-configuration.yaml rename to chart/kubedb/templates/validating-webhook.yaml index 5921f558b..cbcd7480b 100644 --- a/chart/kubedb/templates/validating-webhook-configuration.yaml +++ b/chart/kubedb/templates/validating-webhook.yaml @@ -1,20 +1,20 @@ -{{- if .Values.apiserver.enableAdmissionWebhook }} +{{- if .Values.apiserver.enableValidatingWebhook }} apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: - name: admission.kubedb.com + name: validators.kubedb.com labels: chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" app: "{{ template "kubedb.name" . }}" heritage: "{{ .Release.Service }}" release: "{{ .Release.Name }}" webhooks: -- name: elasticsearch.admission.kubedb.com +- name: elasticsearch.validators.kubedb.com clientConfig: service: namespace: default name: kubernetes - path: /apis/admission.kubedb.com/v1alpha1/elasticsearchreviews + path: /apis/validators.kubedb.com/v1alpha1/elasticsearchs caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] @@ -22,12 +22,12 @@ webhooks: resources: ["elasticsearches"] operations: ["CREATE", "UPDATE", "DELETE"] failurePolicy: Fail -- name: postgres.admission.kubedb.com +- name: postgres.validators.kubedb.com clientConfig: service: namespace: default name: kubernetes - path: /apis/admission.kubedb.com/v1alpha1/postgresreviews + path: /apis/validators.kubedb.com/v1alpha1/postgress caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] 
@@ -35,12 +35,12 @@ webhooks: resources: ["postgreses"] operations: ["CREATE", "UPDATE", "DELETE"] failurePolicy: Fail -- name: mysql.admission.kubedb.com +- name: mysql.validators.kubedb.com clientConfig: service: namespace: default name: kubernetes - path: /apis/admission.kubedb.com/v1alpha1/mysqlreviews + path: /apis/validators.kubedb.com/v1alpha1/mysqls caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] @@ -48,12 +48,12 @@ webhooks: resources: ["mysqls"] operations: ["CREATE", "UPDATE", "DELETE"] failurePolicy: Fail -- name: mongodb.admission.kubedb.com +- name: mongodb.validators.kubedb.com clientConfig: service: namespace: default name: kubernetes - path: /apis/admission.kubedb.com/v1alpha1/mongodbreviews + path: /apis/validators.kubedb.com/v1alpha1/mongodbs caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] @@ -61,12 +61,12 @@ webhooks: resources: ["mongodbs"] operations: ["CREATE", "UPDATE", "DELETE"] failurePolicy: Fail -- name: redis.admission.kubedb.com +- name: redis.validators.kubedb.com clientConfig: service: namespace: default name: kubernetes - path: /apis/admission.kubedb.com/v1alpha1/redisreviews + path: /apis/validators.kubedb.com/v1alpha1/rediss caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] @@ -74,12 +74,12 @@ webhooks: resources: ["redises"] operations: ["CREATE", "UPDATE", "DELETE"] failurePolicy: Fail -- name: memcached.admission.kubedb.com +- name: memcached.validators.kubedb.com clientConfig: service: namespace: default name: kubernetes - path: /apis/admission.kubedb.com/v1alpha1/memcachedreviews + path: /apis/validators.kubedb.com/v1alpha1/memcacheds caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] 
@@ -87,12 +87,12 @@ webhooks: resources: ["memcacheds"] operations: ["CREATE", "UPDATE", "DELETE"] failurePolicy: Fail -- name: snapshot.admission.kubedb.com +- name: snapshot.validators.kubedb.com clientConfig: service: namespace: default name: kubernetes - path: /apis/admission.kubedb.com/v1alpha1/snapshotreviews + path: /apis/validators.kubedb.com/v1alpha1/snapshots caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] diff --git a/chart/kubedb/values.yaml b/chart/kubedb/values.yaml index e56f04991..c84931d4a 100644 --- a/chart/kubedb/values.yaml +++ b/chart/kubedb/values.yaml @@ -1,18 +1,13 @@ ## ## KubeDB chart configuration ## -# Docker registry containing KubeDB images -dockerRegistry: kubedb -## Tags for Docker images -imageTags: - ## Docker image tag containing KubeDB operator - operator: 0.8.0-beta.2 - ## Docker image tag containing KubeDB exporter - exporter: 0.8.0-beta.2 - ## Docker image tag containing KubeDB apiserver - apiserver: 0.1.0-beta.2 # Declare variables to be passed into your templates. replicaCount: 1 +# Docker registry containing Kubedb images +kubedb: + registry: kubedb + repository: operator + tag: 0.8.0-beta.2 ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod 
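Review bot: `tag: 0.8.0-beta.2` is safe as written, but image tags are strings and a future tag such as `1.10` would be parsed by YAML as the float `1.1` before Helm sees it; quoting it now avoids that trap: `tag: "0.8.0-beta.2"`. The comment `# Docker registry containing Kubedb images` sits above the whole `kubedb:` block but only describes `registry`; something like `# KubeDB operator image, assembled as <registry>/<repository>:<tag>` covers all three keys.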
@@ -47,7 +42,12 @@ apiserver: # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70 # for more information on proper values of this field versionPriority: 15 - # enableAdmissionWebhook is used to configure apiserver as admission webhook for KubeDB CRDs - enableAdmissionWebhook: false + # enableMutatingWebhook is used to configure mutating webhook for KubeDB CRDs + enableMutatingWebhook: false + # enableValidatingWebhook is used to configure validating webhook for KubeDB CRDs + enableValidatingWebhook: false # CA certificate used by main Kubernetes api server ca: + +# Send usage events to Google Analytics +enableAnalytics: true diff --git a/docs/setup/install.md b/docs/setup/install.md index 9841c10db..cd68ace86 100644 --- a/docs/setup/install.md +++ b/docs/setup/install.md @@ -71,12 +71,14 @@ options: -h, --help show brief help -n, --namespace=NAMESPACE specify namespace (default: kube-system) --rbac create RBAC roles and bindings (default: true) - --docker-registry docker registry used to pull kubedb images (default: appscode) - --image-pull-secret name of secret used to pull kubedb operator images - --run-on-master run kubedb operator on master - --enable-admission-webhook configure admission webhook for kubedb CRDs - --uninstall uninstall kubedb - --purge purges kubedb crd objects and crds + --docker-registry docker registry used to pull KubeDB images (default: appscode) + --image-pull-secret name of secret used to pull KubeDB operator images + --run-on-master run KubeDB operator on master + --enable-validating-webhook enable/disable validating webhooks for KubeDB CRDs + --enable-mutating-webhook enable/disable mutating webhooks for KubeDB CRDs + --enable-analytics send usage events to Google Analytics (default: true) + --uninstall uninstall KubeDB + --purge purges KubeDB crd objects and crds ``` If you would like to run KubeDB operator pod in `master` instances, pass the `--run-on-master` flag: 
@@ -104,11 +106,11 @@ $ curl -fsSL https://raw.githubusercontent.com/kubedb/cli/0.8.0-beta.2/hack/depl | bash -s -- --docker-registry=MY_REGISTRY [--image-pull-secret=SECRET_NAME] [--rbac] ``` -KubeDB implements a [validating admission webhook](https://kubernetes.io/docs/admin/admission-controllers/#validatingadmissionwebhook-alpha-in-18-beta-in-19) to validate KubeDB CRDs. This is enabled by default for Kubernetes 1.9.0 or later releases. To disable this feature, pass the `--enable-admission-webhook=false` flag. +KubeDB implements [validating and mutating admission webhooks](https://kubernetes.io/docs/admin/admission-controllers/#validatingadmissionwebhook-alpha-in-18-beta-in-19) for KubeDB CRDs. This is enabled by default for Kubernetes 1.9.0 or later releases. To disable this feature, pass the `--enable-validating-webhook=false` and `--enable-mutating-webhook=false` flag respectively. ```console $ curl -fsSL https://raw.githubusercontent.com/kubedb/cli/0.8.0-beta.2/hack/deploy/kubedb.sh \ - | bash -s -- --enable-admission-webhook [--rbac] + | bash -s -- --enable-validating-webhook=false --enable-mutating-webhook=false [--rbac] ``` ### Using Helm @@ -131,17 +133,13 @@ curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/ && chmod +x onessl \ && sudo mv onessl /usr/local/bin/ -# Kubernetes 1.8.x -$ helm repo add appscode https://charts.appscode.com/stable/ -$ helm repo update -$ helm install appscode/kubedb --name my-release - # Kubernetes 1.9.0 or later $ helm repo add appscode https://charts.appscode.com/stable/ $ helm repo update $ helm install appscode/kubedb --name my-release \ --set apiserver.ca="$(onessl get kube-ca)" \ - --set apiserver.enableAdmissionWebhook=true + --set apiserver.enableValidatingWebhook=true \ + --set apiserver.enableMutatingWebhook=true ``` To see the detailed configuration options, visit [here](https://github.com/kubedb/cli/tree/master/chart/kubedb). 
diff --git a/hack/deploy/kubedb.sh b/hack/deploy/kubedb.sh index 200748321..b25103066 100755 --- a/hack/deploy/kubedb.sh +++ b/hack/deploy/kubedb.sh @@ -2,6 +2,7 @@ set -eou pipefail crds=(elasticsearches memcacheds mongodbs mysqls postgreses redises snapshots dormantdatabases) +apiServices=(v1alpha1.validators v1alpha1.mutators) echo "checking kubeconfig context" kubectl config current-context || { echo "Set a context (kubectl use-context ) out of the following:"; echo; kubectl config get-contexts; exit 1; } @@ -13,6 +14,46 @@ function cleanup { } trap cleanup EXIT +# ref: https://github.com/appscodelabs/libbuild/blob/master/common/lib.sh#L55 +inside_git_repo() { + git rev-parse --is-inside-work-tree > /dev/null 2>&1 + inside_git=$? + if [ "$inside_git" -ne 0 ]; then + echo "Not inside a git repository" + exit 1 + fi +} + +detect_tag() { + inside_git_repo + + # http://stackoverflow.com/a/1404862/3476121 + git_tag=$(git describe --exact-match --abbrev=0 2>/dev/null || echo '') + + commit_hash=$(git rev-parse --verify HEAD) + git_branch=$(git rev-parse --abbrev-ref HEAD) + commit_timestamp=$(git show -s --format=%ct) + + if [ "$git_tag" != '' ]; then + TAG=$git_tag + TAG_STRATEGY='git_tag' + elif [ "$git_branch" != 'master' ] && [ "$git_branch" != 'HEAD' ] && [[ "$git_branch" != release-* ]]; then + TAG=$git_branch + TAG_STRATEGY='git_branch' + else + hash_ver=$(git describe --tags --always --dirty) + TAG="${hash_ver}" + TAG_STRATEGY='commit_hash' + fi + + export TAG + export TAG_STRATEGY + export git_tag + export git_branch + export commit_hash + export commit_timestamp +} + # https://stackoverflow.com/a/677212/244009 if [ -x "$(command -v onessl)" ]; then export ONESSL=onessl 
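Review bot: In `detect_tag`, `TAG=$git_branch` makes the branch name the image tag (a later hunk exports it as `KUBEDB_OPERATOR_TAG`), but branch names may contain `/`, which is not allowed in a container image tag, so a dev install from such a branch would produce an unpullable image reference. If the image build side uses the same convention this may be intentional; otherwise either sanitize with `TAG=${git_branch//\//-}` or fail early with a clear message.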
@@ -20,19 +61,19 @@ else # ref: https://stackoverflow.com/a/27776822/244009 case "$(uname -s)" in Darwin) - curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-darwin-amd64 + curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.3.0/onessl-darwin-amd64 chmod +x onessl export ONESSL=./onessl ;; Linux) - curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-linux-amd64 + curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.3.0/onessl-linux-amd64 chmod +x onessl export ONESSL=./onessl ;; CYGWIN*|MINGW32*|MSYS*) - curl -fsSL -o onessl.exe https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-windows-amd64.exe + curl -fsSL -o onessl.exe https://github.com/kubepack/onessl/releases/download/0.3.0/onessl-windows-amd64.exe chmod +x onessl.exe export ONESSL=./onessl.exe ;; 
@@ -50,20 +91,27 @@ export KUBEDB_NAMESPACE=kube-system export KUBEDB_SERVICE_ACCOUNT=kubedb-operator export KUBEDB_ENABLE_RBAC=true export KUBEDB_RUN_ON_MASTER=0 -export KUBEDB_ENABLE_ADMISSION_WEBHOOK=false +export KUBEDB_ENABLE_VALIDATING_WEBHOOK=false +export KUBEDB_ENABLE_MUTATING_WEBHOOK=false export KUBEDB_DOCKER_REGISTRY=kubedb +export KUBEDB_OPERATOR_TAG=0.8.0-beta.2 export KUBEDB_IMAGE_PULL_SECRET= +export KUBEDB_IMAGE_PULL_POLICY=IfNotPresent +export KUBEDB_ENABLE_ANALYTICS=true export KUBEDB_UNINSTALL=0 export KUBEDB_PURGE=0 export APPSCODE_ENV=${APPSCODE_ENV:-prod} export SCRIPT_LOCATION="curl -fsSL https://raw.githubusercontent.com/kubedb/cli/0.8.0-beta.2/" if [ "$APPSCODE_ENV" = "dev" ]; then + detect_tag export SCRIPT_LOCATION="cat " + export KUBEDB_OPERATOR_TAG=$TAG + export KUBEDB_IMAGE_PULL_POLICY=Always fi KUBE_APISERVER_VERSION=$(kubectl version -o=json | $ONESSL jsonpath '{.serverVersion.gitVersion}') -$ONESSL semver --check='<1.9.0' $KUBE_APISERVER_VERSION || { export KUBEDB_ENABLE_ADMISSION_WEBHOOK=true; } +$ONESSL semver --check='<1.9.0' $KUBE_APISERVER_VERSION || { export KUBEDB_ENABLE_VALIDATING_WEBHOOK=true; export KUBEDB_ENABLE_MUTATING_WEBHOOK=true; } show_help() { echo "kubedb.sh - install kubedb operator" 
@@ -74,12 +122,14 @@ show_help() { echo "-h, --help show brief help" echo "-n, --namespace=NAMESPACE specify namespace (default: kube-system)" echo " --rbac create RBAC roles and bindings (default: true)" - echo " --docker-registry docker registry used to pull kubedb images (default: appscode)" - echo " --image-pull-secret name of secret used to pull kubedb operator images" - echo " --run-on-master run kubedb operator on master" - echo " --enable-admission-webhook configure admission webhook for kubedb CRDs" - echo " --uninstall uninstall kubedb" - echo " --purge purges kubedb crd objects and crds" + echo " --docker-registry docker registry used to pull KubeDB images (default: appscode)" + echo " --image-pull-secret name of secret used to pull KubeDB operator images" + echo " --run-on-master run KubeDB operator on master" + echo " --enable-validating-webhook enable/disable validating webhooks for KubeDB CRDs" + echo " --enable-mutating-webhook enable/disable mutating webhooks for KubeDB CRDs" + echo " --enable-analytics send usage events to Google Analytics (default: true)" + echo " --uninstall uninstall KubeDB" + echo " --purge purges KubeDB crd objects and crds" } while test $# -gt 0; do @@ -111,12 +161,24 @@ while test $# -gt 0; do export KUBEDB_IMAGE_PULL_SECRET="name: '$secret'" shift ;; - --enable-admission-webhook*) + --enable-validating-webhook*) val=`echo $1 | sed -e 's/^[^=]*=//g'` if [ "$val" = "false" ]; then - export KUBEDB_ENABLE_ADMISSION_WEBHOOK=false - else - export KUBEDB_ENABLE_ADMISSION_WEBHOOK=true + export KUBEDB_ENABLE_VALIDATING_WEBHOOK=false + fi + shift + ;; + --enable-mutating-webhook*) + val=`echo $1 | sed -e 's/^[^=]*=//g'` + if [ "$val" = "false" ]; then + export KUBEDB_ENABLE_MUTATING_WEBHOOK=false + fi + shift + ;; + --enable-analytics*) + val=`echo $1 | sed -e 's/^[^=]*=//g'` + if [ "$val" = "false" ]; then + export KUBEDB_ENABLE_ANALYTICS=false fi shift ;; 
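Review bot: The `--enable-validating-webhook*` and `--enable-mutating-webhook*` handlers only act when the value is `false`, so `--enable-validating-webhook` or `--enable-validating-webhook=true` is now a silent no-op (the old `else` branch that set the variable to `true` was dropped), while the help text above advertises `enable/disable`. Either restore the else branch, `else export KUBEDB_ENABLE_VALIDATING_WEBHOOK=true` (and likewise for mutating), or reword the help to `disable validating webhooks (pass =false; enabled by default on Kubernetes 1.9.0+)` so the documented contract matches the code. If the drop is deliberate because webhooks cannot work on clusters older than 1.9.0, the help reword is the right fix. The `while test $# -gt 0` loop continues outside the hunk.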
@@ -148,31 +210,6 @@ while test $# -gt 0; do done if [ "$KUBEDB_UNINSTALL" -eq 1 ]; then - # delete webhooks and apiservices - kubectl delete validatingwebhookconfiguration -l app=kubedb || true - kubectl delete mutatingwebhookconfiguration -l app=kubedb || true - kubectl delete apiservice -l app=kubedb - # delete kubedb operator - kubectl delete deployment -l app=kubedb --namespace $KUBEDB_NAMESPACE - kubectl delete service -l app=kubedb --namespace $KUBEDB_NAMESPACE - kubectl delete secret -l app=kubedb --namespace $KUBEDB_NAMESPACE - # delete RBAC objects, if --rbac flag was used. - kubectl delete serviceaccount -l app=kubedb --namespace $KUBEDB_NAMESPACE - kubectl delete clusterrolebindings -l app=kubedb - kubectl delete clusterrole -l app=kubedb - kubectl delete rolebindings -l app=kubedb --namespace $KUBEDB_NAMESPACE - kubectl delete role -l app=kubedb --namespace $KUBEDB_NAMESPACE - - echo "waiting for kubedb operator pod to stop running" - for (( ; ; )); do - pods=($(kubectl get pods --all-namespaces -l app=kubedb -o jsonpath='{range .items[*]}{.metadata.name} {end}')) - total=${#pods[*]} - if [ $total -eq 0 ] ; then - break - fi - sleep 2 - done - # https://github.com/kubernetes/kubernetes/issues/60538 if [ "$KUBEDB_PURGE" -eq 1 ]; then for crd in "${crds[@]}"; do 
@@ -198,8 +235,36 @@ if [ "$KUBEDB_UNINSTALL" -eq 1 ]; then # delete crd kubectl delete crd ${crd}.kubedb.com || true done + + echo "waiting 5 seconds ..." + sleep 5; fi + # delete webhooks and apiservices + kubectl delete validatingwebhookconfiguration -l app=kubedb || true + kubectl delete mutatingwebhookconfiguration -l app=kubedb || true + kubectl delete apiservice -l app=kubedb + # delete kubedb operator + kubectl delete deployment -l app=kubedb --namespace $KUBEDB_NAMESPACE + kubectl delete service -l app=kubedb --namespace $KUBEDB_NAMESPACE + kubectl delete secret -l app=kubedb --namespace $KUBEDB_NAMESPACE + # delete RBAC objects, if --rbac flag was used. + kubectl delete serviceaccount -l app=kubedb --namespace $KUBEDB_NAMESPACE + kubectl delete clusterrolebindings -l app=kubedb + kubectl delete clusterrole -l app=kubedb + kubectl delete rolebindings -l app=kubedb --namespace $KUBEDB_NAMESPACE + kubectl delete role -l app=kubedb --namespace $KUBEDB_NAMESPACE + + echo "waiting for kubedb operator pod to stop running" + for (( ; ; )); do + pods=($(kubectl get pods --all-namespaces -l app=kubedb -o jsonpath='{range .items[*]}{.metadata.name} {end}')) + total=${#pods[*]} + if [ $total -eq 0 ] ; then + break + fi + sleep 2 + done + echo echo "Successfully uninstalled KubeDB!" exit 0 
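Review bot: The new `sleep 5` after the CRD purge loop is a fixed delay with no check that the CRDs are actually gone before the webhooks, apiservice and operator are deleted; on a slow cluster the operator can be torn down while CRD deletion is still in progress. If the intent is to let the deletions complete, poll instead of sleeping: `for crd in "${crds[@]}"; do` / `  while kubectl get crd ${crd}.kubedb.com >/dev/null 2>&1; do sleep 2; done` / `done`, mirroring the pod-wait loop below it.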
@@ -209,6 +274,12 @@ echo "checking whether extended apiserver feature is enabled" $ONESSL has-keys configmap --namespace=kube-system --keys=requestheader-client-ca-file extension-apiserver-authentication || { echo "Set --requestheader-client-ca-file flag on Kubernetes apiserver"; exit 1; } echo "" +export KUBE_CA= +if [ "$KUBEDB_ENABLE_VALIDATING_WEBHOOK" = true ] || [ "$KUBEDB_ENABLE_MUTATING_WEBHOOK" = true ]; then + $ONESSL get kube-ca >/dev/null 2>&1 || { echo "Admission webhooks can't be used when kube apiserver is accesible without verifying its TLS certificate (insecure-skip-tls-verify : true)."; echo; exit 1; } + export KUBE_CA=$($ONESSL get kube-ca | $ONESSL base64) +fi + env | sort | grep KUBEDB* echo "" @@ -220,7 +291,6 @@ $ONESSL create server-cert server --domains=kubedb-operator.$KUBEDB_NAMESPACE.sv export SERVICE_SERVING_CERT_CA=$(cat ca.crt | $ONESSL base64) export TLS_SERVING_CERT=$(cat server.crt | $ONESSL base64) export TLS_SERVING_KEY=$(cat server.key | $ONESSL base64) -export KUBE_CA=$($ONESSL get kube-ca | $ONESSL base64) ${SCRIPT_LOCATION}hack/deploy/operator.yaml | $ONESSL envsubst | kubectl apply -f - @@ -237,8 +307,12 @@ if [ "$KUBEDB_RUN_ON_MASTER" -eq 1 ]; then --patch="$(${SCRIPT_LOCATION}hack/deploy/run-on-master.yaml)" fi -if [ "$KUBEDB_ENABLE_ADMISSION_WEBHOOK" = true ]; then - ${SCRIPT_LOCATION}hack/deploy/admission.yaml | $ONESSL envsubst | kubectl apply -f - +if [ "$KUBEDB_ENABLE_VALIDATING_WEBHOOK" = true ]; then + ${SCRIPT_LOCATION}hack/deploy/validating-webhook.yaml | $ONESSL envsubst | kubectl apply -f - +fi + +if [ "$KUBEDB_ENABLE_MUTATING_WEBHOOK" = true ]; then + ${SCRIPT_LOCATION}hack/deploy/mutating-webhook.yaml | $ONESSL envsubst | kubectl apply -f - fi echo 
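Review bot: The validating and mutating webhook configurations are applied in the third hunk before the later `wait-until-ready` checks for the operator deployment and apiservices, and both configurations use `failurePolicy: Fail`, so any KubeDB CRD create/update/delete issued between registration and the aggregated API becoming available is rejected. Unless the order is deliberate, moving the two `kubectl apply` blocks after the apiservice wait loop closes that window. Separately, the new error message in the first hunk misspells `accesible`; `accessible` is the fix.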
@@ -246,7 +320,9 @@ echo "waiting until kubedb operator deployment is ready" $ONESSL wait-until-ready deployment kubedb-operator --namespace $KUBEDB_NAMESPACE || { echo "KubeDB operator deployment failed to be ready"; exit 1; } echo "waiting until kubedb apiservice is available" -$ONESSL wait-until-ready apiservice v1alpha1.admission.kubedb.com || { echo "KubeDB apiservice failed to be ready"; exit 1; } +for api in "${apiServices[@]}"; do + $ONESSL wait-until-ready apiservice ${api}.kubedb.com || { echo "KubeDB apiservice $api failed to be ready"; exit 1; } +done echo "waiting until kubedb crds are ready" for crd in "${crds[@]}"; do @@ -254,4 +330,4 @@ for crd in "${crds[@]}"; do done echo -echo "Successfully installed KubeDB operator!" +echo "Successfully installed KubeDB operator in $KUBEDB_NAMESPACE namespace!" diff --git a/hack/deploy/mutating-webhook.yaml b/hack/deploy/mutating-webhook.yaml new file mode 100644 index 000000000..d2cb39d07 --- /dev/null +++ b/hack/deploy/mutating-webhook.yaml 
@@ -0,0 +1,99 @@
+# register to intercept kubedb CRD creates / updates
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutators.kubedb.com
+  labels:
+    app: kubedb
+webhooks:
+- name: elasticsearch.mutators.kubedb.com
+  clientConfig:
+    service:
+      namespace: default
+      name: kubernetes
+    path: /apis/mutators.kubedb.com/v1alpha1/elasticsearchs
+    caBundle: ${KUBE_CA}
+  rules:
+  - apiGroups: ["kubedb.com"]
+    apiVersions: ["*"]
+    resources: ["elasticsearches"]
+    operations: ["CREATE", "UPDATE", "DELETE"]
+  failurePolicy: Fail
+- name: postgres.mutators.kubedb.com
+  clientConfig:
+    service:
+      namespace: default
+      name: kubernetes
+    path: /apis/mutators.kubedb.com/v1alpha1/postgress
+    caBundle: ${KUBE_CA}
+  rules:
+  - apiGroups: ["kubedb.com"]
+    apiVersions: ["*"]
+    resources: ["postgreses"]
+    operations: ["CREATE", "UPDATE", "DELETE"]
+  failurePolicy: Fail
+- name: mysql.mutators.kubedb.com
+  clientConfig:
+    service:
+      namespace: default
+      name: kubernetes
+    path: /apis/mutators.kubedb.com/v1alpha1/mysqls
+    caBundle: ${KUBE_CA}
+  rules:
+  - apiGroups: ["kubedb.com"]
+    apiVersions: ["*"]
+    resources: ["mysqls"]
+    operations: ["CREATE", "UPDATE", "DELETE"]
+  failurePolicy: Fail
+- name: mongodb.mutators.kubedb.com
+  clientConfig:
+    service:
+      namespace: default
+      name: kubernetes
+    path: /apis/mutators.kubedb.com/v1alpha1/mongodbs
+    caBundle: ${KUBE_CA}
+  rules:
+  - apiGroups: ["kubedb.com"]
+    apiVersions: ["*"]
+    resources: ["mongodbs"]
+    operations: ["CREATE", "UPDATE", "DELETE"]
+  failurePolicy: Fail
+- name: redis.mutators.kubedb.com
+  clientConfig:
+    service:
+      namespace: default
+      name: kubernetes
+    path: /apis/mutators.kubedb.com/v1alpha1/rediss
+    caBundle: ${KUBE_CA}
+  rules:
+  - apiGroups: ["kubedb.com"]
+    apiVersions: ["*"]
+    resources: ["redises"]
+    operations: ["CREATE", "UPDATE", "DELETE"]
+  failurePolicy: Fail
+- name: memcached.mutators.kubedb.com
+  clientConfig:
+    service:
+      namespace: default
+      name: kubernetes
+    path: /apis/mutators.kubedb.com/v1alpha1/memcacheds
+    caBundle: ${KUBE_CA}
+  rules:
+  - apiGroups: ["kubedb.com"]
+    apiVersions: ["*"]
+    resources: ["memcacheds"]
+    operations: ["CREATE", "UPDATE", "DELETE"]
+  failurePolicy: Fail
+- name: snapshot.mutators.kubedb.com
+  clientConfig:
+    service:
+      namespace: default
+      name: kubernetes
+    path: /apis/mutators.kubedb.com/v1alpha1/snapshots
+    caBundle: ${KUBE_CA}
+  rules:
+  - apiGroups: ["kubedb.com"]
+    apiVersions: ["*"]
+    resources: ["snapshots"]
+    operations: ["CREATE", "UPDATE"]
+  failurePolicy: Fail
diff --git a/hack/deploy/operator.yaml b/hack/deploy/operator.yaml
index 47a0c16b4..434656324 100644
--- a/hack/deploy/operator.yaml
+++ b/hack/deploy/operator.yaml
@@ -5,8 +5,6 @@ metadata:
   namespace: ${KUBEDB_NAMESPACE}
   labels:
     app: kubedb
-  initializers:
-    pending: []
 spec:
   replicas: 1
   selector:
@@ -23,29 +21,26 @@ spec:
       imagePullSecrets: [${KUBEDB_IMAGE_PULL_SECRET}]
       containers:
       - name: operator
-        image: ${KUBEDB_DOCKER_REGISTRY}/operator:0.8.0-beta.2
+        image: ${KUBEDB_DOCKER_REGISTRY}/operator:${KUBEDB_OPERATOR_TAG}
+        imagePullPolicy: ${KUBEDB_IMAGE_PULL_POLICY}
         args:
         - run
         - --v=3
         - --docker-registry=${KUBEDB_DOCKER_REGISTRY}
-        - --exporter-tag=0.8.0-beta.2
+        - --exporter-tag=${KUBEDB_OPERATOR_TAG}
         - --governing-service=kubedb
         - --rbac=${KUBEDB_ENABLE_RBAC}
+        - --secure-port=8443
+        - --audit-log-path=-
+        - --tls-cert-file=/var/serving-cert/tls.crt
+        - --tls-private-key-file=/var/serving-cert/tls.key
+        - --enable-analytics=${KUBEDB_ENABLE_ANALYTICS}
         env:
         - name: OPERATOR_NAMESPACE
           valueFrom:
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
-      - name: server
-        image: ${KUBEDB_DOCKER_REGISTRY}/kubedb-server:0.1.0-beta.2
-        args:
-        - run
-        - --v=3
-        - --secure-port=8443
-        - --audit-log-path=-
-        - --tls-cert-file=/var/serving-cert/tls.crt
-        - --tls-private-key-file=/var/serving-cert/tls.key
         ports:
         - containerPort: 8443
         volumeMounts:
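Review bot: Every mutating rule except the snapshot one lists `DELETE` in `operations`, yet a mutating webhook has nothing to patch on a delete; together with `failurePolicy: Fail` this makes deleting any KubeDB resource depend on the operator's mutators.kubedb.com endpoint being reachable, which is exactly when an operator outage leaves users unable to clean up. Unless the operator's mutating handlers are relied on for delete-time behaviour, `operations: ["CREATE", "UPDATE"]` on all seven rules (the snapshot rule already has this) removes that dependency and matches the file's header comment, which only says `creates / updates`. If intercepting DELETE is intentional, the header comment should name the reason, e.g. `# DELETE is intercepted so the operator can <reason>; a Fail policy blocks deletes while the operator is down`.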
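Review bot: The `@@ -23,29 +21,26 @@` hunk of operator.yaml moves the TLS listener on 8443, which both API services and the webhooks now depend on, into the operator container, but no `readinessProbe` is visible; if the rest of the container spec (it continues past `volumeMounts:`, outside the hunk) has none, `wait-until-ready deployment` in the install script returns as soon as the process starts rather than when the listener is serving, and the `failurePolicy: Fail` webhooks registered shortly after deny kubedb.com requests during that window. An HTTPS readiness probe against port 8443 (on the health path the server exposes, which is not shown here) closes that gap. Separately, `--enable-analytics=${KUBEDB_ENABLE_ANALYTICS}` expands to an empty flag value if the script does not export that variable, which a boolean flag parser will reject at startup; the script's defaults are not in view, so worth confirming it is always set.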
@@ -97,12 +92,29 @@ spec:
 apiVersion: apiregistration.k8s.io/v1beta1
 kind: APIService
 metadata:
-  name: v1alpha1.admission.kubedb.com
+  name: v1alpha1.validators.kubedb.com
+  labels:
+    app: kubedb
+spec:
+  caBundle: ${SERVICE_SERVING_CERT_CA}
+  group: validators.kubedb.com
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: kubedb-operator
+    namespace: ${KUBEDB_NAMESPACE}
+  version: v1alpha1
+---
+# register as aggregated apiserver
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+  name: v1alpha1.mutators.kubedb.com
   labels:
     app: kubedb
 spec:
   caBundle: ${SERVICE_SERVING_CERT_CA}
-  group: admission.kubedb.com
+  group: mutators.kubedb.com
   groupPriorityMinimum: 1000
   versionPriority: 15
   service:
diff --git a/hack/deploy/admission.yaml b/hack/deploy/validating-webhook.yaml
similarity index 73%
rename from hack/deploy/admission.yaml
rename to hack/deploy/validating-webhook.yaml
index f76a83405..2524358ea 100644
--- a/hack/deploy/admission.yaml
+++ b/hack/deploy/validating-webhook.yaml
@@ -2,16 +2,16 @@
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: admission.kubedb.com
+  name: validators.kubedb.com
   labels:
     app: kubedb
 webhooks:
-- name: elasticsearch.admission.kubedb.com
+- name: elasticsearch.validators.kubedb.com
   clientConfig:
     service:
       namespace: default
       name: kubernetes
-    path: /apis/admission.kubedb.com/v1alpha1/elasticsearchreviews
+    path: /apis/validators.kubedb.com/v1alpha1/elasticsearchs
     caBundle: ${KUBE_CA}
   rules:
   - apiGroups: ["kubedb.com"]
@@ -19,12 +19,12 @@ webhooks:
     resources: ["elasticsearches"]
     operations: ["CREATE", "UPDATE", "DELETE"]
   failurePolicy: Fail
-- name: postgres.admission.kubedb.com
+- name: postgres.validators.kubedb.com
   clientConfig:
     service:
       namespace: default
       name: kubernetes
-    path: /apis/admission.kubedb.com/v1alpha1/postgresreviews
+    path: /apis/validators.kubedb.com/v1alpha1/postgress
     caBundle: ${KUBE_CA}
   rules:
   - apiGroups: ["kubedb.com"]
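Review bot: Renaming the APIService from `v1alpha1.admission.kubedb.com` to `v1alpha1.validators.kubedb.com` here, and the ValidatingWebhookConfiguration from `admission.kubedb.com` to `validators.kubedb.com` in the `@@ -2,16 +2,16 @@` hunk of validating-webhook.yaml, means `kubectl apply` creates new objects and leaves the old ones in place on a cluster upgraded from the previous release. The stale `admission.kubedb.com` webhook keeps pointing at `/apis/admission.kubedb.com/v1alpha1/...reviews`, which nothing serves once the operator registers only the new groups, and with `failurePolicy: Fail` every CREATE/UPDATE/DELETE on kubedb.com resources would most likely be denied after the upgrade. The install script hunks above apply the new manifests but remove nothing; unless the uninstall path, which is not in view, covers this, the script should run `kubectl delete validatingwebhookconfiguration admission.kubedb.com --ignore-not-found` and `kubectl delete apiservice v1alpha1.admission.kubedb.com --ignore-not-found` before applying operator.yaml.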
@@ -32,12 +32,12 @@ webhooks:
     resources: ["postgreses"]
     operations: ["CREATE", "UPDATE", "DELETE"]
   failurePolicy: Fail
-- name: mysql.admission.kubedb.com
+- name: mysql.validators.kubedb.com
   clientConfig:
     service:
       namespace: default
       name: kubernetes
-    path: /apis/admission.kubedb.com/v1alpha1/mysqlreviews
+    path: /apis/validators.kubedb.com/v1alpha1/mysqls
     caBundle: ${KUBE_CA}
   rules:
   - apiGroups: ["kubedb.com"]
@@ -45,12 +45,12 @@ webhooks:
     resources: ["mysqls"]
     operations: ["CREATE", "UPDATE", "DELETE"]
   failurePolicy: Fail
-- name: mongodb.admission.kubedb.com
+- name: mongodb.validators.kubedb.com
   clientConfig:
     service:
       namespace: default
       name: kubernetes
-    path: /apis/admission.kubedb.com/v1alpha1/mongodbreviews
+    path: /apis/validators.kubedb.com/v1alpha1/mongodbs
     caBundle: ${KUBE_CA}
   rules:
   - apiGroups: ["kubedb.com"]
@@ -58,12 +58,12 @@ webhooks:
     resources: ["mongodbs"]
     operations: ["CREATE", "UPDATE", "DELETE"]
   failurePolicy: Fail
-- name: redis.admission.kubedb.com
+- name: redis.validators.kubedb.com
   clientConfig:
     service:
       namespace: default
       name: kubernetes
-    path: /apis/admission.kubedb.com/v1alpha1/redisreviews
+    path: /apis/validators.kubedb.com/v1alpha1/rediss
     caBundle: ${KUBE_CA}
   rules:
   - apiGroups: ["kubedb.com"]
@@ -71,12 +71,12 @@ webhooks:
     resources: ["redises"]
     operations: ["CREATE", "UPDATE", "DELETE"]
   failurePolicy: Fail
-- name: memcached.admission.kubedb.com
+- name: memcached.validators.kubedb.com
   clientConfig:
     service:
       namespace: default
       name: kubernetes
-    path: /apis/admission.kubedb.com/v1alpha1/memcachedreviews
+    path: /apis/validators.kubedb.com/v1alpha1/memcacheds
     caBundle: ${KUBE_CA}
   rules:
   - apiGroups: ["kubedb.com"]
@@ -84,12 +84,12 @@ webhooks:
     resources: ["memcacheds"]
     operations: ["CREATE", "UPDATE", "DELETE"]
   failurePolicy: Fail
-- name: snapshot.admission.kubedb.com
+- name: snapshot.validators.kubedb.com
   clientConfig:
     service:
       namespace: default
       name: kubernetes
-    path: /apis/admission.kubedb.com/v1alpha1/snapshotreviews
+    path: /apis/validators.kubedb.com/v1alpha1/snapshots
     caBundle: ${KUBE_CA}
   rules:
   - apiGroups: ["kubedb.com"]