From 9aba48f9e35e8688e478f8f1efc87c0fc1507538 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Sat, 29 Sep 2018 14:29:26 -0700 Subject: [PATCH 1/6] Enable webhooks by default Signed-off-by: Tamal Saha --- chart/kubedb/README.md | 4 ++-- chart/kubedb/templates/mutating-webhook.yaml | 14 +++++++------- chart/kubedb/templates/validating-webhook.yaml | 18 +++++++++--------- chart/kubedb/values.yaml | 4 ++-- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/chart/kubedb/README.md b/chart/kubedb/README.md index e0a355265..d0b1e111b 100644 --- a/chart/kubedb/README.md +++ b/chart/kubedb/README.md @@ -64,8 +64,8 @@ The following table lists the configurable parameters of the KubeDB chart and th | `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | `` | | `apiserver.groupPriorityMinimum` | The minimum priority the group should have. | 10000 | | `apiserver.versionPriority` | The ordering of this API inside of the group. | 15 | -| `apiserver.enableValidatingWebhook` | Enable validating webhooks for KubeDB CRDs | false | -| `apiserver.enableMutatingWebhook` | Enable mutating webhooks for KubeDB CRDs | false | +| `apiserver.enableValidatingWebhook` | Enable validating webhooks for KubeDB CRDs | `true` | +| `apiserver.enableMutatingWebhook` | Enable mutating webhooks for KubeDB CRDs | `true` | | `apiserver.ca` | CA certificate used by main Kubernetes api server | `` | | `apiserver.enableStatusSubresource` | If true, uses status sub resource for crds | `false` | | `enableAnalytics` | Send usage events to Google Analytics | `true` | diff --git a/chart/kubedb/templates/mutating-webhook.yaml b/chart/kubedb/templates/mutating-webhook.yaml index 95292ce3d..dc5cedc08 100644 --- a/chart/kubedb/templates/mutating-webhook.yaml +++ b/chart/kubedb/templates/mutating-webhook.yaml 
@@ -18,7 +18,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/elasticsearches - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -31,7 +31,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/postgreses - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -44,7 +44,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/mysqls - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -57,7 +57,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/mongodbs - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -70,7 +70,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/redises - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -83,7 +83,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/memcacheds - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -96,7 +96,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/etcds - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] 
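Review bot: With `apiserver.ca` unset, `default "" .Values.apiserver.ca | b64enc` renders `caBundle:` with no value, which YAML reads as null, and values.yaml in this same commit turns both webhooks on by default. A default install therefore registers admission webhooks without a CA bundle; whether admission calls are then rejected or skipped depends on the API server version and on `failurePolicy`, which is outside these hunks. If a CA is mandatory whenever the webhooks are enabled, fail the render instead of emitting an empty field: `caBundle: {{ required "apiserver.ca is required when webhooks are enabled" .Values.apiserver.ca | b64enc }}`. The same expression appears in all seven hunks of this file and in the nine hunks of validating-webhook.yaml.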
diff --git a/chart/kubedb/templates/validating-webhook.yaml b/chart/kubedb/templates/validating-webhook.yaml index 00ed4ae4a..b00b074eb 100644 --- a/chart/kubedb/templates/validating-webhook.yaml +++ b/chart/kubedb/templates/validating-webhook.yaml @@ -18,7 +18,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/elasticsearches - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -31,7 +31,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/postgreses - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -44,7 +44,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/mysqls - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -57,7 +57,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/mongodbs - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -70,7 +70,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/redises - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -83,7 +83,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/memcacheds - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] 
@@ -96,7 +96,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/etcds - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -109,7 +109,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/snapshots - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -122,7 +122,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/dormantdatabases - caBundle: {{ b64enc .Values.apiserver.ca }} + caBundle: {{ default "" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] diff --git a/chart/kubedb/values.yaml b/chart/kubedb/values.yaml index fd9492c06..d0ec0f958 100644 --- a/chart/kubedb/values.yaml +++ b/chart/kubedb/values.yaml @@ -66,9 +66,9 @@ apiserver: # for more information on proper values of this field versionPriority: 15 # enableMutatingWebhook is used to configure mutating webhook for KubeDB CRDs - enableMutatingWebhook: false + enableMutatingWebhook: true # enableValidatingWebhook is used to configure validating webhook for KubeDB CRDs - enableValidatingWebhook: false + enableValidatingWebhook: true # CA certificate used by main Kubernetes api server ca: # If true, uses status sub resource for crds. From 533deeddf442634d58d6a2828719c053512ce8b8 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Sat, 29 Sep 2018 14:59:51 -0700 Subject: [PATCH 2/6] Enable status sub resource by inspection of Kube version --- chart/kubedb/README.md | 2 +- chart/kubedb/templates/deployment.yaml | 9 +++++++-- chart/kubedb/values.yaml | 5 +++-- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/chart/kubedb/README.md b/chart/kubedb/README.md index d0b1e111b..7dd545c34 100644 --- a/chart/kubedb/README.md 
+++ b/chart/kubedb/README.md @@ -67,7 +67,7 @@ The following table lists the configurable parameters of the KubeDB chart and th | `apiserver.enableValidatingWebhook` | Enable validating webhooks for KubeDB CRDs | `true` | | `apiserver.enableMutatingWebhook` | Enable mutating webhooks for KubeDB CRDs | `true` | | `apiserver.ca` | CA certificate used by main Kubernetes api server | `` | -| `apiserver.enableStatusSubresource` | If true, uses status sub resource for crds | `false` | +| `apiserver.disableStatusSubresource` | If true, disables status sub resource for crds. Otherwise enables based on Kubernetes version | `false` | | `enableAnalytics` | Send usage events to Google Analytics | `true` | diff --git a/chart/kubedb/templates/deployment.yaml b/chart/kubedb/templates/deployment.yaml index 4db22a60d..5a4ddd7c0 100644 --- a/chart/kubedb/templates/deployment.yaml +++ b/chart/kubedb/templates/deployment.yaml @@ -1,4 +1,7 @@ -apiVersion: apps/v1beta1 +# GKE returns Major:"1", Minor:"10+" +{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }} +{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }} +apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "kubedb.fullname" . }} @@ -46,7 +49,9 @@ spec: - --audit-log-path=- - --tls-cert-file=/var/serving-cert/tls.crt - --tls-private-key-file=/var/serving-cert/tls.key - - --enable-status-subresource={{ .Values.apiserver.enableStatusSubresource }} +{{- if and (not .Values.apiserver.disableStatusSubresource) (ge $major 1) (ge $minor 11) }} + - --enable-status-subresource=true +{{- end }} - --enable-analytics={{ .Values.enableAnalytics }} env: - name: OPERATOR_NAMESPACE diff --git a/chart/kubedb/values.yaml b/chart/kubedb/values.yaml index d0ec0f958..606b4c61f 100644 --- a/chart/kubedb/values.yaml +++ b/chart/kubedb/values.yaml 
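Review bot: The gate `(ge $major 1) (ge $minor 11)` tests the two version components independently, so a server reporting major 2, minor 0 would fail it even though it is newer than 1.11. Compare them as a pair: `{{- if and (not .Values.apiserver.disableStatusSubresource) (or (gt $major 1) (and (eq $major 1) (ge $minor 11))) }}`. Two things to confirm as well: the flag is now omitted instead of being rendered as `=false`, so the operator binary's own default decides the disabled case, and `.Capabilities.KubeVersion` describes the target cluster only when Helm renders against one.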
@@ -71,8 +71,9 @@ apiserver: enableValidatingWebhook: true # CA certificate used by main Kubernetes api server ca: - # If true, uses status sub resource for crds. - enableStatusSubresource: false + # If true, disables status sub resource for crds. + # Otherwise, enables status sub resource for Kubernetes version >= 1.11 and disables for other versions. + disableStatusSubresource: false # Send usage events to Google Analytics enableAnalytics: true From fd93b4d3d527bf5a4b0e263c58dc9e62009ed623 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Sat, 29 Sep 2018 15:11:10 -0700 Subject: [PATCH 3/6] Use `not-ca-cert` as default for webhook --- chart/kubedb/templates/mutating-webhook.yaml | 14 +++++++------- chart/kubedb/templates/validating-webhook.yaml | 18 +++++++++--------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/chart/kubedb/templates/mutating-webhook.yaml b/chart/kubedb/templates/mutating-webhook.yaml index dc5cedc08..e5e3911ed 100644 --- a/chart/kubedb/templates/mutating-webhook.yaml +++ b/chart/kubedb/templates/mutating-webhook.yaml @@ -18,7 +18,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/elasticsearches - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -31,7 +31,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/postgreses - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -44,7 +44,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/mysqls - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] 
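Review bot: `not-ca-cert` is a sentinel rather than PEM, so a webhook configuration rendered with this default carries a bundle the API server presumably cannot parse into a trust pool, and nothing in the template says what is expected to replace it. The literal is also repeated in sixteen `caBundle` lines across mutating-webhook.yaml and validating-webhook.yaml, so any later change to the sentinel has to be made in every one of them. Define it once in a named template and document it where it is defined, for example `# placeholder only; must be replaced with the cluster CA before the webhook can be verified`.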
@@ -57,7 +57,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/mongodbs - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -70,7 +70,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/redises - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -83,7 +83,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/memcacheds - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -96,7 +96,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/etcds - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] diff --git a/chart/kubedb/templates/validating-webhook.yaml b/chart/kubedb/templates/validating-webhook.yaml index b00b074eb..7a1f10879 100644 --- a/chart/kubedb/templates/validating-webhook.yaml +++ b/chart/kubedb/templates/validating-webhook.yaml @@ -18,7 +18,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/elasticsearches - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] 
@@ -31,7 +31,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/postgreses - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -44,7 +44,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/mysqls - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -57,7 +57,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/mongodbs - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -70,7 +70,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/redises - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -83,7 +83,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/memcacheds - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -96,7 +96,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/etcds - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] 
@@ -109,7 +109,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/snapshots - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -122,7 +122,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/dormantdatabases - caBundle: {{ default "" .Values.apiserver.ca | b64enc }} + caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] From b94335c18d4628ed938ae553bf6938e29dbc591c Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Sat, 29 Sep 2018 15:18:59 -0700 Subject: [PATCH 4/6] Fix cleaner registry value --- chart/kubedb/README.md | 2 +- chart/kubedb/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/kubedb/README.md b/chart/kubedb/README.md index 7dd545c34..8964051f4 100644 --- a/chart/kubedb/README.md +++ b/chart/kubedb/README.md @@ -49,7 +49,7 @@ The following table lists the configurable parameters of the KubeDB chart and th | `kubedb.registry` | Docker registry used to pull Kubedb operator image | `kubedb` | | `kubedb.repository` | Kubedb operator container image | `operator` | | `kubedb.tag` | Kubedb operator container image tag | `0.9.0-beta.0` | -| `cleaner.registry` | Docker registry used to pull Webhook cleaner image | `appcode` | +| `cleaner.registry` | Docker registry used to pull Webhook cleaner image | `appscode` | | `cleaner.repository` | Webhook cleaner container image | `kubectl` | | `cleaner.tag` | Webhook cleaner container image tag | `v1.11` | | `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) | diff --git a/chart/kubedb/values.yaml b/chart/kubedb/values.yaml index 606b4c61f..2d1844b3f 100644 --- a/chart/kubedb/values.yaml +++ b/chart/kubedb/values.yaml 
@@ -9,7 +9,7 @@ kubedb: repository: operator tag: 0.9.0-beta.0 cleaner: - registry: appcode + registry: appscode repository: kubectl tag: v1.11 ## Optionally specify an array of imagePullSecrets. From 308bbebde20743cae30023a34ca36051a68dc4f1 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Sat, 29 Sep 2018 18:35:12 -0700 Subject: [PATCH 5/6] Update rbac for needed to update admission webhook ca bundle --- chart/kubedb/templates/cluster-role.yaml | 11 +++++------ hack/deploy/rbac-list.yaml | 21 ++++++++++++++------- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/chart/kubedb/templates/cluster-role.yaml b/chart/kubedb/templates/cluster-role.yaml index da0b21b08..d2a33a1b0 100644 --- a/chart/kubedb/templates/cluster-role.yaml +++ b/chart/kubedb/templates/cluster-role.yaml @@ -14,14 +14,13 @@ rules: resources: - customresourcedefinitions verbs: - - '*' + - "*" - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations - validatingwebhookconfigurations - verbs: - - delete + verbs: ["delete", "list", "watch", "patch"] - apiGroups: - rbac.authorization.k8s.io resources: @@ -59,7 +58,7 @@ rules: - "" resources: - pods - verbs: ["deletecollection", "get", "list", "patch", "watch"] + verbs: ["*"] - apiGroups: - "" resources: @@ -84,8 +83,8 @@ rules: - kubedb.com - catalog.kubedb.com resources: - - '*' - verbs: ['*'] + - "*" + verbs: ["*"] - apiGroups: - monitoring.coreos.com resources: diff --git a/hack/deploy/rbac-list.yaml b/hack/deploy/rbac-list.yaml index 89aa20560..e43a78610 100644 --- a/hack/deploy/rbac-list.yaml +++ b/hack/deploy/rbac-list.yaml @@ -10,7 +10,13 @@ rules: resources: - customresourcedefinitions verbs: - - '*' + - "*" +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: ["delete", "list", "watch", "patch"] - apiGroups: - rbac.authorization.k8s.io resources: 
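Review bot: The admissionregistration.k8s.io rule now grants `patch` and `delete` on every mutating and validating webhook configuration in the cluster, because it carries no `resourceNames`; a service account holding it can alter or remove admission webhooks that belong to other components, not only KubeDB's. Restrict the write verbs to KubeDB's own objects and keep `list`/`watch` in a separate rule, as sketched below. The configuration names are not visible in this patch, so the ones in the sketch are placeholders. The same unrestricted rule is added in the first hunk of hack/deploy/rbac-list.yaml.

```yaml
# write access limited to KubeDB's own webhook configurations
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  resourceNames:
  - "<kubedb-mutating-webhook-configuration-name>"
  - "<kubedb-validating-webhook-configuration-name>"
  verbs: ["delete", "patch"]
# read access kept in a separate rule
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs: ["list", "watch"]
# … unchanged: rbac.authorization.k8s.io rule and the rest of the role …
```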
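Review bot: In the second hunk of cluster-role.yaml, `pods` goes from five named verbs to `verbs: ["*"]`, which adds create, update and delete plus any verb introduced later, and the commit subject (webhook CA bundle) does not explain the widening. If the aim is only to match hack/deploy/rbac-list.yaml, which already used `'*'`, narrowing that file would be the safer way to align the two. Otherwise keep the explicit list, `verbs: ["deletecollection", "get", "list", "patch", "watch"]`, extend it with the specific verb the operator needs, and give the reason in the commit message.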
@@ -48,8 +54,7 @@ rules: - "" resources: - pods - verbs: - - '*' + verbs: ["*"] - apiGroups: - "" resources: @@ -74,15 +79,17 @@ rules: - kubedb.com - catalog.kubedb.com resources: - - '*' - verbs: ['*'] + - "*" + verbs: ["*"] - apiGroups: - monitoring.coreos.com resources: - servicemonitors verbs: ["create", "delete", "get", "list", "update"] -- apiGroups: [""] - resources: ["pods/exec"] +- apiGroups: + - "" + resources: + - "pods/exec" verbs: ["create"] --- apiVersion: rbac.authorization.k8s.io/v1 From a3e2a4650e39d2c85fdb02444678408f5ede94d8 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Sat, 29 Sep 2018 18:59:51 -0700 Subject: [PATCH 6/6] Update chart installation instructions --- chart/kubedb/README.md | 2 +- chart/kubedb/templates/NOTES.txt | 2 ++ chart/kubedb/templates/mutating-webhook.yaml | 14 ++++---- .../kubedb/templates/validating-webhook.yaml | 18 +++++----- chart/kubedb/values.yaml | 2 +- docs/setup/install.md | 33 +------------------ 6 files changed, 21 insertions(+), 50 deletions(-) diff --git a/chart/kubedb/README.md b/chart/kubedb/README.md index 8964051f4..fa5ceb6c1 100644 --- a/chart/kubedb/README.md +++ b/chart/kubedb/README.md @@ -66,7 +66,7 @@ The following table lists the configurable parameters of the KubeDB chart and th | `apiserver.versionPriority` | The ordering of this API inside of the group. | 15 | | `apiserver.enableValidatingWebhook` | Enable validating webhooks for KubeDB CRDs | `true` | | `apiserver.enableMutatingWebhook` | Enable mutating webhooks for KubeDB CRDs | `true` | -| `apiserver.ca` | CA certificate used by main Kubernetes api server | `` | +| `apiserver.ca` | CA certificate used by main Kubernetes api server | `not-ca-cert` | | `apiserver.disableStatusSubresource` | If true, disables status sub resource for crds. Otherwise enables based on Kubernetes version | `false` | | `enableAnalytics` | Send usage events to Google Analytics | `true` | 
diff --git a/chart/kubedb/templates/NOTES.txt b/chart/kubedb/templates/NOTES.txt index a4625a5a3..32b7fd675 100644 --- a/chart/kubedb/templates/NOTES.txt +++ b/chart/kubedb/templates/NOTES.txt @@ -1,3 +1,5 @@ To verify that KubeDB has started, run: kubectl --namespace={{ .Release.Namespace }} get deployments -l "release={{ .Release.Name }}, app={{ template "kubedb.name" . }}" + +If you have not installed appscode/kubedb-catalog chart, install it. If already installed, upgrade appscode/kubedb-catalog chart. diff --git a/chart/kubedb/templates/mutating-webhook.yaml b/chart/kubedb/templates/mutating-webhook.yaml index e5e3911ed..95292ce3d 100644 --- a/chart/kubedb/templates/mutating-webhook.yaml +++ b/chart/kubedb/templates/mutating-webhook.yaml @@ -18,7 +18,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/elasticsearches - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -31,7 +31,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/postgreses - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -44,7 +44,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/mysqls - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -57,7 +57,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/mongodbs - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] 
@@ -70,7 +70,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/redises - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -83,7 +83,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/memcacheds - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -96,7 +96,7 @@ webhooks: namespace: default name: kubernetes path: /apis/mutators.kubedb.com/v1alpha1/etcds - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] diff --git a/chart/kubedb/templates/validating-webhook.yaml b/chart/kubedb/templates/validating-webhook.yaml index 7a1f10879..00ed4ae4a 100644 --- a/chart/kubedb/templates/validating-webhook.yaml +++ b/chart/kubedb/templates/validating-webhook.yaml @@ -18,7 +18,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/elasticsearches - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -31,7 +31,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/postgreses - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -44,7 +44,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/mysqls - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] 
@@ -57,7 +57,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/mongodbs - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -70,7 +70,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/redises - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -83,7 +83,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/memcacheds - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -96,7 +96,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/etcds - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -109,7 +109,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/snapshots - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] @@ -122,7 +122,7 @@ webhooks: namespace: default name: kubernetes path: /apis/validators.kubedb.com/v1alpha1/dormantdatabases - caBundle: {{ default "not-ca-cert" .Values.apiserver.ca | b64enc }} + caBundle: {{ b64enc .Values.apiserver.ca }} rules: - apiGroups: ["kubedb.com"] apiVersions: ["*"] diff --git a/chart/kubedb/values.yaml b/chart/kubedb/values.yaml index 2d1844b3f..6a4bd43a7 100644 --- a/chart/kubedb/values.yaml +++ b/chart/kubedb/values.yaml 
@@ -70,7 +70,7 @@ apiserver: # enableValidatingWebhook is used to configure validating webhook for KubeDB CRDs enableValidatingWebhook: true # CA certificate used by main Kubernetes api server - ca: + ca: not-ca-cert # If true, disables status sub resource for crds. # Otherwise, enables status sub resource for Kubernetes version >= 1.11 and disables for other versions. disableStatusSubresource: false diff --git a/docs/setup/install.md b/docs/setup/install.md index 59cf0e162..b2e4d20af 100644 --- a/docs/setup/install.md +++ b/docs/setup/install.md @@ -129,20 +129,8 @@ NAME CHART VERSION APP VERSION DESCRIPTION appscode/kubedb 0.9.0-beta.0 0.9.0-beta.0 KubeDB by AppsCode - Production ready databases ... appscode/kubedb-catalog 0.9.0-beta.0 0.9.0-beta.0 KubeDB Catalog by AppsCode - Catalog for database versions -# Step 1(a): Kubernetes 1.9.x - 1.10.x $ helm install appscode/kubedb --name kubedb-operator --version 0.9.0-beta.0 \ - --namespace kube-system \ - --set apiserver.ca="$(onessl get kube-ca)" \ - --set apiserver.enableValidatingWebhook=true \ - --set apiserver.enableMutatingWebhook=true - -# Step 1(b): Kubernetes 1.11.0 or later -$ helm install appscode/kubedb --name kubedb-operator --version 0.9.0-beta.0 \ - --namespace kube-system \ - --set apiserver.ca="$(onessl get kube-ca)" \ - --set apiserver.enableValidatingWebhook=true \ - --set apiserver.enableMutatingWebhook=true \ - --set apiserver.enableStatusSubresource=true + --namespace kube-system # Step 2: wait until crds are registered $ kubectl get crds -l app=kubedb -w 
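Review bot: The comment above `ca:` still describes the value as the "CA certificate used by main Kubernetes api server", but the default is now the sentinel `not-ca-cert`, which is not a certificate. State that in the comment, for example `# CA certificate (PEM) of the main Kubernetes api server. The default is a placeholder, not a certificate.` If something replaces the placeholder after install (the RBAC change earlier in this series suggests the operator patches the webhook configurations), name it here so that whoever debugs a failing admission call knows what to check.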
@@ -168,25 +156,6 @@ snapshots.kubedb.com 6s $ helm install appscode/kubedb-catalog --name kubedb-catalog ``` -To install `onessl`, run the following commands: - -```console -# Mac OSX amd64: -curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.7.0/onessl-darwin-amd64 \ - && chmod +x onessl \ - && sudo mv onessl /usr/local/bin/ - -# Linux amd64: -curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.7.0/onessl-linux-amd64 \ - && chmod +x onessl \ - && sudo mv onessl /usr/local/bin/ - -# Linux arm64: -curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.7.0/onessl-linux-arm64 \ - && chmod +x onessl \ - && sudo mv onessl /usr/local/bin/ -``` - To see the detailed configuration options, visit [here](https://github.com/kubedb/cli/tree/master/chart/kubedb).