diff --git a/apis/installer/v1alpha1/kubevault_operator_types.go b/apis/installer/v1alpha1/kubevault_operator_types.go
index 8ed4dc7c..f726e9d7 100644
--- a/apis/installer/v1alpha1/kubevault_operator_types.go
+++ b/apis/installer/v1alpha1/kubevault_operator_types.go
@@ -78,6 +78,8 @@ type KubevaultOperatorSpec struct {
License string `json:"license"`
// +optional
ClusterName string `json:"clusterName"`
+ // +optional
+ RecommendationEngine RecommendationEngineConfig `json:"recommendationEngine"`
}
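Review bot: The new `RecommendationEngine` field is marked `+optional`, but its json tag has no `omitempty` and the field is a value struct, so an unset config is still serialized as a full block of zero values (`recommendationResyncPeriod: 0s`, all three expiry offsets `0`) instead of being left out. If this spec is what renders the chart's flags, that silently replaces the chart default `genRotateTLSRecommendationBeforeExpiryMonth: 1` with `0` for anyone who omits the block; making it `RecommendationEngine *RecommendationEngineConfig` with the tag `json:"recommendationEngine,omitempty"` keeps "unset" distinguishable from "zero" (the generated deepcopy would need regenerating). `KubevaultOperatorSpec` starts before this hunk, so I cannot see whether other struct-valued fields follow the same pattern.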
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -89,3 +91,10 @@ type KubevaultOperatorList struct {
// Items is a list of KubevaultOperator CRD objects
Items []KubevaultOperator `json:"items,omitempty"`
}
+
+type RecommendationEngineConfig struct {
+ RecommendationResyncPeriod metav1.Duration `json:"recommendationResyncPeriod"`
+ GenRotateTLSRecommendationBeforeExpiryYear int `json:"genRotateTLSRecommendationBeforeExpiryYear"`
+ GenRotateTLSRecommendationBeforeExpiryMonth int `json:"genRotateTLSRecommendationBeforeExpiryMonth"`
+ GenRotateTLSRecommendationBeforeExpiryDay int `json:"genRotateTLSRecommendationBeforeExpiryDay"`
+}
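Review bot: `RecommendationEngineConfig` and its four exported fields carry no doc comments and no validation markers, even though the README in this same commit documents each of them. Add a type comment starting with the name and a per-field comment carrying the README text, e.g. `// RecommendationResyncPeriod is how often recommendations are regenerated from the current resource status.`; if the project's schema generator honours kubebuilder markers, the three expiry offsets should also get `// +kubebuilder:validation:Minimum=0`, since a negative offset is meaningless and is currently accepted. The same missing lower bound applies to the `recommendationEngine` integers added in both values.openapiv3_schema.yaml hunks, where a `minimum: 0` would reject it at `helm install` time.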
diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go
index 90f1c17e..b17c1c71 100644
--- a/apis/installer/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go
@@ -426,6 +426,7 @@ func (in *KubevaultOperatorSpec) DeepCopyInto(out *KubevaultOperatorSpec) {
in.ServiceAccount.DeepCopyInto(&out.ServiceAccount)
out.Apiserver = in.Apiserver
in.Monitoring.DeepCopyInto(&out.Monitoring)
+ out.RecommendationEngine = in.RecommendationEngine
return
}
@@ -645,6 +646,23 @@ func (in *Monitoring) DeepCopy() *Monitoring {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RecommendationEngineConfig) DeepCopyInto(out *RecommendationEngineConfig) {
+ *out = *in
+ out.RecommendationResyncPeriod = in.RecommendationResyncPeriod
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecommendationEngineConfig.
+func (in *RecommendationEngineConfig) DeepCopy() *RecommendationEngineConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(RecommendationEngineConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RegistryRef) DeepCopyInto(out *RegistryRef) {
*out = *in
diff --git a/charts/kubevault-operator/README.md b/charts/kubevault-operator/README.md
index 8974a306..80a34c86 100644
--- a/charts/kubevault-operator/README.md
+++ b/charts/kubevault-operator/README.md
@@ -45,38 +45,42 @@ The command removes all the Kubernetes components associated with the chart and
The following table lists the configurable parameters of the `kubevault-operator` chart and their default values.
-| Parameter | Description | Default |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------|
-| nameOverride | Overrides name template | ""
|
-| fullnameOverride | Overrides fullname template | ""
|
-| replicaCount | Number of KubeVault operator replicas to create (only 1 is supported) | 1
|
-| license | License for the product. Get a license by following the steps from [here](https://kubevault.com/docs/latest/setup/install/enterprise/#get-a-trial-license).
Example:
`helm install appscode/kubevault-operator \`
`--set-file license=/path/to/license/file`
`or`
`helm install appscode/kubevault-operator \`
`--set license=` | ""
|
-| registryFQDN | Docker registry fqdn used to pull docker images Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ""
|
-| operator.registry | Docker registry used to pull KubeVault operator image | kubevault
|
-| operator.repository | KubeVault operator container image | vault-operator
|
-| operator.tag | KubeVault operator container image tag | ""
|
-| operator.resources | Compute Resources required by the operator container | {}
|
-| operator.securityContext | requests: cpu: 100m memory: 128Mi Security options the operator container should run with | {}
|
-| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
Example:
`helm template charts/kubevault-operator \`
`--set imagePullSecrets[0].name=sec0 \`
`--set imagePullSecrets[1].name=sec1` | []
|
-| imagePullPolicy | Container image pull policy | IfNotPresent
|
-| criticalAddon | If true, installs KubeVault operator as critical addon | false
|
-| logLevel | Log level for operator | 3
|
-| annotations | Annotations applied to operator deployment | {}
|
-| podAnnotations | Annotations passed to operator pod(s). | {}
|
-| nodeSelector | Node labels for pod assignment | {"kubernetes.io/os":"linux"}
|
-| tolerations | Tolerations for pod assignment | []
|
-| affinity | Affinity rules for pod assignment | {}
|
-| podSecurityContext | Security options the operator pod should run with. | {}
|
-| serviceAccount.create | Specifies whether a service account should be created | true
|
-| serviceAccount.annotations | Annotations to add to the service account | {}
|
-| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
-| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true
|
-| apiserver.healthcheck.enabled | healthcheck configures the readiness and liveliness probes for the operator pod. | true
|
-| apiserver.healthcheck.probePort | The port the probe endpoint binds to | 8081
|
-| monitoring.bindPort | The port the metric endpoint binds to | 8080
|
-| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | ""
|
-| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {}
|
-| clusterName | Name of cluster used in a multi-cluster setup | ""
|
+| Parameter | Description | Default |
+|------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------|
+| nameOverride | Overrides name template | ""
|
+| fullnameOverride | Overrides fullname template | ""
|
+| replicaCount | Number of KubeVault operator replicas to create (only 1 is supported) | 1
|
+| license | License for the product. Get a license by following the steps from [here](https://kubevault.com/docs/latest/setup/install/enterprise/#get-a-trial-license).
Example:
`helm install appscode/kubevault-operator \`
`--set-file license=/path/to/license/file`
`or`
`helm install appscode/kubevault-operator \`
`--set license=` | ""
|
+| registryFQDN | Docker registry fqdn used to pull docker images Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ""
|
+| operator.registry | Docker registry used to pull KubeVault operator image | kubevault
|
+| operator.repository | KubeVault operator container image | vault-operator
|
+| operator.tag | KubeVault operator container image tag | ""
|
+| operator.resources | Compute Resources required by the operator container | {}
|
+| operator.securityContext | requests: cpu: 100m memory: 128Mi Security options the operator container should run with | {}
|
+| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
Example:
`helm template charts/kubevault-operator \`
`--set imagePullSecrets[0].name=sec0 \`
`--set imagePullSecrets[1].name=sec1` | []
|
+| imagePullPolicy | Container image pull policy | IfNotPresent
|
+| criticalAddon | If true, installs KubeVault operator as critical addon | false
|
+| logLevel | Log level for operator | 3
|
+| annotations | Annotations applied to operator deployment | {}
|
+| podAnnotations | Annotations passed to operator pod(s). | {}
|
+| nodeSelector | Node labels for pod assignment | {"kubernetes.io/os":"linux"}
|
+| tolerations | Tolerations for pod assignment | []
|
+| affinity | Affinity rules for pod assignment | {}
|
+| podSecurityContext | Security options the operator pod should run with. | {}
|
+| serviceAccount.create | Specifies whether a service account should be created | true
|
+| serviceAccount.annotations | Annotations to add to the service account | {}
|
+| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
+| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true
|
+| apiserver.healthcheck.enabled | healthcheck configures the readiness and liveliness probes for the operator pod. | true
|
+| apiserver.healthcheck.probePort | The port the probe endpoint binds to | 8081
|
+| monitoring.bindPort | The port the metric endpoint binds to | 8080
|
+| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | ""
|
+| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {}
|
+| clusterName | Name of cluster used in a multi-cluster setup | ""
|
+| recommendationEngine.recommendationResyncPeriod | Recommendation will be generated after every given duration based on the resource status at that moment. Default value is one hour. The flag accepts a integer 64 bit value in nanosecond for time.Duration. Ref: https://pkg.go.dev/time#Duration | 1h0m0s
|
+| recommendationEngine.genRotateTLSRecommendationBeforeExpiryYear | Rotate TLS recommendation will be generated before given year of expiration. It also depends on gen-rotate-tls-recommendation-before-expiry-month and gen-rotate-tls-recommendation-before-expiry-year. Default values are 0(zero) for gen-rotate-tls-recommendation-before-expiry-year, 1(one) for gen-rotate-tls-recommendation-before-expiry-month, 0(zero) for gen-rotate-tls-recommendation-before-expiry-day flags. | 0
|
+| recommendationEngine.genRotateTLSRecommendationBeforeExpiryMonth | Rotate TLS recommendation will be generated before given month of expiration. It also depends on gen-rotate-tls-recommendation-before-expiry-year and gen-rotate-tls-recommendation-before-expiry-day flag. By default it is set as 1(one). | 1
|
+| recommendationEngine.genRotateTLSRecommendationBeforeExpiryDay | Rotate TLS recommendation will be generated before given day of expiration. It also depends on gen-rotate-tls-recommendation-before-expiry-year and gen-rotate-tls-recommendation-before-expiry-month flag. By default it is set as 0(zero). | 0
|
Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
diff --git a/charts/kubevault-operator/crds/supervisor.appscode.com_recommendations.yaml b/charts/kubevault-operator/crds/supervisor.appscode.com_recommendations.yaml
new file mode 100644
index 00000000..29659a34
--- /dev/null
+++ b/charts/kubevault-operator/crds/supervisor.appscode.com_recommendations.yaml
@@ -0,0 +1,365 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: recommendations.supervisor.appscode.com
+spec:
+ group: supervisor.appscode.com
+ names:
+ kind: Recommendation
+ listKind: RecommendationList
+ plural: recommendations
+ singular: recommendation
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.phase
+ name: Status
+ type: string
+ - jsonPath: .status.outdated
+ name: Outdated
+ type: boolean
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: Recommendation is the Schema for the recommendations API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: RecommendationSpec defines the desired state of Recommendation
+ properties:
+ backoffLimit:
+ description: BackoffLimit specifies the number of retries before marking
+ this recommendation failed. By default set as five(5). If BackoffLimit
+ is zero(0), the operation will be tried to executed only once.
+ format: int32
+ maximum: 10
+ minimum: 0
+ type: integer
+ deadline:
+ description: The recommendation will be executed within the given
+ Deadline. To maintain deadline, Parallelism can be compromised.
+ format: date-time
+ type: string
+ description:
+ description: Description specifies the reason why this recommendation
+ is generated.
+ type: string
+ operation:
+ description: Operation holds a kubernetes object yaml which will be
+ applied when this recommendation will be executed. It should be
+ a valid kubernetes resource yaml containing apiVersion, kind and
+ metadata fields.
+ type: object
+ x-kubernetes-embedded-resource: true
+ x-kubernetes-preserve-unknown-fields: true
+ recommender:
+ description: Recommender holds the name and namespace of the component
+ which generate this recommendation.
+ properties:
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ namespace:
+ description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ type: string
+ required:
+ - name
+ type: object
+ requireExplicitApproval:
+ description: If RequireExplicitApproval is set to `true` then the
+ Recommendation must be Approved manually. Recommendation won't be
+ executed without manual approval and any kind of ApprovalPolicy
+ will be ignored.
+ type: boolean
+ rules:
+ description: 'Rules defines OperationPhaseRules. It contains three
+ identification rules of successful execution of the operation, progressing
+ execution of the operation & failed execution of the operation.
+ Example: rules: success: `has(self.status.phase) && self.status.phase
+ == ''Successful''` inProgress: `has(self.status.phase) && self.status.phase
+ == ''Progressing''` failed: `has(self.status.phase) && self.status.phase
+ == ''Failed''`'
+ properties:
+ failed:
+ description: 'Failed defines a rule to identify that applied operation
+ is failed. Example: inProgress: `has(self.status.phase) && self.status.phase
+ == ''Failed''` Here self.status.phase is pointing to .status.phase
+ field of the Operation object. When .status.phase field presents
+ and becomes `Failed`, the Failed rule will satisfy.'
+ type: string
+ inProgress:
+ description: 'InProgress defines a rule to identify that applied
+ operation is progressing. Example: inProgress: `has(self.status.phase)
+ && self.status.phase == ''Progressing''` Here self.status.phase
+ is pointing to .status.phase field of the Operation object.
+ When .status.phase field presents and becomes `Progressing`,
+ the InProgress rule will satisfy.'
+ type: string
+ success:
+ description: 'Success defines a rule to identify the successful
+ execution of the operation. Example: success: `has(self.status.phase)
+ && self.status.phase == ''Successful''` Here self.status.phase
+ is pointing to .status.phase field of the Operation object.
+ When .status.phase field presents and becomes `Successful`,
+ the Success rule will satisfy.'
+ type: string
+ required:
+ - failed
+ - inProgress
+ - success
+ type: object
+ target:
+ description: Target specifies the APIGroup, Kind & Name of the target
+ resource for which the recommendation is generated
+ properties:
+ apiGroup:
+ description: APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in
+ the core API group. For any other third-party types, APIGroup
+ is required.
+ type: string
+ kind:
+ description: Kind is the type of resource being referenced
+ type: string
+ name:
+ description: Name is the name of resource being referenced
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ required:
+ - operation
+ - recommender
+ - rules
+ - target
+ type: object
+ status:
+ description: RecommendationStatus defines the observed state of Recommendation
+ properties:
+ approvalStatus:
+ default: Pending
+ description: 'Specifies the Approval Status of the Recommendation.
+ Possible values are `Pending`, `Approved`, `Rejected` Pending: Recommendation
+ is yet to Approved or Rejected Approved: Recommendation is permitted
+ to execute. Rejected: Recommendation is rejected and never be executed.'
+ enum:
+ - Pending
+ - Approved
+ - Rejected
+ type: string
+ approvedWindow:
+ description: ApprovedWindow specifies the time window configuration
+ for the Recommendation execution.
+ properties:
+ dates:
+ description: Dates holds a list of DateWindow when Recommendation
+ is permitted to execute
+ items:
+ properties:
+ end:
+ format: date-time
+ type: string
+ start:
+ format: date-time
+ type: string
+ required:
+ - end
+ - start
+ type: object
+ type: array
+ maintenanceWindow:
+ description: MaintenanceWindow holds the reference of the MaintenanceWindow
+ resource
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ namespace:
+ description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+ type: string
+ required:
+ - name
+ type: object
+ window:
+ description: 'Window defines the ApprovedWindow type Possible
+ values are: Immediate: Recommendation will be executed immediately
+ NextAvailable: Recommendation will be executed in the next Available
+ window SpecificDates: Recommendation will be executed in the
+ given dates.'
+ enum:
+ - Immediate
+ - NextAvailable
+ - SpecificDates
+ type: string
+ type: object
+ comments:
+ description: Specifies Reviewer's comment.
+ type: string
+ conditions:
+ description: Conditions applied to the Recommendation.
+ items:
+ properties:
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another. This should be when the underlying condition changed. If
+ that is not known, then using the time when the API field
+ changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: A human readable message indicating details about
+ the transition. This field may be empty.
+ type: string
+ observedGeneration:
+ description: If set, this represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.condition[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ type: integer
+ reason:
+ description: The reason for the condition's last transition
+ in CamelCase. The specific API may choose whether or not this
+ field is considered a guaranteed API. This field may not be
+ empty.
+ type: string
+ status:
+ description: Status of the condition, one of True, False, Unknown.
+ type: string
+ type:
+ description: Type of condition in CamelCase or in foo.example.com/CamelCase.
+ Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important.
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ createdOperationRef:
+ description: CreatedOperationRef holds the created operation name.
+ properties:
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ type: object
+ failedAttempt:
+ default: 0
+ description: FailedAttempt holds the number of times the operation
+ is failed.
+ format: int32
+ type: integer
+ observedGeneration:
+ description: observedGeneration is the most recent generation observed
+ for this resource. It corresponds to the resource's generation,
+ which is updated on mutation by the API Server.
+ format: int64
+ type: integer
+ outdated:
+ default: false
+ description: Outdated is indicating details whether the Recommendation
+ is outdated or not. If the value is `true`, then Recommendation
+ will not be executed. This indicates that after generating the Recommendation,
+ the targeted resource is changed in such a way that the generated
+ Recommendation has become outdated & can't be executed anymore.
+ type: boolean
+ parallelism:
+ default: Namespace
+ description: 'Parallelism imposes some restriction to Recommendation
+ execution. Possible values are: Namespace: Only one Recommendation
+ can be executed at a time in a namespace. Target: Only one Recommendation
+ for a given target can be executed at a time. TargetAndNamespace:
+ Only one Recommendation for a given target can be executed at a
+ time in a namespace.'
+ enum:
+ - Namespace
+ - Target
+ - TargetAndNamespace
+ type: string
+ phase:
+ description: 'Specifies the Recommendation current phase. Possible
+ values are: Pending : Recommendation misses at least one pre-requisite
+ for executing the operation. It also tells that some user action
+ is needed. Skipped : Operation is skipped because of Rejection ApprovalStatus.
+ Waiting : Recommendation is waiting for the MaintenanceWindow to
+ execute the operation or waiting for others Recommendation to complete
+ far maintaining Parallelism. InProgress : The operation execution
+ is successfully started and waiting for its final status. Succeeded
+ : Operation has been successfully executed. Failed : Operation execution
+ has not completed successfully i.e. encountered an error'
+ enum:
+ - Pending
+ - Skipped
+ - Waiting
+ - InProgress
+ - Succeeded
+ - Failed
+ type: string
+ reason:
+ default: WaitingForApproval
+ description: A message indicating details about Recommendation current
+ phase.
+ type: string
+ reviewTimestamp:
+ description: Contains review timestamp
+ format: date-time
+ type: string
+ reviewer:
+ description: Specifies Reviewer's details.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
+ for User and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values defined by
+ this API group are "User", "Group", and "ServiceAccount". If
+ the Authorizer does not recognized the kind value, the Authorizer
+ should report an error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If the object
+ kind is non-namespace, such as "User" or "Group", and this value
+ is not empty the Authorizer should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/charts/kubevault-operator/templates/cluster-role.yaml b/charts/kubevault-operator/templates/cluster-role.yaml
index e75f0f0b..820b6e48 100644
--- a/charts/kubevault-operator/templates/cluster-role.yaml
+++ b/charts/kubevault-operator/templates/cluster-role.yaml
@@ -115,4 +115,8 @@ rules:
- policy
resources:
- poddisruptionbudgets
- verbs: ["get", "list", "create", "delete", "patch", "deletecollection"]
\ No newline at end of file
+ verbs: ["get", "list", "create", "delete", "patch", "deletecollection"]
+- apiGroups:
+ - supervisor.appscode.com
+ resources: ["*"]
+ verbs: ["create", "get", "list", "watch", "update", "patch"]
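Review bot: The new rule grants `resources: ["*"]` in `supervisor.appscode.com`, while the only kind this commit vendors is `recommendations` (with a `status` subresource); enumerating what the operator actually touches keeps the ClusterRole at least privilege and makes the grant auditable. Suggest `resources: ["recommendations", "recommendations/status"]`, adding further kinds explicitly only if the operator reads them (the CRD references a MaintenanceWindow, for example). Whether `update`/`patch` on `recommendations/status` is needed depends on whether the operator writes status rather than only creating recommendations, which this diff does not show.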
diff --git a/charts/kubevault-operator/templates/deployment.yaml b/charts/kubevault-operator/templates/deployment.yaml
index b730a1ce..bade06fc 100644
--- a/charts/kubevault-operator/templates/deployment.yaml
+++ b/charts/kubevault-operator/templates/deployment.yaml
@@ -45,6 +45,12 @@ spec:
- --cluster-name={{ .Values.clusterName }}
- --metrics-bind-address=:{{ .Values.monitoring.bindPort }}
- --health-probe-bind-address=:{{ .Values.apiserver.healthcheck.probePort }}
+ {{- with .Values.recommendationEngine }}
+ - --recommendation-resync-period={{ .recommendationResyncPeriod }}
+ - --gen-rotate-tls-recommendation-before-expiry-year={{ .genRotateTLSRecommendationBeforeExpiryYear }}
+ - --gen-rotate-tls-recommendation-before-expiry-month={{ .genRotateTLSRecommendationBeforeExpiryMonth }}
+ - --gen-rotate-tls-recommendation-before-expiry-day={{ .genRotateTLSRecommendationBeforeExpiryDay }}
+ {{- end }}
{{- if include "appscode.license" . }}
- --license-file=/var/run/secrets/appscode/license/key.txt
{{- end }}
diff --git a/charts/kubevault-operator/values.openapiv3_schema.yaml b/charts/kubevault-operator/values.openapiv3_schema.yaml
index e918a3ca..87a4cecd 100644
--- a/charts/kubevault-operator/values.openapiv3_schema.yaml
+++ b/charts/kubevault-operator/values.openapiv3_schema.yaml
@@ -1153,6 +1153,22 @@ properties:
type: string
type: object
type: object
+ recommendationEngine:
+ properties:
+ genRotateTLSRecommendationBeforeExpiryDay:
+ type: integer
+ genRotateTLSRecommendationBeforeExpiryMonth:
+ type: integer
+ genRotateTLSRecommendationBeforeExpiryYear:
+ type: integer
+ recommendationResyncPeriod:
+ type: string
+ required:
+ - genRotateTLSRecommendationBeforeExpiryDay
+ - genRotateTLSRecommendationBeforeExpiryMonth
+ - genRotateTLSRecommendationBeforeExpiryYear
+ - recommendationResyncPeriod
+ type: object
registryFQDN:
type: string
replicaCount:
diff --git a/charts/kubevault-operator/values.yaml b/charts/kubevault-operator/values.yaml
index c9e7a3ac..2751388f 100644
--- a/charts/kubevault-operator/values.yaml
+++ b/charts/kubevault-operator/values.yaml
@@ -97,3 +97,21 @@ monitoring:
labels: {}
# Name of cluster used in a multi-cluster setup
clusterName: ""
+recommendationEngine:
+ # Recommendation will be generated after every given duration based on the resource status at that moment.
+ # Default value is one hour.
+ # The flag accepts a integer 64 bit value in nanosecond for time.Duration. Ref: https://pkg.go.dev/time#Duration
+ recommendationResyncPeriod: 1h0m0s
+ # Rotate TLS recommendation will be generated before given year of expiration.
+ # It also depends on gen-rotate-tls-recommendation-before-expiry-month and gen-rotate-tls-recommendation-before-expiry-year.
+ # Default values are 0(zero) for gen-rotate-tls-recommendation-before-expiry-year, 1(one) for gen-rotate-tls-recommendation-before-expiry-month,
+ # 0(zero) for gen-rotate-tls-recommendation-before-expiry-day flags.
+ genRotateTLSRecommendationBeforeExpiryYear: 0
+ # Rotate TLS recommendation will be generated before given month of expiration.
+ # It also depends on gen-rotate-tls-recommendation-before-expiry-year and gen-rotate-tls-recommendation-before-expiry-day flag.
+ # By default it is set as 1(one).
+ genRotateTLSRecommendationBeforeExpiryMonth: 1
+ # Rotate TLS recommendation will be generated before given day of expiration.
+ # It also depends on gen-rotate-tls-recommendation-before-expiry-year and gen-rotate-tls-recommendation-before-expiry-month flag.
+ # By default it is set as 0(zero).
+ genRotateTLSRecommendationBeforeExpiryDay: 0
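Review bot: The comment on `recommendationResyncPeriod` says the flag "accepts a integer 64 bit value in nanosecond", but the default directly below it is the duration string `1h0m0s` and the values schema in this commit declares the key as `type: string`; someone who follows the comment and sets a bare integer gets a value a standard Go duration flag rejects for a missing unit. Replace that line with `# Accepts a Go duration string such as 30m or 1h0m0s. Ref: https://pkg.go.dev/time#Duration`. The year comment also names `...-before-expiry-month and ...-before-expiry-year` as its dependencies when it presumably means `-month` and `-day`; the same wording was copied into the README table.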
diff --git a/charts/kubevault/values.openapiv3_schema.yaml b/charts/kubevault/values.openapiv3_schema.yaml
index c5399c69..b354c1bf 100644
--- a/charts/kubevault/values.openapiv3_schema.yaml
+++ b/charts/kubevault/values.openapiv3_schema.yaml
@@ -1263,6 +1263,22 @@ properties:
type: string
type: object
type: object
+ recommendationEngine:
+ properties:
+ genRotateTLSRecommendationBeforeExpiryDay:
+ type: integer
+ genRotateTLSRecommendationBeforeExpiryMonth:
+ type: integer
+ genRotateTLSRecommendationBeforeExpiryYear:
+ type: integer
+ recommendationResyncPeriod:
+ type: string
+ required:
+ - genRotateTLSRecommendationBeforeExpiryDay
+ - genRotateTLSRecommendationBeforeExpiryMonth
+ - genRotateTLSRecommendationBeforeExpiryYear
+ - recommendationResyncPeriod
+ type: object
registryFQDN:
type: string
replicaCount:
diff --git a/hack/scripts/import-crds.sh b/hack/scripts/import-crds.sh
index 76217628..d2ec10cf 100755
--- a/hack/scripts/import-crds.sh
+++ b/hack/scripts/import-crds.sh
@@ -76,3 +76,7 @@ crd-importer \
crd-importer \
--input=https://github.com/kubernetes-sigs/secrets-store-csi-driver/raw/v1.1.2/config/crd/bases/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml \
--out=./charts/secrets-store-reader/crds
+
+crd-importer \
+ --input=https://github.com/kubeops/supervisor/raw/v0.0.1/crds/supervisor.appscode.com_recommendations.yaml \
+ --out=./charts/kubevault-operator/crds
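Review bot: The new `crd-importer` input is fetched from the mutable tag `v0.0.1` of a raw GitHub URL, so the CRD vendored into `charts/kubevault-operator/crds` is not reproducible if the tag is ever moved; pinning the URL to the commit SHA the tag resolves to, or recording the expected checksum of the fetched file, would make the import verifiable. This follows the convention of the existing entries in the script, so it is a file-wide improvement rather than a blocker for this line.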