From 0869192125b018c64e5120c59b0fa0ffdda8e734 Mon Sep 17 00:00:00 2001 
From: Jonathan Hess Date: Tue, 17 Oct 2023 13:00:27 -0600 Subject: [PATCH] wip: Add helm configuration for the operator --- Makefile | 25 + config/crd/bases/_.yaml | 25 + helm/cloud-sql-operator-crds/.helmignore | 23 + helm/cloud-sql-operator-crds/Chart.yaml | 38 + ...xyworkloads.cloudsql.cloud.google.com.yaml | 1867 +++++++++++++++++ helm/cloud-sql-operator-crds/values.yaml | 16 + helm/cloud-sql-operator/Chart.yaml | 31 +- helm/cloud-sql-operator/csql-icon.webp | Bin 0 -> 1770 bytes .../templates/Certificate-serving-cert.yaml | 27 + .../templates/ClusterRole-manager-role.yaml | 91 + .../templates/ClusterRole-metrics-reader.yaml | 23 + .../templates/ClusterRole-proxy-role.yaml | 31 + ...lusterRoleBinding-manager-rolebinding.yaml | 26 + .../ClusterRoleBinding-proxy-rolebinding.yaml | 26 + .../templates/ConfigMap-manager-config.yaml | 41 + .../templates/Issuer-selfsigned-issuer.yaml | 21 + ...n-mutating-core-webhook-configuration.yaml | 43 + ...ration-mutating-webhook-configuration.yaml | 41 + helm/cloud-sql-operator/templates/NOTES.txt | 24 +- .../templates/Role-leader-election-role.yaml | 51 + ...leBinding-leader-election-rolebinding.yaml | 27 + ...ce-controller-manager-metrics-service.yaml | 29 + .../templates/Service-webhook-service.yaml | 26 + .../ServiceAccount-controller-manager.yaml | 19 + ...tion-validating-webhook-configuration.yaml | 41 + .../templates/deployment.yaml | 121 +- helm/cloud-sql-operator/templates/hpa.yaml | 32 - .../cloud-sql-operator/templates/ingress.yaml | 61 - .../cloud-sql-operator/templates/service.yaml | 15 - .../templates/serviceaccount.yaml | 13 - .../templates/tests/test-connection.yaml | 15 - helm/cloud-sql-operator/values.yaml | 82 +- tools/build-identifier.sh | 17 +- tools/helm-install-operator.sh | 65 + tools/install_to_helm.go | 121 ++ 35 files changed, 2897 insertions(+), 257 deletions(-) create mode 100644 config/crd/bases/_.yaml create mode 100644 helm/cloud-sql-operator-crds/.helmignore create mode 100644 
helm/cloud-sql-operator-crds/Chart.yaml create mode 100644 helm/cloud-sql-operator-crds/templates/CustomResourceDefinition-authproxyworkloads.cloudsql.cloud.google.com.yaml create mode 100644 helm/cloud-sql-operator-crds/values.yaml create mode 100644 helm/cloud-sql-operator/csql-icon.webp create mode 100644 helm/cloud-sql-operator/templates/Certificate-serving-cert.yaml create mode 100644 helm/cloud-sql-operator/templates/ClusterRole-manager-role.yaml create mode 100644 helm/cloud-sql-operator/templates/ClusterRole-metrics-reader.yaml create mode 100644 helm/cloud-sql-operator/templates/ClusterRole-proxy-role.yaml create mode 100644 helm/cloud-sql-operator/templates/ClusterRoleBinding-manager-rolebinding.yaml create mode 100644 helm/cloud-sql-operator/templates/ClusterRoleBinding-proxy-rolebinding.yaml create mode 100644 helm/cloud-sql-operator/templates/ConfigMap-manager-config.yaml create mode 100644 helm/cloud-sql-operator/templates/Issuer-selfsigned-issuer.yaml create mode 100644 helm/cloud-sql-operator/templates/MutatingWebhookConfiguration-mutating-core-webhook-configuration.yaml create mode 100644 helm/cloud-sql-operator/templates/MutatingWebhookConfiguration-mutating-webhook-configuration.yaml create mode 100644 helm/cloud-sql-operator/templates/Role-leader-election-role.yaml create mode 100644 helm/cloud-sql-operator/templates/RoleBinding-leader-election-rolebinding.yaml create mode 100644 helm/cloud-sql-operator/templates/Service-controller-manager-metrics-service.yaml create mode 100644 helm/cloud-sql-operator/templates/Service-webhook-service.yaml create mode 100644 helm/cloud-sql-operator/templates/ServiceAccount-controller-manager.yaml create mode 100644 helm/cloud-sql-operator/templates/ValidatingWebhookConfiguration-validating-webhook-configuration.yaml delete mode 100644 helm/cloud-sql-operator/templates/hpa.yaml delete mode 100644 helm/cloud-sql-operator/templates/ingress.yaml delete mode 100644 helm/cloud-sql-operator/templates/service.yaml 
delete mode 100644 helm/cloud-sql-operator/templates/serviceaccount.yaml delete mode 100644 helm/cloud-sql-operator/templates/tests/test-connection.yaml create mode 100755 tools/helm-install-operator.sh create mode 100644 tools/install_to_helm.go diff --git a/Makefile b/Makefile index 6e9a3a57..b02368b2 100644 --- a/Makefile +++ b/Makefile @@ -243,6 +243,31 @@ installer/install.sh: ## Build install shell script to deploy the operator sed 's/__VERSION__/v$(VERSION)/g' | \ sed 's/__CERT_MANAGER_VERSION__/$(CERT_MANAGER_VERSION)/g' > $@ +## +# Update helm chart +.PHONY: helm_generate +helm_generate: helm installer/cloud-sql-proxy-operator.yaml bin/install_to_helm + bin/install_to_helm \ + -installYaml=installer/cloud-sql-proxy-operator.yaml \ + -operatorChartDir=helm/cloud-sql-operator + -crdChartDir=helm/cloud-sql-operator-crds + +.PHONY: helm_e2e_build_deploy +helm_e2e_build_deploy: helm e2e_image_push e2e_cert_manager_deploy helm_e2e_install + +.PHONY: helm_e2e_install +helm_e2e_install: helm + KUBECONFIG_E2E=$(KUBECONFIG_E2E) \ + PRIVATE_KUBECONFIG_E2E=$(PRIVATE_KUBECONFIG_E2E) \ + E2E_OPERATOR_URL=$(E2E_OPERATOR_URL) \ + tools/helm-install-operator.sh + +.PHONY: helm_lint +helm_lint: helm + helm lint helm/cloud-sql-operator + +bin/install_to_helm: tools/install_to_helm.go + go build -o $@ $< ## ##@ Google Cloud End to End Test diff --git a/config/crd/bases/_.yaml b/config/crd/bases/_.yaml new file mode 100644 index 00000000..109558d8 --- /dev/null +++ b/config/crd/bases/_.yaml 
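Review bot: In the new `helm_generate` recipe the `-operatorChartDir=helm/cloud-sql-operator` line has no trailing backslash (as rendered here; the two lines above it do), so the `bin/install_to_helm` command ends there and `-crdChartDir=helm/cloud-sql-operator-crds` becomes a recipe line of its own. Make strips a leading `-` as its ignore-errors prefix and the shell then sees a plain variable assignment, so the step succeeds silently while the CRD chart directory is never passed to the generator and the CRD chart is not regenerated. Change the line to `	  -operatorChartDir=helm/cloud-sql-operator \`. Separately, `helm_lint` only lints `helm/cloud-sql-operator`; the new CRD chart added in this commit should be covered too, e.g. `	helm lint helm/cloud-sql-operator helm/cloud-sql-operator-crds`.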
@@ -0,0 +1,25 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null diff --git a/helm/cloud-sql-operator-crds/.helmignore b/helm/cloud-sql-operator-crds/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/helm/cloud-sql-operator-crds/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/cloud-sql-operator-crds/Chart.yaml b/helm/cloud-sql-operator-crds/Chart.yaml new file mode 100644 index 00000000..a0cd1ea3 --- /dev/null +++ b/helm/cloud-sql-operator-crds/Chart.yaml 
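Review bot: `config/crd/bases/_.yaml` declares a CustomResourceDefinition with `group: ""`, empty `kind`/`plural`/`scope` and `versions: null`, which looks like stray controller-gen output for a type without a proper group/kind marker rather than a real CRD (the `_` file name is the usual sign of that). The API server rejects a CRD with an empty group and no versions, so if the `config/crd` kustomization globs the bases directory this file would break `make install` and the generated installer manifest. Suggest dropping the file from the commit and tracking down which type's kubebuilder markers produce it, rather than shipping it alongside the real `authproxyworkloads` CRD.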
@@ -0,0 +1,38 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: cloud-sql-operator-crds +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.2.0" 
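Review bot: `description: A Helm chart for Kubernetes` in the new `helm/cloud-sql-operator-crds/Chart.yaml` is the `helm create` placeholder, as are the surrounding explanatory comments, and it is what users will see in `helm search` and the repository index. Suggest `description: CustomResourceDefinitions for the Cloud SQL Proxy Operator` and trimming the scaffold comments. It is also worth confirming that `version: 0.1.0` and `appVersion: "1.2.0"` are meant to track the operator chart's own versions, since the two charts are installed together and a CRD chart that drifts from the operator version is hard to diagnose.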
diff --git a/helm/cloud-sql-operator-crds/templates/CustomResourceDefinition-authproxyworkloads.cloudsql.cloud.google.com.yaml b/helm/cloud-sql-operator-crds/templates/CustomResourceDefinition-authproxyworkloads.cloudsql.cloud.google.com.yaml new file mode 100644 index 00000000..033d36b5 --- /dev/null +++ b/helm/cloud-sql-operator-crds/templates/CustomResourceDefinition-authproxyworkloads.cloudsql.cloud.google.com.yaml 
@@ -0,0 +1,1867 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: {{ .Values.operatorNamespace }}/{{ .Values.operatorName }}-serving-cert + controller-gen.kubebuilder.io/version: v0.13.0 + name: authproxyworkloads.cloudsql.cloud.google.com +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: {{ .Values.operatorName }}-webhook-service + namespace: {{ .Values.operatorNamespace }} + path: /convert + conversionReviewVersions: + - v1 + group: cloudsql.cloud.google.com + names: + kind: AuthProxyWorkload + listKind: AuthProxyWorkloadList + plural: authproxyworkloads + singular: authproxyworkload + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AuthProxyWorkload declares how a Cloud SQL Proxy container should + be applied to a matching set of workloads, and shows the status of those + proxy containers. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AuthProxyWorkloadSpec describes where and how to configure + the proxy. + properties: + authProxyContainer: + description: AuthProxyContainer describes the resources and config + for the Auth Proxy container. + properties: + adminServer: + description: AdminServer specifies the config for the proxy's + admin service which is available to other containers in the + same pod. + properties: + enableAPIs: + description: 'EnableAPIs specifies the list of admin APIs + to enable. At least one API must be enabled. Possible values: + - "Debug" will enable pprof debugging by setting the `--debug` + cli flag. - "QuitQuitQuit" will enable pprof debugging by + setting the `--quitquitquit` cli flag.' + items: + type: string + minItems: 1 + type: array + port: + description: Port the port for the proxy's localhost-only + admin server. This sets the proxy container's CLI argument + `--admin-port` + format: int32 + minimum: 1 + type: integer + type: object + container: + description: Container is debugging parameter that when specified + will override the proxy container with a completely custom Container + spec. + properties: + args: + description: 'Arguments to the entrypoint. The container image''s + CMD is used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s environment. + If a variable cannot be resolved, the reference in the input + string will be unchanged. 
Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of + whether the variable exists or not. Cannot be updated. More + info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. + The container image''s ENTRYPOINT is used if this is not + provided. Variable references $(VAR_NAME) are expanded using + the container''s environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". Escaped references will + never be expanded, regardless of whether the variable exists + or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. + Cannot be updated. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables + in the container and any service environment variables. + If a variable cannot be resolved, the reference in + the input string will be unchanged. Double $$ are + reduced to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". 
Escaped references + will never be expanded, regardless of whether the + variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables + in the container. The keys defined within a source must + be a C_IDENTIFIER. All invalid keys will be reported as + an event when the container is starting. When a key exists + in multiple sources, the value associated with the last + source will take precedence. Values defined by an Env with + a duplicate key will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of a set + of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each + key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management + to default or override container images in workload controllers + like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take + in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a + container is created. If the handler fails, the container + is terminated and restarted according to its restart + policy. Other management of the container blocks until + the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute + inside the container, the working directory + for the command is root ('/') in the container's + filesystem. The command is simply exec'd, it + is not run inside a shell, so traditional shell + instructions ('|', etc) won't work. To use a + shell, you need to explicitly call out to that + shell. Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to + perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This + will be canonicalized upon output, so + case-variant names will be understood + as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of this field + and lifecycle hooks will fail in runtime when tcp + handler is specified. 
+ properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container + is terminated due to an API request or management event + such as liveness/startup probe failure, preemption, + resource contention, etc. The handler is not called + if the container crashes or exits. The Pod''s termination + grace period countdown begins before the PreStop hook + is executed. Regardless of the outcome of the handler, + the container will eventually terminate within the Pod''s + termination grace period (unless delayed by finalizers). + Other management of the container blocks until the hook + completes or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory + for the command is root ('/') in the container's + filesystem. The command is simply exec'd, it + is not run inside a shell, so traditional shell + instructions ('|', etc) won't work. To use a + shell, you need to explicitly call out to that + shell. Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to + perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. 
+ type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This + will be canonicalized upon output, so + case-variant names will be understood + as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of this field + and lifecycle hooks will fail in runtime when tcp + handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container + will be restarted if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', + etc) won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. If this value is nil, + the pod's terminationGracePeriodSeconds will be used. 
+ Otherwise, this value overrides the value provided by + the pod spec. Value must be non-negative integer. The + value zero indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta field + and requires enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Not + specifying a port here DOES NOT prevent that port from being + exposed. Any port which is listening on the default "0.0.0.0" + address inside a container will be accessible from the network. + Modifying this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port in + a single container. + properties: + containerPort: + description: Number of port to expose on the pod's IP + address. This must be a valid port number, 0 < x < + 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port + to. + type: string + hostPort: + description: Number of port to expose on the host. If + specified, this must be a valid port number, 0 < x + < 65536. If HostNetwork is specified, this must match + ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. 
Each named port in a pod + must have a unique name. Name for the port that can + be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or + SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if the + probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', + etc) won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. 
+ properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. If this value is nil, + the pod's terminationGracePeriodSeconds will be used. + Otherwise, this value overrides the value provided by + the pod spec. Value must be non-negative integer. The + value zero indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta field + and requires enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents resource resize + policy for the container. + properties: + resourceName: + description: 'Name of the resource to which this resource + resize policy applies. Supported values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when specified + resource is resized. 
If not specified, it defaults + to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. 
+ Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restartPolicy: + description: 'RestartPolicy defines the restart behavior of + individual containers in a pod. This field may only be set + for init containers, and the only allowed value is "Always". + For non-init containers or when this field is not specified, + the restart behavior is defined by the Pod''s restart policy + and the container type. Setting the RestartPolicy as "Always" + for the init container will have the following effect: this + init container will be continually restarted on exit until + all regular containers have terminated. Once all regular + containers have completed, all init containers with restartPolicy + "Always" will be shut down. This lifecycle differs from + normal init containers and is often referred to as a "sidecar" + container. Although this init container still starts in + the init container sequence, it does not wait for the container + to complete before proceeding to the next init container. + Instead, the next init container starts immediately after + this init container is started, or after any startupProbe + has successfully completed.' + type: string + securityContext: + description: 'SecurityContext defines the security options + the container should be run with. If set, the fields of + SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether + a process can gain more privileges than its parent process. + This bool directly controls if the no_new_privs flag + will be set on the container process. 
AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be + set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that this + field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc mount + to use for the containers. The default is DefaultProcMount + which uses the container runtime defaults for readonly + paths and masked paths. This requires the ProcMountType + feature flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root + filesystem. Default is false. Note that this field cannot + be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set + when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as + a non-root user. If true, the Kubelet will validate + the image at runtime to ensure that it does not run + as UID 0 (root) and fail to start the container if it + does. If unset or false, no such validation will be + performed. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the + container. If unspecified, the container runtime will + allocate a random SELinux context for each container. May + also be set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set + when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & container + level, the container options override the pod options. 
+ Note that this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. The + profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's + configured seccomp profile location. Must be set + if type is "Localhost". Must NOT be set for any + other type. + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: \n Localhost + - a profile defined in a file on the node should + be used. RuntimeDefault - the container runtime + default profile should be used. Unconfined - no + profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to + all containers. If unspecified, the options from the + PodSecurityContext will be used. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set + when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA + admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec + named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. All + of a Pod's containers must have the same effective + HostProcess value (it is not allowed to have a mix + of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork + must also be set to true. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully + initialized. If specified, no other probes are executed + until this completes successfully. If this probe fails, + the Pod will be restarted, just as if the livenessProbe + failed. This can be used to provide different probe parameters + at the beginning of a Pod''s lifecycle, when it might take + a long time to load data or warm a cache, than during steady-state + operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', + etc) won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. If this value is nil, + the pod's terminationGracePeriodSeconds will be used. + Otherwise, this value overrides the value provided by + the pod spec. Value must be non-negative integer. The + value zero indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta field + and requires enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer + for stdin in the container runtime. 
If this is not set, + reads from stdin in the container will always result in + EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the + stdin channel after it has been opened by a single attach. + When stdin is true the stdin stream will remain open across + multiple attach sessions. If stdinOnce is set to true, stdin + is opened on container start, is empty until the first client + attaches to stdin, and then remains open and accepts data + until the client disconnects, at which time stdin is closed + and remains closed until the container is restarted. If + this flag is false, a container processes that reads from + stdin will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the + container''s termination message will be written is mounted + into the container''s filesystem. Message written is intended + to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. + The total message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be + populated. File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. FallbackToLogsOnError will use the last chunk + of container log output if the termination message file + is empty and the container exited with an error. The log + output is limited to 2048 bytes or 80 lines, whichever is + smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate a TTY + for itself, also requires 'stdin' to be true. Default is + false. 
+ type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to + be used by the container. + items: + description: volumeDevice describes a mapping of a raw block + device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container + that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. + Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: Path within the container at which the + volume should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts + are propagated from the host to container and the + other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise + (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's + volume should be mounted. Defaults to "" (volume's + root). + type: string + subPathExpr: + description: Expanded path within the volume from which + the container's volume should be mounted. Behaves + similarly to SubPath but environment variable references + $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr and SubPath + are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. 
If not specified, + the container runtime's default will be used, which might + be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + image: + description: "Image is the URL to the proxy image. Optional, by + default the operator will use the latest Cloud SQL Auth Proxy + version as of the release of the operator. \n The operator ensures + that all workloads configured with the default proxy image are + upgraded automatically to use to the latest released proxy image. + \n When the customer upgrades the operator, the operator upgrades + all workloads using the default proxy image to the latest proxy + image. The change to the proxy container image is applied in + accordance with the RolloutStrategy." + type: string + maxConnections: + description: MaxConnections limits the number of connections. + Default value is no limit. This sets the proxy container's CLI + argument `--max-connections` + format: int64 + minimum: 0 + type: integer + maxSigtermDelay: + description: MaxSigtermDelay is the maximum number of seconds + to wait for connections to close after receiving a TERM signal. + This sets the proxy container's CLI argument `--max-sigterm-delay` + and configures `terminationGracePeriodSeconds` on the workload's + PodSpec. + format: int64 + minimum: 0 + type: integer + resources: + description: Resources specifies the resources required for the + proxy pod. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. 
It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + rolloutStrategy: + default: Workload + description: 'RolloutStrategy indicates the strategy to use when + rolling out changes to the workloads affected by the results. + When this is set to `Workload`, changes to this resource will + be automatically applied to a running Deployment, StatefulSet, + DaemonSet, or ReplicaSet in accordance with the Strategy set + on that workload. When this is set to `None`, the operator will + take no action to roll out changes to affected workloads. `Workload` + will be used by default if no value is set. 
See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy' + enum: + - Workload + - None + type: string + sqlAdminAPIEndpoint: + description: SQLAdminAPIEndpoint is a debugging parameter that + when specified will change the Google Cloud api endpoint used + by the proxy. + type: string + telemetry: + description: Telemetry specifies how the proxy should expose telemetry. + Optional, by default + properties: + disableMetrics: + description: DisableMetrics disables Cloud Monitoring testintegration + (used with telemetryProject) This sets the proxy container's + CLI argument `--disable-metrics` + type: boolean + disableTraces: + description: DisableTraces disables Cloud Trace testintegration + (used with telemetryProject) This sets the proxy container's + CLI argument `--disable-traces` + type: boolean + httpPort: + description: HTTPPort the port for Prometheus and health check + server. This sets the proxy container's CLI argument `--http-port` + format: int32 + type: integer + prometheus: + description: Prometheus Enables Prometheus HTTP endpoint /metrics + on localhost This sets the proxy container's CLI argument + `--prometheus` + type: boolean + prometheusNamespace: + description: PrometheusNamespace is used the provided Prometheus + namespace for metrics This sets the proxy container's CLI + argument `--prometheus-namespace` + type: string + quotaProject: + description: QuotaProject Specifies the project to use for + Cloud SQL Admin API quota tracking. The IAM principal must + have the "serviceusage.services.use" permission for the + given project. See https://cloud.google.com/service-usage/docs/overview + and https://cloud.google.com/storage/docs/requester-pays + This sets the proxy container's CLI argument `--quota-project` + type: string + telemetryPrefix: + description: TelemetryPrefix is the prefix for Cloud Monitoring + metrics. 
This sets the proxy container's CLI argument `--telemetry-prefix` + type: string + telemetryProject: + description: TelemetryProject enables Cloud Monitoring and + Cloud Trace with the provided project ID. This sets the + proxy container's CLI argument `--telemetry-project` + type: string + telemetrySampleRate: + description: TelemetrySampleRate is the Cloud Trace sample + rate. A smaller number means more traces. This sets the + proxy container's CLI argument `--telemetry-sample-rate` + type: integer + type: object + type: object + instances: + description: Instances describes the Cloud SQL instances to configure + on the proxy container. + items: + description: "InstanceSpec describes the configuration for how the + proxy should expose a Cloud SQL database instance to a workload. + \n In the minimum recommended configuration, the operator will + choose a non-conflicting TCP port and set environment variables + MY_DB_SERVER_PORT MY_DB_SERVER_HOST with the value of the TCP + port and hostname. The application can read these values to connect + to the database through the proxy. For example: \n `{ \"connectionString\":\"my-project:us-central1:my-db-server\", + \"portEnvName\":\"MY_DB_SERVER_PORT\" \"hostEnvName\":\"MY_DB_SERVER_HOST\" + }` \n If you want to assign a specific port number for a database, + set the `port` field. For example: \n `{ \"connectionString\":\"my-project:us-central1:my-db-server\", + \"port\":5000 }`" + properties: + autoIAMAuthN: + description: AutoIAMAuthN (optional) Enables IAM Authentication + for this instance. Default value is false. 
+ type: boolean + connectionString: + description: ConnectionString is the connection string for the + Cloud SQL Instance in the format `project_id:region:instance_name` + pattern: ^([^:]+(:[^:]+)?):([^:]+):([^:]+)$ + type: string + hostEnvName: + description: HostEnvName The name of the environment variable + containing this instances tcp hostname Optional, when set + this environment variable will be added to all containers + in the workload. + type: string + port: + description: Port (optional) sets the tcp port for this instance. + If not set, a value will be automatically assigned by the + operator and set as an environment variable on all containers + in the workload named according to PortEnvName. The operator + will choose a port so that it does not conflict with other + ports on the workload. + format: int32 + minimum: 1 + type: integer + portEnvName: + description: PortEnvName is name of the environment variable + containing this instance's tcp port. Optional, when set this + environment variable will be added to all containers in the + workload. + type: string + privateIP: + description: PrivateIP (optional) Enable connection to the Cloud + SQL instance's private ip for this instance. Default value + is false. + type: boolean + psc: + description: PSC (optional) Enable connection to the Cloud SQL + instance's private service connect endpoint. May not be used + with PrivateIP. Default value is false. + type: boolean + unixSocketPath: + description: UnixSocketPath is the path to the unix socket where + the proxy will listen for connnections. This will be mounted + to all containers in the pod. + type: string + unixSocketPathEnvName: + description: UnixSocketPathEnvName is the environment variable + containing the value of UnixSocketPath. + type: string + type: object + minItems: 1 + type: array + workloadSelector: + description: Workload selects the workload where the proxy container + will be added. 
+ properties: + kind: + description: 'Kind specifies what kind of workload Supported kinds: + Deployment, StatefulSet, Pod, ReplicaSet,DaemonSet, Job, CronJob + Example: "Deployment" "Deployment.v1" or "Deployment.v1.apps".' + pattern: \w+(\.\w+)* + type: string + name: + description: Name specifies the name of the resource to select. + type: string + selector: + description: Selector (optional) selects resources using labels. + See "Label selectors" in the kubernetes docs https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + required: + - kind + type: object + required: + - instances + - workloadSelector + type: object + status: + description: AuthProxyWorkloadStatus presents the observed state of AuthProxyWorkload + using standard Kubernetes Conditions. + properties: + WorkloadStatus: + description: WorkloadStatus presents the observed status of individual + workloads that match this AuthProxyWorkload resource. + items: + description: WorkloadStatus presents the status for how this AuthProxyWorkload + resource was applied to a specific workload. + properties: + conditions: + description: "Conditions show the status of the AuthProxyWorkload + resource on this matching workload. \n The \"UpToDate\" condition + indicates that the proxy was successfully applied to all matching + workloads. See ConditionUpToDate." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + kind: + description: Kind Version Namespace Name identify the specific + workload. 
+ enum: + - Pod + - Deployment + - StatefulSet + - ReplicaSet + - DaemonSet + - Job + - CronJob + type: string + name: + type: string + namespace: + type: string + version: + type: string + required: + - conditions + type: object + type: array + conditions: + description: "Conditions show the overall status of the AuthProxyWorkload + resource on all matching workloads. \n The \"UpToDate\" condition + indicates that the proxy was successfully applied to all matching + workloads. See ConditionUpToDate." + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} \ No newline at end of file diff --git a/helm/cloud-sql-operator-crds/values.yaml b/helm/cloud-sql-operator-crds/values.yaml new file mode 100644 index 00000000..a37b512e --- /dev/null +++ b/helm/cloud-sql-operator-crds/values.yaml 
@@ -0,0 +1,16 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +operatorNamespace: "cloud-sql-proxy-operator-system" +operatorName: "cloud-sql-proxy-operator" \ No newline at end of file diff --git a/helm/cloud-sql-operator/Chart.yaml b/helm/cloud-sql-operator/Chart.yaml index f334e14e..8b319f84 100644 --- a/helm/cloud-sql-operator/Chart.yaml +++ b/helm/cloud-sql-operator/Chart.yaml @@ -1,6 +1,20 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: v2 name: cloud-sql-operator -description: A Helm chart for Kubernetes +description: A helm chart for the Cloud SQL Auth Proxy Operator # A chart can be either an 'application' or a 'library' chart. # 
@@ -21,4 +35,17 @@ version: 0.1.0 # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.16.0" +appVersion: "1.2.0" + +icon: https://lh3.googleusercontent.com/W3UEBKN5fp9DlpOe7N8rDi738TxH2BV61XKxmF3EFL15utdzE-rK99XBSnOjtXOKFyDf2-FnXnY=s48-w48-rw + +## Add cert-manager chart as a dependency +#dependencies: +#- name: cloud-sql-operator-crds +# version: v1.13.1 +# repository: ./charts/ +# alias: cloud-sql-operator-crds +# version: v1.13.1 +# repository: https://charts.jetstack.io +# alias: cert-manager +# condition: cert-manager.enabled \ No newline at end of file 
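Review bot: The commented-out `dependencies` block at the end of the hunk is internally inconsistent: its heading says "Add cert-manager chart as a dependency", but the entry is named `cloud-sql-operator-crds` with `repository: ./charts/`, and it then carries a second `version: v1.13.1`, `repository: https://charts.jetstack.io` and `alias: cert-manager` — two dependencies collapsed into one. If it is meant as a template for later, split it into two entries (`cloud-sql-operator-crds` and `cert-manager`) each with its own `name`/`version`/`repository`/`alias`, or drop it and keep only a one-line `# TODO: declare cloud-sql-operator-crds and cert-manager as chart dependencies` so a future maintainer does not uncomment it as-is.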
diff --git a/helm/cloud-sql-operator/csql-icon.webp b/helm/cloud-sql-operator/csql-icon.webp new file mode 100644 index 0000000000000000000000000000000000000000..7925071da64ce3769139e99389b3941c76a3d85a GIT binary patch literal 1770 zcmV)}P%L9d-`423J zC4afGs=?1JT zFnMGtB-gg2NY3An4>F~xK+MciR#HTZR?LhRXggS#6;Wb2AhRS!lB7sd>Mzpk!@o2; z&C|Os2VejKY;4=MZQJH&d$xVqwr$(CSKD?Q2X5O&l03WHyGA|TM{qmEcjzM9u=mvG z=C-9wK%{tfnp~TUq&AL&T_@-N4U2<;!i&LD=qvz47FmgBj=neyBH#Ic_sR8p^Qy6V zRoRkt26C^r=fXN=GKxj=%Cm2x&fL9UpyxUOQ!+R?*wEql6;86 zq;IXp+@@7!WyA7dAa`&eW77^mOffh&W**Z~7+9-AwI!R~TQaKw5jBC#Ns^!UFG`j)Eee0w6<{ynFJZO?p~ThR(D z8<%ee3jc@p%a{Q`D|Y6O-28{rM>x+O<48^dqRY&~rO3h3>o4`fxy@N;&HUcJX(s-j zqu>09V!=0^z%^*8v`AiK6wE|`NDt%+*Uuikr_a%6)3UH}(b#hEMR47Y>TV|)FRuC8 zk@q^jX%wY5kvxs8Fg9r*GixAIJ69AoE(!yO3nP~+6`Ba=etmCEBxx~U-C11mwiB2} zP&J4fBAglqOc_|?72`0Y$FN{C!9N9wbG(BEap>L)a%8e z7j0tqDNDE$4HfR}K3nJD+N!rxAKBkg0fM^=H^1dJ>Z#{e9EL9vP!g-u@b}9LG zr{hL@K6tcRpXBOD+A<}?B>1l=O!N@@T_it+mBqQT%GK?9+gNA~7h2&dCE8Q5ni&v1 zjLv)2G2sj;?=v?fTMvjTd3SPguh!P7G;Op23ujK&$LOU`o${+Ur6FYzcPFy#fCw@b zAi_$8CuvuIu%Hz({cz~X`X9Q1KEksH$gWHVR$M3-CzT4}Lf8Hho2u`Pu0so%Y%YDa ze^Z=ik4Ypq05M`_21HDfGD+q%`q5Qw%0#O6lLG`qQK_=So44_F{IFo4-xc)zHMtf_ zX2q2-89fMG0m;^M+|6m)EY#YLQk#{qBm=T!L9SYR3xv{lCo=jp=|vGI7==!-XRdT2 z+Vn$VITvk8EFey9>X~F>`-#1iByH}x^!ev^jNH5pNm2}m9MAAD21m#3G48A_ zAP0DO>o%!G86e8c%onocaC7M6Q;&{%5w&12hxkNdJwf*Pt}t_?Iz^%0HkA5$?I4~w zy7q^_D_*JaZ!qE+01=v4TQ2F_R$6NbwWfCIp)Nd_jo-iNAm$WPU65qfz8n9hTwf1f zl5I*ApWG`$XY?rEsn+Lou5JNhL6~M4$iBT=>cKxR*=G^BF{f&Ers~gV!9TUo=m(j) znhOU&Bqd3V!>oQ@A5p$4qnELhLd@RspS}|NPu3^zB*TTijGDf^mpyZC%)D^=h&T*9 z^XiwZ5)c{IbTJbrTm2l;_sDc}=*j#axq%jZiKGUj#dNHiYz4%C3tgMItI3OIKWGzt z*NvMel5KB(q{jsnFI9L2jjna~GO;UFw!{J;?wNX4YbuW#aFOo=k{kj=p1460E!o>j zTp-!@!=tTqp;V_*%g7-EBCbSwqwQ_)XuN({|WD92wZ~aG! 
z8Gxt}E4j*2;%~E`DE)9}Tu#BsK=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "cloud-sql-operator.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .pathType }} - {{- end }} - backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} - service: - name: {{ $fullName }} - port: - number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} diff --git a/helm/cloud-sql-operator/templates/service.yaml b/helm/cloud-sql-operator/templates/service.yaml deleted file mode 100644 index dc1984b3..00000000 --- a/helm/cloud-sql-operator/templates/service.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cloud-sql-operator.fullname" . }} - labels: - {{- include "cloud-sql-operator.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "cloud-sql-operator.selectorLabels" . | nindent 4 }} diff --git a/helm/cloud-sql-operator/templates/serviceaccount.yaml b/helm/cloud-sql-operator/templates/serviceaccount.yaml deleted file mode 100644 index 4fac4614..00000000 --- a/helm/cloud-sql-operator/templates/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "cloud-sql-operator.serviceAccountName" . }} - labels: - {{- include "cloud-sql-operator.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: {{ .Values.serviceAccount.automount }} -{{- end }} diff --git a/helm/cloud-sql-operator/templates/tests/test-connection.yaml b/helm/cloud-sql-operator/templates/tests/test-connection.yaml deleted file mode 100644 index 92b04df1..00000000 --- a/helm/cloud-sql-operator/templates/tests/test-connection.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "cloud-sql-operator.fullname" . }}-test-connection" - labels: - {{- include "cloud-sql-operator.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "cloud-sql-operator.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never diff --git a/helm/cloud-sql-operator/values.yaml b/helm/cloud-sql-operator/values.yaml index 160a334f..4cde724c 100644 --- a/helm/cloud-sql-operator/values.yaml +++ b/helm/cloud-sql-operator/values.yaml 
@@ -1,64 +1,50 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + # Default values for cloud-sql-operator. # This is a YAML-formatted file. # Declare variables to be passed into your templates. -replicaCount: 1 - image: - repository: nginx + repository: gcr.io/cloud-sql-connectors/cloud-sql-operator/cloud-sql-proxy-operator pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: "" +replicaCount: 2 imagePullSecrets: [] nameOverride: "" fullnameOverride: "" -serviceAccount: - # Specifies whether a service account should be created - create: true - # Automatically mount a ServiceAccount's API credentials? - automount: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template - name: "" +podAnnotations: + kubectl.kubernetes.io/default-container: manager -podAnnotations: {} -podLabels: {} +podLabels: + control-plane: controller-manager -podSecurityContext: {} +podSecurityContext: + runAsNonRoot: true # fsGroup: 2000 -securityContext: {} +securityContext: + runAsNonRoot: true # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true - # runAsNonRoot: true # runAsUser: 1000 -service: - type: ClusterIP - port: 80 - -ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -71,26 +57,6 @@ resources: {} # cpu: 100m # memory: 128Mi -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -# Additional volumes on the output Deployment definition. -volumes: [] -# - name: foo -# secret: -# secretName: mysecret -# optional: false - -# Additional volumeMounts on the output Deployment definition. -volumeMounts: [] -# - name: foo -# mountPath: "/etc/foo" -# readOnly: true - nodeSelector: {} tolerations: [] diff --git a/tools/build-identifier.sh b/tools/build-identifier.sh index 7d3c82f8..d40d2c6a 100755 --- a/tools/build-identifier.sh +++ b/tools/build-identifier.sh 
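Review bot: In the first hunk `securityContext` now sets `runAsNonRoot: true` but leaves `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true` commented out; for a controller that only talks to the API server those are safe to enable and are the usual baseline for a restricted Pod Security Standard, together with `allowPrivilegeEscalation: false`. Whether these values actually reach the container depends on the deployment template consuming `.Values.securityContext` (templates/deployment.yaml is not in this view), so confirm that before relying on it. Proposed: `securityContext:` / `  runAsNonRoot: true` / `  allowPrivilegeEscalation: false` plus uncommenting the `capabilities: drop: [ALL]` and `readOnlyRootFilesystem: true` lines, with a comment noting that the operator writes no files at runtime if that holds.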
@@ -23,14 +23,19 @@ if [[ -n ${RELEASE_TEST_BUILD_ID:-} ]] ; then fi NOW=$(date -u "+%Y%m%dT%H%M" | tr -d "\n") -GIT_HEAD=$( git rev-parse HEAD | tr -d "\n") +if [[ -d .git ]] ; then + GIT_HEAD=$( git rev-parse HEAD | tr -d "\n") + + if git diff HEAD --exit-code --quiet ; then + # git working dir is clean. + IMAGE_VERSION="$GIT_HEAD" + else + # git working dir is dirty, append "dirty" and the timestamp + IMAGE_VERSION="$GIT_HEAD-dirty-${NOW}" + fi -if git diff HEAD --exit-code --quiet ; then - # git working dir is clean. - IMAGE_VERSION="$GIT_HEAD" else - # git working dir is dirty, append "dirty" and the timestamp - IMAGE_VERSION="$GIT_HEAD-dirty-${NOW}" + IMAGE_VERSION="0000000-dirty-${NOW}" fi echo -n "$IMAGE_VERSION" diff --git a/tools/helm-install-operator.sh b/tools/helm-install-operator.sh new file mode 100755 index 00000000..d264f4ae --- /dev/null +++ b/tools/helm-install-operator.sh 
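Review bot: The new `if [[ -d .git ]] ; then` guard only detects a checkout whose `.git` is a directory; in a git worktree or a submodule checkout `.git` is a file, so those builds silently fall through to the `0000000-dirty-${NOW}` fallback even though `git rev-parse HEAD` would have worked. Asking git directly is more robust and keeps the same shape: `if git rev-parse --git-dir >/dev/null 2>&1 ; then`. A short comment on the `else` branch saying the zero hash marks a build from an exported tree (no repository metadata) would make the fallback value self-explanatory.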
@@ -0,0 +1,65 @@ +#!/usr/bin/env bash +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +function install() { + helm repo update --kubeconfig "${KUBECONFIG}" + + helm --kubeconfig "${KUBECONFIG}" uninstall cloud-sql-proxy-operator || true + + helm --kubeconfig "${KUBECONFIG}" uninstall cloud-sql-proxy-operator-crds || true + + kubectl delete ns helm-cloud-sql-operator || true + + helm --kubeconfig "${KUBECONFIG}" "install" --replace \ + cloud-sql-proxy-operator-crds "$PROJECT_DIR/helm/cloud-sql-operator-crds" \ + --set "operatorNamespace=helm-cloud-sql-operator" \ + --set "operatorName=cloud-sql-proxy-operator" + + helm --kubeconfig "${KUBECONFIG}" "install" --replace \ + cloud-sql-proxy-operator "$PROJECT_DIR/helm/cloud-sql-operator" \ + --create-namespace \ + --namespace helm-cloud-sql-operator \ + --set "image.repository=$E2E_OPERATOR_URL" +} + + +# Configure script to fail on any command error +set -euxo pipefail + +# Find project directory, cd to project directory +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +PROJECT_DIR=$( dirname "$SCRIPT_DIR") +cd "$PROJECT_DIR" + +# Validate input environment variables +#expects KUBECONFIG to be set by the caller +if [[ -z "${KUBECONFIG_E2E:-}" ]]; then + echo "expects KUBECONFIG_E2E to be the path to the kubeconfig file for kubectl." 
+ exit 1 +fi +if [[ -z "${PRIVATE_KUBECONFIG_E2E:-}" ]]; then + echo "expects PRIVATE_KUBECONFIG_E2E to be the path to the kubeconfig file for kubectl." + exit 1 +fi + +#expects E2E_OPERATOR_URL to be set by the caller +if [[ -z "${E2E_OPERATOR_URL:-}" ]]; then + echo "expects E2E_OPERATOR_URL to be the URL to the operator image." + exit 1 +fi + +export KUBECONFIG=$KUBECONFIG_E2E +install + diff --git a/tools/install_to_helm.go b/tools/install_to_helm.go new file mode 100644 index 00000000..e2297fc6 --- /dev/null +++ b/tools/install_to_helm.go 
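Review bot: The script requires `PRIVATE_KUBECONFIG_E2E` and exits if it is unset, but never reads it afterwards — only `KUBECONFIG_E2E` is exported as `KUBECONFIG`; either drop that check or add a comment saying why the private kubeconfig must exist. The comment `#expects KUBECONFIG to be set by the caller` is stale for the same reason and should name `KUBECONFIG_E2E`. In `install()` the `|| true` on `kubectl delete ns helm-cloud-sql-operator` also masks connectivity and authorization failures, not just a missing namespace; `kubectl delete ns helm-cloud-sql-operator --ignore-not-found` tolerates only the absence case, and passing `--kubeconfig "${KUBECONFIG}"` there would match the helm invocations instead of relying on the exported variable.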
@@ -0,0 +1,121 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Copies the static yaml installer output and turns it into a helm chart +// template +package main + +import ( + "bytes" + "flag" + "fmt" + "os" + "path" + "strings" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/yaml" +) + +type document struct { + metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` +} + +func main() { + installYaml := flag.String("installYaml", "", "The install yaml file") + operatorChartDir := flag.String("operatorChartDir", "", "The operator helm chart directory") + crdChartDir := flag.String("crdChartDir", "", "The crd helm chart directory") + flag.Parse() + fmt.Printf("Converting install yaml %v to helm chart at %v and %v.", *installYaml, *operatorChartDir, *crdChartDir) + read(*installYaml, *operatorChartDir, *crdChartDir) +} + +func read(installYaml, operatorChartDir, crdChardDir string) { + // read the output.yaml file + data, err := os.ReadFile(installYaml) + if err != nil { + panic(err) + } + + // Split on '---' + docs := bytes.Split(data, []byte{'\n', '-', '-', '-', '\n'}) + fmt.Println("Starting docs...") + fmt.Println() + for i, docBytes := range docs { + + var doc document + if err := 
yaml.Unmarshal(docBytes, &doc); err != nil { + panic(err) + } + fmt.Printf("Doc %d\n", i) + // print the fields to the console + fmt.Printf("%d, %v %v\n", i, doc.Kind, doc.Name) + + var filename = fmt.Sprintf("%s-%s.yaml", doc.Kind, strings.Replace(doc.Name, "cloud-sql-proxy-operator-", "", 1)) + + var filePath string + var content []byte + switch doc.Kind { + case "Namespace": + filePath = path.Join(crdChardDir, "templates", filename) + content = makeCrdChartReplacements(docBytes) + case "Deployment": + // ignore the deployment, this is a custom-written chart + case "CustomResourceDefinition": + filePath = path.Join(crdChardDir, "templates", filename) + content = makeCrdChartReplacements(docBytes) + default: + filePath = path.Join(operatorChartDir, "templates", filename) + content = makeChartReplacements(docBytes) + } + + if filePath == "" { + continue + } + + err := os.WriteFile(filePath, content, 0644) + if err != nil { + panic(err) + } + } + +} + +func makeChartReplacements(data []byte) []byte { + content := string(data) + + // Namespace + content = strings.Replace(content, "cloud-sql-proxy-operator-system", "{{ .Release.Namespace }}", -1) + + // Name + content = strings.Replace(content, "cloud-sql-proxy-operator", "{{ .Release.Name }}", -1) + + return []byte(content) +} + +func makeCrdChartReplacements(data []byte) []byte { + content := string(data) + + // Namespace + content = strings.Replace(content, "cloud-sql-proxy-operator-system", "{{ .Values.operatorNamespace }}", -1) + + // Name + content = strings.Replace(content, "cloud-sql-proxy-operator", "{{ .Values.operatorName }}", -1) + + return []byte(content) +}
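Review bot: In `read`, an empty or whitespace-only document (a leading or trailing `---` in the install yaml) unmarshals to a zero `document`, so `doc.Kind` is empty, the switch takes the `default` branch, and a junk file named `-.yaml` is written into the operator chart's templates directory; guard before building the filename with `if doc.Kind == "" { continue }`. The three `path.Join(...)` calls build filesystem paths and should be `filepath.Join(...)` (swap the `path` import for `path/filepath`). Note also that `makeChartReplacements` and `makeCrdChartReplacements` rewrite every occurrence of the literal `cloud-sql-proxy-operator` in the document, including any that appear inside CRD descriptions or annotation values rather than in names; if that is intended, a comment on each function stating that the replacement is document-wide would save the next reader from checking.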