Upgrade service catalog from v0.1.11 to v0.1.28 (#120)

Major flaws reported by kyma team has been fixed: - kubernetes-retired/service-catalog#2025 - kubernetes-retired/service-catalog#1879 - kubernetes-retired/service-catalog#2006 Enabled namespaced broker feature.
kyma-project · Aug 7, 2018 · 1f8d471 · 1f8d471
1 parent 247ecb3
commit 1f8d471
Show file tree

Hide file tree

Showing 5 changed files with 116 additions and 19 deletions.
diff --git a/resources/core/charts/service-catalog/charts/catalog/Chart.yaml b/resources/core/charts/service-catalog/charts/catalog/Chart.yaml
@@ -1,4 +1,3 @@
 name: catalog
 description: service-catalog API server and controller-manager helm chart
-version: 0.1.11
-
+version: 0.1.28
diff --git a/resources/core/charts/service-catalog/charts/catalog/templates/apiserver-deployment.yaml b/resources/core/charts/service-catalog/charts/catalog/templates/apiserver-deployment.yaml
@@ -22,25 +22,27 @@ spec:
         app: {{ template "fullname" . }}-apiserver
         chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
         release: "{{ .Release.Name }}"
+        releaseRevision: "{{ .Release.Revision }}"
         heritage: "{{ .Release.Service }}"
+      {{ if .Values.apiserver.annotations }}
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/apiserver-secret.yaml") . | sha256sum }}
+{{ toYaml .Values.apiserver.annotations | indent 8 }}
+      {{- end }}
     spec:
       serviceAccountName: "{{ .Values.apiserver.serviceAccount }}"
       containers:
       - name: apiserver
         image: {{ .Values.image }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         resources:
-          requests:
-            memory: 20Mi
+{{ toYaml .Values.apiserver.resources | indent 10 }}
         args:
         - apiserver
         {{ if .Values.apiserver.audit.activated -}}
         - --audit-log-path
         - {{ .Values.apiserver.audit.logPath }}
         {{- end}}
-        - --admission-control
+        - --enable-admission-plugins
         - "KubernetesNamespaceLifecycle,DefaultServicePlan,ServiceBindingsLifecycle,ServicePlanChangeValidator,BrokerAuthSarCheck"
         - --secure-port
         - "8443"
@@ -62,9 +64,9 @@ spec:
         - --feature-gates
         - OriginatingIdentity=true
         {{- end }}
-        {{- if .Values.namespacedServiceBrokerEnabled }}
+        {{- if .Values.namespacedServiceBrokerDisabled }}
         - --feature-gates
-        - NamespacedServiceBroker=true
+        - NamespacedServiceBroker=false
         {{- end }}
         {{- if .Values.apiserver.serveOpenAPISpec }}
         - --serve-openapi-spec
@@ -75,6 +77,7 @@ spec:
         - name: apiserver-cert
           mountPath: /var/run/kubernetes-service-catalog
           readOnly: true
+        {{- if .Values.apiserver.healthcheck.enabled }}
         readinessProbe:
           httpGet:
             port: 8443
@@ -95,13 +98,13 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 2
+        {{- end }}
       {{- if and (eq .Values.apiserver.storage.type "etcd") .Values.apiserver.storage.etcd.useEmbedded }}
       - name: etcd
-        image: quay.io/coreos/etcd:v3.2.13
+        image: quay.io/coreos/etcd:latest
         imagePullPolicy: Always
         resources:
-          requests:
-            memory: 30Mi
+{{ toYaml .Values.apiserver.storage.etcd.resources | indent 10 }}
         env:
         - name: ETCD_DATA_DIR
           value: /etcd-data-dir
@@ -135,6 +138,10 @@ spec:
           successThreshold: 1
           timeoutSeconds: 2
       {{- end }}
+      {{ if .Values.apiserver.nodeSelector }}
+      nodeSelector:
+         {{ .Values.apiserver.nodeSelector }}
+      {{ end }}
       volumes:
       - name: apiserver-cert
         secret:

diff --git a/...s/core/charts/service-catalog/charts/catalog/templates/controller-manager-deployment.yaml b/...s/core/charts/service-catalog/charts/catalog/templates/controller-manager-deployment.yaml
@@ -20,6 +20,9 @@ spec:
     metadata:
       annotations:
         prometheus.io/scrape: "{{ .Values.controllerManager.enablePrometheusScrape }}"
+      {{ if .Values.controllerManager.annotations }}
+{{ toYaml .Values.controllerManager.annotations | indent 8 }}
+      {{- end }}
       labels:
         app: {{ template "fullname" . }}-controller-manager
         chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
@@ -32,8 +35,7 @@ spec:
         image: {{ .Values.image }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         resources:
-          requests:
-            memory: 20Mi
+{{ toYaml .Values.controllerManager.resources | indent 10 }}
         env:
         - name: K8S_NAMESPACE
           valueFrom:
@@ -43,6 +45,7 @@ spec:
         - controller-manager
         - --secure-port
         - "8444"
+        - "--cluster-id-configmap-namespace={{ .Release.Namespace }}"
         {{ if .Values.controllerManager.leaderElection.activated -}}
         - "--leader-election-namespace={{ .Release.Namespace }}"
         - "--leader-elect-resource-lock=configmaps"
@@ -78,16 +81,21 @@ spec:
         - --feature-gates
         - AsyncBindingOperations=true
         {{- end }}
-        {{- if .Values.namespacedServiceBrokerEnabled }}
+        {{- if .Values.catalogRestrictionsEnabled }}
         - --feature-gates
-        - NamespacedServiceBroker=true
+        - CatalogRestrictions=true
+        {{- end }}
+        {{- if .Values.namespacedServiceBrokerDisabled }}
+        - --feature-gates
+        - NamespacedServiceBroker=false
         {{- end }}
         ports:
         - containerPort: 8444
         volumeMounts:
         - name: service-catalog-cert
           mountPath: /var/run/kubernetes-service-catalog
           readOnly: true
+        {{- if .Values.controllerManager.healthcheck.enabled }}
         readinessProbe:
           httpGet:
             port: 8444
@@ -108,6 +116,11 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 2
+        {{- end }}
+      {{ if .Values.controllerManager.nodeSelector }}
+      nodeSelector:
+         {{ .Values.controllerManager.nodeSelector }}
+      {{ end }}
       volumes:
       - name: service-catalog-cert
         secret:

diff --git a/resources/core/charts/service-catalog/charts/catalog/templates/rbac.yaml b/resources/core/charts/service-catalog/charts/catalog/templates/rbac.yaml
@@ -17,6 +17,12 @@ items:
   - apiGroups: [""]
     resources: ["namespaces"]
     verbs:     ["get", "list", "watch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch"]
 # API-server service-account gets its own role
 - apiVersion: {{template "rbacApiVersion" . }}
   kind: ClusterRoleBinding
@@ -100,6 +106,20 @@ items:
   - apiGroups: ["servicecatalog.k8s.io"]
     resources: ["clusterservicebrokers/status","clusterserviceclasses/status","clusterserviceplans/status","serviceinstances/status","serviceinstances/reference","servicebindings/status"]
     verbs:     ["update"]
+  {{- if not .Values.namespacedServiceBrokerDisabled }}
+  - apiGroups: ["servicecatalog.k8s.io"]
+    resources: ["serviceclasses"]
+    verbs:     ["get","list","watch","create","patch","update","delete"]
+  - apiGroups: ["servicecatalog.k8s.io"]
+    resources: ["serviceplans"]
+    verbs:     ["get","list","watch","create","patch","update","delete"]
+  - apiGroups: ["servicecatalog.k8s.io"]
+    resources: ["servicebrokers"]
+    verbs:     ["get","list","watch"]
+  - apiGroups: ["servicecatalog.k8s.io"]
+    resources: ["servicebrokers/status","serviceclasses/status","serviceplans/status"]
+    verbs:     ["update"]
+  {{- end }}
 # give the controller-manager service account access to whats defined in its role.
 - apiVersion: {{template "rbacApiVersion" . }}
   kind: ClusterRoleBinding
@@ -115,6 +135,32 @@ items:
     name: "{{ .Values.controllerManager.serviceAccount }}"
     namespace: "{{ .Release.Namespace }}"
 
+# This gives create/update access to configmaps
+- apiVersion: {{template "rbacApiVersion" . }}
+  kind: Role
+  metadata:
+    name: "servicecatalog.k8s.io:cluster-info-configmap"
+    namespace: "{{ .Release.Namespace }}"
+  rules:
+  - apiGroups:     [""]
+    resources:     ["configmaps"]
+    resourceNames: ["cluster-info"]
+    verbs:         ["get","create","list","watch","update"]
+- apiVersion: {{template "rbacApiVersion" . }}
+  kind: RoleBinding
+  metadata:
+    name: service-catalog-controller-manager-cluster-info
+    namespace: "{{ .Release.Namespace }}"
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: "servicecatalog.k8s.io:cluster-info-configmap"
+  subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: "{{ .Values.controllerManager.serviceAccount }}"
+    namespace: "{{ .Release.Namespace }}"
+
 # This gives create/update access to configmaps in deployment namespace for leader election
 - apiVersion: {{template "rbacApiVersion" . }}
   kind: Role
@@ -132,7 +178,7 @@ items:
 - apiVersion: {{template "rbacApiVersion" . }}
   kind: RoleBinding
   metadata:
-    name: service-catalog-controller-manager
+    name: service-catalog-controller-manager-leader-election
     namespace: "{{ .Release.Namespace }}"
   roleRef:
     apiGroup: rbac.authorization.k8s.io

diff --git a/resources/core/charts/service-catalog/charts/catalog/values.yaml b/resources/core/charts/service-catalog/charts/catalog/values.yaml
@@ -1,6 +1,6 @@
 # Default values for Service Catalog
 # service-catalog image to use
-image: quay.io/kubernetes-service-catalog/service-catalog:v0.1.11
+image: quay.io/kubernetes-service-catalog/service-catalog:v0.1.28
 # imagePullPolicy for the service-catalog; valid values are "IfNotPresent",
 # "Never", and "Always"
 imagePullPolicy: Always
@@ -10,6 +10,10 @@ useAggregator: true
 ##
 rbacEnable: true
 apiserver:
+  # annotations is a collection of annotations to add to the apiserver pods.
+  annotations: {}
+  # nodeSelector to apply to the apiserver pods
+  nodeSelector: 
   # PodPreset is an optional feature and can be enabled by uncommenting the line below
   # featureGates: "PodPreset=true"
   aggregator:
@@ -28,6 +32,9 @@ apiserver:
     # https://github.com/kubernetes/kubernetes/blob/v1.7.0/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/types.go#L56-L61
     # for more information on proper values of this field
     versionPriority: 20
+  # healthcheck configures the readiness and liveliness probes for the apiserver pod.
+  healthcheck:
+    enabled: true
   tls:
     # Base64-encoded CA used to validate request-header authentication, when
     # receiving delegated authentication from an aggregator. If not set, the
@@ -79,7 +86,23 @@ apiserver:
   serviceAccount: service-catalog-apiserver
   # if true, makes the API server serve the OpenAPI schema (which is problematic with older versions of kubectl)
   serveOpenAPISpec: false
+  # Apiserver resource requests and limits
+  # Ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  resources:
+    requests:
+      cpu: 100m
+      memory: 20Mi
+    limits:
+      cpu: 100m
+      memory: 30Mi
 controllerManager:
+  # annotations is a collection of annotations to add to the controllerManager pod.
+  annotations: {}
+  # nodeSelector to apply to the controllerManager pods
+  nodeSelector: 
+  # healthcheck configures the readiness and liveliness probes for the controllerManager pod.
+  healthcheck:
+    enabled: true
   # Log level; valid values are in the range 0 - 10
   verbosity: 1
   # Resync interval; format is a duration (`20m`, `1h`, etc)
@@ -103,9 +126,18 @@ controllerManager:
   apiserverSkipVerify: true
   # Whether the controller will expose metrics on /metrics
   enablePrometheusScrape: false
+  # Controller Manager resource requests and limits
+  # Ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  resources:
+    requests:
+      cpu: 100m
+      memory: 20Mi
+    limits:
+      cpu: 100m
+      memory: 30Mi
   # Whether the OriginatingIdentity alpha feature should be enabled
 originatingIdentityEnabled: false
 # Whether the AsyncBindingOperations alpha feature should be enabled
 asyncBindingOperationsEnabled: false
-# Whether the NamespacedServiceBroker alpha feature should be enabled
-namespacedServiceBrokerEnabled: false
+# Whether the NamespacedServiceBroker alpha feature should be disabled
+namespacedServiceBrokerDisabled: false