diff --git a/charts/victoria-metrics-k8s-stack/README.md b/charts/victoria-metrics-k8s-stack/README.md index fcc41bcfe..99baf66be 100644 --- a/charts/victoria-metrics-k8s-stack/README.md +++ b/charts/victoria-metrics-k8s-stack/README.md @@ -60,6 +60,39 @@ vmagent: - url: "https://insert.vmcluster.domain.com/insert/0/prometheus/api/v1/write" ``` +### ArgoCD issues + +When deploying K8s stack using ArgoCD without Cert Manager (`.Values.victoria-metrics-operator.admissionWebhooks.certManager.enabled: false`) +it will rerender operator's webhook certificates on each sync since Helm `lookup` function is not respected by ArgoCD. +To prevent this please update you K8s stack Application `spec.syncPolicy` and `spec.ignoreDifferences` with a following: + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: Application +... +spec: + ... + syncPolicy: + syncOptions: + # https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#respect-ignore-difference-configs + # argocd must also ignore difference during apply stage + # otherwise it ll silently override changes and cause a problem + - RespectIgnoreDifferences=true + ignoreDifferences: + - group: "" + kind: Secret + name: -validation + namespace: kube-system + jsonPointers: + - /data + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + name: -admission + jqPathExpressions: + - '.webhooks[]?.clientConfig.caBundle' +``` +where `` is output of `{{ include "vm-operator.fullname" }}` for your setup + ### Rules and dashboards This chart by default install multiple dashboards and recording rules from [kube-prometheus](https://github.com/prometheus-operator/kube-prometheus) diff --git a/charts/victoria-metrics-k8s-stack/README.md.gotmpl b/charts/victoria-metrics-k8s-stack/README.md.gotmpl index cf0e4e730..d4ec6d618 100644 --- a/charts/victoria-metrics-k8s-stack/README.md.gotmpl +++ b/charts/victoria-metrics-k8s-stack/README.md.gotmpl 
@@ -62,6 +62,39 @@ vmagent: - url: "https://insert.vmcluster.domain.com/insert/0/prometheus/api/v1/write" ``` +### ArgoCD issues + +When deploying K8s stack using ArgoCD without Cert Manager (`.Values.victoria-metrics-operator.admissionWebhooks.certManager.enabled: false`) +it will rerender operator's webhook certificates on each sync since Helm `lookup` function is not respected by ArgoCD. +To prevent this please update you K8s stack Application `spec.syncPolicy` and `spec.ignoreDifferences` with a following: + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: Application +... +spec: + ... + syncPolicy: + syncOptions: + # https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#respect-ignore-difference-configs + # argocd must also ignore difference during apply stage + # otherwise it ll silently override changes and cause a problem + - RespectIgnoreDifferences=true + ignoreDifferences: + - group: "" + kind: Secret + name: -validation + namespace: kube-system + jsonPointers: + - /data + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + name: -admission + jqPathExpressions: + - '.webhooks[]?.clientConfig.caBundle' +``` +where `` is output of `{{"{{"}} include "vm-operator.fullname" {{"}}"}}` for your setup + ### Rules and dashboards This chart by default install multiple dashboards and recording rules from [kube-prometheus](https://github.com/prometheus-operator/kube-prometheus) diff --git a/charts/victoria-metrics-operator/CHANGELOG.md b/charts/victoria-metrics-operator/CHANGELOG.md index 29bda18b0..3b59df262 100644 --- a/charts/victoria-metrics-operator/CHANGELOG.md +++ b/charts/victoria-metrics-operator/CHANGELOG.md 
@@ -8,6 +8,8 @@ - Use static container names in a pod - Updated operator service scrape config - Added `.Values.vmstorage.service.ipFamilies` and `.Values.vmstorage.service.ipFamilyPolicy` for service IP family management +- Enabled webhook by default +- Generate webhook certificate when Cert Manager is not enabled ## 0.34.0 diff --git a/charts/victoria-metrics-operator/README.md b/charts/victoria-metrics-operator/README.md index b1352906a..0379c8fda 100644 --- a/charts/victoria-metrics-operator/README.md +++ b/charts/victoria-metrics-operator/README.md 
@@ -10,6 +10,38 @@ Victoria Metrics Operator * Install the follow packages: ``git``, ``kubectl``, ``helm``, ``helm-docs``. See this [tutorial](../../REQUIREMENTS.md). * PV support on underlying infrastructure. +## ArgoCD issues + +When running operator using ArgoCD without Cert Manager (`.Values.admissionWebhooks.certManager.enabled: false`) it will rerender webhook certificates +on each sync since Helm `lookup` function is not respected by ArgoCD. To prevent this please update you operator Application `spec.syncPolicy` and `spec.ignoreDifferences` with a following: + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: Application +... +spec: + ... + syncPolicy: + syncOptions: + # https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#respect-ignore-difference-configs + # argocd must also ignore difference during apply stage + # otherwise it ll silently override changes and cause a problem + - RespectIgnoreDifferences=true + ignoreDifferences: + - group: "" + kind: Secret + name: -validation + namespace: kube-system + jsonPointers: + - /data + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + name: -admission + jqPathExpressions: + - '.webhooks[]?.clientConfig.caBundle' +``` +where `` is output of `{{ include "vm-operator.fullname" }}` for your setup + ## Upgrade guide During release an issue with helm CRD was discovered. So for upgrade from version less then 0.1.3 you have to two options: 
@@ -139,11 +171,11 @@ Change the values according to the need of the environment in ``victoria-metrics | Key | Type | Default | Description | |-----|------|---------|-------------| -| admissionWebhooks | object | `{"caBundle":"","certManager":{"enabled":false,"issuer":{}},"enabled":false,"enabledCRDValidation":{"vmagent":true,"vmalert":true,"vmalertmanager":true,"vmalertmanagerConfig":true,"vmauth":true,"vmcluster":true,"vmrule":true,"vmsingle":true,"vmuser":true},"policy":"Fail"}` | Configures resource validation | -| admissionWebhooks.caBundle | string | `""` | with keys: tls.key, tls.crt, ca.crt | +| admissionWebhooks | object | `{"certManager":{"enabled":false,"issuer":{}},"enabled":true,"enabledCRDValidation":{"vlogs":true,"vmagent":true,"vmalert":true,"vmalertmanager":true,"vmalertmanagerconfig":true,"vmauth":true,"vmcluster":true,"vmrule":true,"vmsingle":true,"vmuser":true},"keepTLSSecret":false,"policy":"Fail","tls":{"caCert":null,"cert":null,"key":null}}` | Configures resource validation | +| admissionWebhooks.certManager | object | `{"enabled":false,"issuer":{}}` | with keys: tls.key, tls.crt, ca.crt | | admissionWebhooks.certManager.enabled | bool | `false` | Enables cert creation and injection by cert-manager. | | admissionWebhooks.certManager.issuer | object | `{}` | If needed, provide own issuer. Operator will create self-signed if empty. | -| admissionWebhooks.enabled | bool | `false` | Enables validation webhook. | +| admissionWebhooks.enabled | bool | `true` | Enables validation webhook. | | admissionWebhooks.policy | string | `"Fail"` | What to do in case, when operator not available to validate request. | | affinity | object | `{}` | Pod affinity | | annotations | object | `{}` | Annotations to be added to the all resources | 
@@ -161,6 +193,7 @@ Change the values according to the need of the environment in ``victoria-metrics | extraVolumeMounts | list | `[]` | Extra Volume Mounts for the container | | extraVolumes | list | `[]` | Extra Volumes for the pod | | fullnameOverride | string | `""` | Overrides the full name of server component | +| global.cluster.dnsDomain | string | `"cluster.local"` | | | global.image.registry | string | `""` | | | global.imagePullSecrets | list | `[]` | | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | @@ -215,4 +248,4 @@ Change the values according to the need of the environment in ``victoria-metrics | serviceMonitor | object | `{"annotations":{},"basicAuth":{},"enabled":false,"extraLabels":{},"interval":"","relabelings":[],"scheme":"","scrapeTimeout":"","tlsConfig":{}}` | configures monitoring with serviceScrape. VMServiceScrape must be pre-installed | | tolerations | list | `[]` | Array of tolerations object. Ref: [https://kubernetes.io/docs/concepts/configuration/assign-pod-node/](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) | | topologySpreadConstraints | list | `[]` | Pod Topology Spread Constraints. Ref: [https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) | -| watchNamespace | string | `""` | | \ No newline at end of file +| watchNamespace | string | `""` | | diff --git a/charts/victoria-metrics-operator/README.md.gotmpl b/charts/victoria-metrics-operator/README.md.gotmpl index 364c385f2..d83471a7d 100644 --- a/charts/victoria-metrics-operator/README.md.gotmpl +++ b/charts/victoria-metrics-operator/README.md.gotmpl 
@@ -10,6 +10,38 @@ * Install the follow packages: ``git``, ``kubectl``, ``helm``, ``helm-docs``. See this [tutorial](../../REQUIREMENTS.md). * PV support on underlying infrastructure. +## ArgoCD issues + +When running operator using ArgoCD without Cert Manager (`.Values.admissionWebhooks.certManager.enabled: false`) it will rerender webhook certificates +on each sync since Helm `lookup` function is not respected by ArgoCD. To prevent this please update you operator Application `spec.syncPolicy` and `spec.ignoreDifferences` with a following: + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: Application +... +spec: + ... + syncPolicy: + syncOptions: + # https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#respect-ignore-difference-configs + # argocd must also ignore difference during apply stage + # otherwise it ll silently override changes and cause a problem + - RespectIgnoreDifferences=true + ignoreDifferences: + - group: "" + kind: Secret + name: -validation + namespace: kube-system + jsonPointers: + - /data + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + name: -admission + jqPathExpressions: + - '.webhooks[]?.clientConfig.caBundle' +``` +where `` is output of `{{"{{"}} include "vm-operator.fullname" {{"}}"}}` for your setup + ## Upgrade guide During release an issue with helm CRD was discovered. So for upgrade from version less then 0.1.3 you have to two options: @@ -137,4 +169,4 @@ The following tables lists the configurable parameters of the chart and their de Change the values according to the need of the environment in ``victoria-metrics-operator/values.yaml`` file. -{{ template "chart.valuesTable" . }} \ No newline at end of file +{{ template "chart.valuesTable" . }} diff --git a/charts/victoria-metrics-operator/templates/_helpers.tpl b/charts/victoria-metrics-operator/templates/_helpers.tpl index 8a14eb671..620badbcd 100644 --- a/charts/victoria-metrics-operator/templates/_helpers.tpl 
+++ b/charts/victoria-metrics-operator/templates/_helpers.tpl 
@@ -62,9 +62,49 @@ helm.sh/chart: {{ include "vm-operator.chart" . }} app.kubernetes.io/managed-by: {{ .Release.Service | trunc 63 | trimSuffix "-" }} {{- end -}} +{{/* +Create unified annotations for vm-operator components +*/}} +{{- define "vm-operator.annotations" -}} +helm.sh/resource-policy: keep +meta.helm.sh/release-namespace: {{ .Release.Namespace }} +meta.helm.sh/release-name: {{ .Release.Name }} +{{- end -}} + {{/* Create the name of service account and clusterRole for cleanup-hook */}} {{- define "vm-operator.cleanupHookName" -}} {{- printf "%s-%s" (include "vm-operator.fullname" .) "cleanup-hook" | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} + +{{/* +Generate certificates for webhook +*/}} +{{- define "vm-operator.certs" -}} +{{- $webhook := .Values.admissionWebhooks -}} +{{- $tls := $webhook.tls -}} +{{- $serviceName := (include "vm-operator.fullname" .) -}} +{{- $secretName := (printf "%s-validation" $serviceName) -}} +{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}} +{{- if (and $tls.caCert $tls.cert $tls.key) -}} +caCert: {{ $tls.caCert | b64enc }} +clientCert: {{ $tls.cert | b64enc }} +clientKey: {{ $tls.key | b64enc }} +{{- else if and $webhook.keepTLSSecret $secret -}} +caCert: {{ index $secret.data "ca.crt" }} +clientCert: {{ index $secret.data "tls.crt" }} +clientKey: {{ index $secret.data "tls.key" }} +{{- else -}} +{{- $altNames := default list -}} +{{- $namePrefix := (printf "%s.%s" $serviceName .Release.Namespace) -}} +{{- $altNames = append $altNames $namePrefix -}} +{{- $altNames = append $altNames (printf "%s.svc" $namePrefix) -}} +{{- $altNames = append $altNames (printf "%s.svc.%s" $namePrefix .Values.global.cluster.dnsDomain) -}} +{{- $ca := genCA "vm-operator-ca" 3650 -}} +{{- $cert := genSignedCert $serviceName nil $altNames 3650 $ca -}} +caCert: {{ $ca.Cert | b64enc }} +clientCert: {{ $cert.Cert | b64enc }} +clientKey: {{ $cert.Key | b64enc }} +{{- end -}} +{{- end -}} 
diff --git a/charts/victoria-metrics-operator/templates/certmanager.yaml b/charts/victoria-metrics-operator/templates/certmanager.yaml deleted file mode 100644 index 1e26aee39..000000000 --- a/charts/victoria-metrics-operator/templates/certmanager.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if .Values.admissionWebhooks.certManager.enabled -}} -{{- if not .Values.admissionWebhooks.certManager.issuer -}} -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ template "vm-operator.fullname" . }}-root - namespace: {{ .Release.Namespace }} -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ template "vm-operator.fullname" . }}-root-ca - namespace: {{ .Release.Namespace }} -spec: - secretName: {{ template "vm-operator.fullname" . }}-root-ca - duration: 63800h0m0s - issuerRef: - name: {{ template "vm-operator.fullname" . }}-root - commonName: "ca.validation.victoriametrics" - isCA: true ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ template "vm-operator.fullname" . }}-issuer - namespace: {{ .Release.Namespace }} -spec: - ca: - secretName: {{ template "vm-operator.fullname" . }}-root-ca -{{- end }} ---- -# actual cert part for operator -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ template "vm-operator.fullname" . }}-validation - namespace: {{ .Release.Namespace }} -spec: - secretName: {{ template "vm-operator.fullname" . }}-validation - duration: 45800h0m0s - issuerRef: - {{- if .Values.admissionWebhooks.certManager.issuer }} - {{- range $k, $v := .Values.admissionWebhooks.certManager.issuer }} - {{ $k}}: {{ $v}} - {{- end }} - {{- else }} - name: {{ template "vm-operator.fullname" . }}-issuer - {{- end }} - dnsNames: - - {{ template "vm-operator.fullname" . }} - - {{ template "vm-operator.fullname" . }}.{{ .Release.Namespace }} - - {{ template "vm-operator.fullname" . }}.{{ .Release.Namespace }}.svc -{{- end -}} - - 
diff --git a/charts/victoria-metrics-operator/templates/crd.yaml b/charts/victoria-metrics-operator/templates/crd.yaml index 4cd13c4d0..260db9e30 100644 --- a/charts/victoria-metrics-operator/templates/crd.yaml +++ b/charts/victoria-metrics-operator/templates/crd.yaml @@ -3,13 +3,13 @@ {{- /* see this pull request https://github.com/VictoriaMetrics/helm-charts/pull/771 for details */ -}} {{- if .Values.createCRD }} {{- $files := .Files }} -{{- $fileContentsList := $files.Get "crd.yaml" | splitList "---" }} -{{- range $fileContentsList }} - {{- $fileContents := . | fromYaml }} - {{- $newAnnotations := dict "helm.sh/resource-policy" "keep" | merge $fileContents.metadata.annotations }} - {{- $newMetadata := dict "annotations" $newAnnotations | merge $fileContents.metadata }} - {{- $newFileContents := dict "metadata" $newMetadata | merge $fileContents }} - {{- $newFileContents | toYaml }} +{{- $crds := $files.Get "crd.yaml" | splitList "---" }} +{{- $labels := (include "vm-operator.labels" .) | fromYaml -}} +{{- $annotations := (include "vm-operator.annotations" .) | fromYaml -}} +{{- $extra := dict "metadata" (dict "annotations" $annotations "labels" $labels) -}} +{{- range $crds }} + {{- $crd := . | fromYaml }} + {{- toYaml (merge $crd $extra) }} {{- print "\n---\n" }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/victoria-metrics-operator/templates/service.yaml b/charts/victoria-metrics-operator/templates/service.yaml index 60c70db77..1c962a8fa 100644 --- a/charts/victoria-metrics-operator/templates/service.yaml +++ b/charts/victoria-metrics-operator/templates/service.yaml @@ -38,9 +38,9 @@ spec: ports: - name: http port: 8080 - targetPort: 8080 + targetPort: http protocol: TCP - name: webhook port: 443 - targetPort: 9443 + targetPort: webhook selector: {{ include "vm-operator.selectorLabels" . | nindent 4 }} 
diff --git a/charts/victoria-metrics-operator/templates/webhook.yaml b/charts/victoria-metrics-operator/templates/webhook.yaml index d6daea1a6..f8a8856ea 100644 --- a/charts/victoria-metrics-operator/templates/webhook.yaml +++ b/charts/victoria-metrics-operator/templates/webhook.yaml @@ -1,4 +1,5 @@ -{{- if and .Values.admissionWebhooks.enabled }} +{{- if .Values.admissionWebhooks.enabled }} +{{- $tls := fromYaml (include "vm-operator.certs" .) }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: 
@@ -8,25 +9,28 @@ metadata: certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-validation" .Release.Namespace ( include "vm-operator.fullname" .) | quote }} cert-manager.io/inject-ca-from: {{ printf "%s/%s-validation" .Release.Namespace (include "vm-operator.fullname" .) | quote }} {{- end }} - labels: -{{ include "vm-operator.labels" . | indent 4 }} -{{- with .Values.extraLabels }} -{{ toYaml . | indent 4 }} -{{- end }} + {{- $ctx := merge (deepCopy .) (dict "extraLabels" .Values.extraLabels) }} + labels: {{ include "vm-operator.labels" $ctx | nindent 4 }} webhooks: -{{- if .Values.admissionWebhooks.enabledCRDValidation.vmagent }} +{{- range $name, $enabled := .Values.admissionWebhooks.enabledCRDValidation }} +{{- if $enabled }} - clientConfig: service: - namespace: {{ .Release.Namespace }} - name: {{ include "vm-operator.fullname" . }} - path: /validate-operator-victoriametrics-com-v1beta1-vmagent - {{- if and .Values.admissionWebhooks.caBundle (not .Values.admissionWebhooks.certManager.enabled) }} - caBundle: {{ .Values.admissionWebhooks.caBundle }} + namespace: {{ $.Release.Namespace }} + name: {{ include "vm-operator.fullname" $ }} + path: /validate-operator-victoriametrics-com-v1beta1-{{ $name }} + {{- if not $.Values.admissionWebhooks.certManager.enabled }} + caBundle: {{ $tls.caCert }} {{- end }} - failurePolicy: {{.Values.admissionWebhooks.policy}} - name: vmagent.victoriametrics.com - admissionReviewVersions: [ "v1", "v1beta1" ] + failurePolicy: {{ $.Values.admissionWebhooks.policy }} + name: {{ $name }}.victoriametrics.com + admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None + objectSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: [{{ include "vm-operator.name" $ }}] rules: - apiGroups: - operator.victoriametrics.com 
@@ -36,198 +40,76 @@ webhooks: - CREATE - UPDATE resources: - - vmagents + - {{ $name }}{{ ternary "" "s" (hasSuffix "s" $name) }} {{- end }} -{{- if .Values.admissionWebhooks.enabledCRDValidation.vmalert }} - - clientConfig: - service: - namespace: {{ .Release.Namespace }} - name: {{ include "vm-operator.fullname" . }} - path: /validate-operator-victoriametrics-com-v1beta1-vmalert - {{- if and .Values.admissionWebhooks.caBundle (not .Values.admissionWebhooks.certManager.enabled) }} - caBundle: {{ .Values.admissionWebhooks.caBundle }} - {{- end }} - failurePolicy: {{.Values.admissionWebhooks.policy}} - name: vmalert.victoriametrics.com - admissionReviewVersions: [ "v1", "v1beta1" ] - sideEffects: None - rules: - - apiGroups: - - operator.victoriametrics.com - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - vmalerts - {{- end }} -{{- if .Values.admissionWebhooks.enabledCRDValidation.vmalertmanager }} - - clientConfig: - service: - namespace: {{ .Release.Namespace }} - name: {{ include "vm-operator.fullname" . }} - path: /validate-operator-victoriametrics-com-v1beta1-vmalertmanager - {{- if and .Values.admissionWebhooks.caBundle (not .Values.admissionWebhooks.certManager.enabled) }} - caBundle: {{ .Values.admissionWebhooks.caBundle }} - {{- end }} - failurePolicy: {{.Values.admissionWebhooks.policy}} - name: vmalertmanager.victoriametrics.com - admissionReviewVersions: [ "v1", "v1beta1" ] - sideEffects: None - rules: - - apiGroups: - - operator.victoriametrics.com - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - vmalertmanagers - {{- end }} -{{- if .Values.admissionWebhooks.enabledCRDValidation.vmauth }} - - clientConfig: - service: - namespace: {{ .Release.Namespace }} - name: {{ include "vm-operator.fullname" . 
}} - path: /validate-operator-victoriametrics-com-v1beta1-vmauth - {{- if and .Values.admissionWebhooks.caBundle (not .Values.admissionWebhooks.certManager.enabled) }} - caBundle: {{ .Values.admissionWebhooks.caBundle }} - {{- end }} - failurePolicy: Ignore - name: vmauth.victoriametrics.com - admissionReviewVersions: [ "v1", "v1beta1" ] - sideEffects: None - rules: - - apiGroups: - - operator.victoriametrics.com - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - vmauths - {{- end }} -{{- if .Values.admissionWebhooks.enabledCRDValidation.vmcluster }} - - clientConfig: - service: - namespace: {{ .Release.Namespace }} - name: {{ include "vm-operator.fullname" . }} - path: /validate-operator-victoriametrics-com-v1beta1-vmcluster - {{- if and .Values.admissionWebhooks.caBundle (not .Values.admissionWebhooks.certManager.enabled) }} - caBundle: {{ .Values.admissionWebhooks.caBundle }} - {{- end }} - failurePolicy: {{.Values.admissionWebhooks.policy}} - name: vmcluster.victoriametrics.com - admissionReviewVersions: [ "v1", "v1beta1" ] - sideEffects: None - rules: - - apiGroups: - - operator.victoriametrics.com - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - vmclusters - {{- end }} -{{- if .Values.admissionWebhooks.enabledCRDValidation.vmsingle }} - - clientConfig: - service: - namespace: {{ .Release.Namespace }} - name: {{ include "vm-operator.fullname" . 
}} - path: /validate-operator-victoriametrics-com-v1beta1-vmsingle - {{- if and .Values.admissionWebhooks.caBundle (not .Values.admissionWebhooks.certManager.enabled) }} - caBundle: {{ .Values.admissionWebhooks.caBundle }} - {{- end }} - failurePolicy: {{.Values.admissionWebhooks.policy}} - name: vmsingle.victoriametrics.com - admissionReviewVersions: [ "v1", "v1beta1" ] - sideEffects: None - rules: - - apiGroups: - - operator.victoriametrics.com - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - vmsingles - {{- end }} -{{- if .Values.admissionWebhooks.enabledCRDValidation.vmuser }} - - clientConfig: - service: - namespace: {{ .Release.Namespace }} - name: {{ include "vm-operator.fullname" . }} - path: /validate-operator-victoriametrics-com-v1beta1-vmuser - {{- if and .Values.admissionWebhooks.caBundle (not .Values.admissionWebhooks.certManager.enabled) }} - caBundle: {{ .Values.admissionWebhooks.caBundle }} - {{- end }} - failurePolicy: {{.Values.admissionWebhooks.policy}} - name: vmuser.victoriametrics.com - admissionReviewVersions: [ "v1", "v1beta1" ] - sideEffects: None - rules: - - apiGroups: - - operator.victoriametrics.com - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - vmusers - {{- end }} -{{- if .Values.admissionWebhooks.enabledCRDValidation.vmrule }} - - clientConfig: - service: - namespace: {{ .Release.Namespace }} - name: {{ include "vm-operator.fullname" . 
}} - path: /validate-operator-victoriametrics-com-v1beta1-vmrule - {{- if and .Values.admissionWebhooks.caBundle (not .Values.admissionWebhooks.certManager.enabled) }} - caBundle: {{ .Values.admissionWebhooks.caBundle }} - {{- end }} - failurePolicy: {{.Values.admissionWebhooks.policy}} - name: vmrule.victoriametrics.com - admissionReviewVersions: [ "v1", "v1beta1" ] - sideEffects: None - rules: - - apiGroups: - - operator.victoriametrics.com - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - vmrules {{- end }} -{{- if .Values.admissionWebhooks.enabledCRDValidation.vmalertmanagerConfig }} - - clientConfig: - service: - namespace: {{ .Release.Namespace }} - name: {{ include "vm-operator.fullname" . }} - path: /validate-operator-victoriametrics-com-v1beta1-vmalertmanagerconfig - {{- if and .Values.admissionWebhooks.caBundle (not .Values.admissionWebhooks.certManager.enabled) }} - caBundle: {{ .Values.admissionWebhooks.caBundle }} - {{- end }} - failurePolicy: {{.Values.admissionWebhooks.policy}} - name: vmalertmanagerconfig.victoriametrics.com - admissionReviewVersions: [ "v1", "v1beta1" ] - sideEffects: None - rules: - - apiGroups: - - operator.victoriametrics.com - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - vmalertmanagerconfigs +{{- if .Values.admissionWebhooks.certManager.enabled }} +{{- if not .Values.admissionWebhooks.certManager.issuer -}} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ template "vm-operator.fullname" . }}-root + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ template "vm-operator.fullname" . }}-root-ca + namespace: {{ .Release.Namespace }} +spec: + secretName: {{ template "vm-operator.fullname" . }}-root-ca + duration: 63800h0m0s + issuerRef: + name: {{ template "vm-operator.fullname" . 
}}-root + commonName: "ca.validation.victoriametrics" + isCA: true +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ template "vm-operator.fullname" . }}-issuer + namespace: {{ .Release.Namespace }} +spec: + ca: + secretName: {{ template "vm-operator.fullname" . }}-root-ca {{- end }} +--- +# actual cert part for operator +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ template "vm-operator.fullname" . }}-validation + namespace: {{ .Release.Namespace }} +spec: + secretName: {{ template "vm-operator.fullname" . }}-validation + duration: 45800h0m0s + issuerRef: + {{- if .Values.admissionWebhooks.certManager.issuer }} + {{- range $k, $v := .Values.admissionWebhooks.certManager.issuer }} + {{ $k}}: {{ $v}} + {{- end }} + {{- else }} + name: {{ template "vm-operator.fullname" . }}-issuer + {{- end }} + dnsNames: + - {{ template "vm-operator.fullname" . }} + - {{ template "vm-operator.fullname" . }}.{{ .Release.Namespace }} + - {{ template "vm-operator.fullname" . }}.{{ .Release.Namespace }}.svc +{{- else }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "vm-operator.fullname" . }}-validation + namespace: {{ .Release.Namespace }} + labels: {{ include "vm-operator.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $tls.caCert }} + tls.crt: {{ $tls.clientCert }} + tls.key: {{ $tls.clientKey }} +{{- end -}} {{- end }} diff --git a/charts/victoria-metrics-operator/values.yaml b/charts/victoria-metrics-operator/values.yaml index 33215580b..4051be88b 100644 --- a/charts/victoria-metrics-operator/values.yaml +++ b/charts/victoria-metrics-operator/values.yaml @@ -2,6 +2,8 @@ global: image: registry: "" imagePullSecrets: [] + cluster: + dnsDomain: cluster.local # Default values for victoria-metrics. # This is a YAML-formatted file. # Declare variables to be passed into your templates. 
@@ -179,28 +181,34 @@ extraContainers: # -- Configures resource validation admissionWebhooks: # -- Enables validation webhook. - enabled: false + enabled: true enabledCRDValidation: vmagent: true vmalert: true vmsingle: true vmauth: true vmrule: true - vmalertmanagerConfig: true + vmalertmanagerconfig: true vmalertmanager: true vmcluster: true vmuser: true + vlogs: true # -- What to do in case, when operator not available to validate request. policy: Fail # -- Enables custom ca bundle, if you are not using cert-manager. # -- in case of custom ca, you have to create secret - {{chart-name}}-validation # -- with keys: tls.key, tls.crt, ca.crt - caBundle: "" certManager: # -- Enables cert creation and injection by cert-manager. enabled: false # --If needed, provide own issuer. Operator will create self-signed if empty. issuer: {} + keepTLSSecret: false + # tls specifies TLS cert/key for the webhook + tls: + caCert: + cert: + key: # -- configures monitoring with serviceScrape. VMServiceScrape must be pre-installed serviceMonitor:
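Review bot: In the `charts/victoria-metrics-k8s-stack/README.md` hunk (`@@ -60,6 +60,39 @@`), the `ignoreDifferences` example hardcodes `namespace: kube-system` for the `-validation` Secret, but the Secret is rendered into `.Release.Namespace` (see the new Secret at the end of `webhook.yaml`), so anyone installing the stack elsewhere will copy a rule that matches nothing and keep seeing drift; use the release namespace instead. The placeholder before `-validation` and inside the backticks of the "where `` is output of" line is empty as rendered, which suggests an angle-bracket token was swallowed as an HTML tag; spell it out as a backticked, non-tag form. Minor wording: "update you K8s stack" should read "update your K8s stack", "with a following" should be "with the following", and "it ll" in the YAML comment should be "it'll".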
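Review bot: The two `README.md.gotmpl` hunks (`charts/victoria-metrics-k8s-stack/README.md.gotmpl @@ -62,6 +62,39 @@` and `charts/victoria-metrics-operator/README.md.gotmpl @@ -10,6 +10,38 @@`) carry the same `kube-system` namespace, empty placeholder and wording issues as the generated README files; since the READMEs are produced from these templates by `helm-docs`, apply the fixes here and regenerate rather than editing the `.md` files by hand.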
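Review bot: The `charts/victoria-metrics-operator/CHANGELOG.md` hunk (`@@ -8,6 +8,8 @@`) understates the scope of this change. "Enabled webhook by default" flips `admissionWebhooks.enabled` to `true` while `policy` stays `Fail`, so existing installs start rejecting CR writes if the webhook endpoint is not reachable; mark it as a breaking change. Also missing from the list: `admissionWebhooks.caBundle` is removed in favour of `admissionWebhooks.tls.{caCert,cert,key}` and `admissionWebhooks.keepTLSSecret`; `enabledCRDValidation.vmalertmanagerConfig` is renamed to `vmalertmanagerconfig`; `vlogs` validation is added; the `vmauth` webhook's hardcoded `failurePolicy: Ignore` now follows `.Values.admissionWebhooks.policy`; and `global.cluster.dnsDomain` is introduced.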
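Review bot: In the `charts/victoria-metrics-operator/README.md` hunk (`@@ -10,6 +10,38 @@`), the same `namespace: kube-system` problem applies: the `-validation` Secret and the `ValidatingWebhookConfiguration` caBundle are rendered from the same `$tls` in `webhook.yaml`, and the Secret lives in `.Release.Namespace`, so the documented `ignoreDifferences` rule only works for a kube-system install. It would also help to say explicitly what `RespectIgnoreDifferences=true` protects against here: without it ArgoCD re-applies a freshly generated CA and key on every sync, and the webhook's `caBundle` and the Secret contents can briefly disagree. "update you operator Application" should read "update your operator Application".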
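Review bot: In the values-table hunk of `charts/victoria-metrics-operator/README.md` (`@@ -139,11 +171,11 @@`), the `admissionWebhooks.certManager` row now carries the description "with keys: tls.key, tls.crt, ca.crt", which is the comment that used to belong to the removed `caBundle` entry; `helm-docs` attached it to the next key because the comment was left in place in `values.yaml`. At the same time `admissionWebhooks.keepTLSSecret` and `admissionWebhooks.tls.*` get no rows of their own. Fix the `# --` comments in `values.yaml` and regenerate the table.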
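Review bot: In the `charts/victoria-metrics-operator/README.md` hunk `@@ -161,6 +193,7 @@`, the new `global.cluster.dnsDomain` row has an empty description because the corresponding entry in `values.yaml` (`@@ -2,6 +2,8 @@`) has no `# --` comment; document that it is used to build the `<fullname>.<namespace>.svc.<dnsDomain>` SAN of the generated webhook certificate, so clusters with a non-default DNS domain know they must set it.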
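Review bot: In the `charts/victoria-metrics-operator/templates/_helpers.tpl` hunk (`@@ -62,9 +62,49 @@`), `vm-operator.certs` only reuses the existing `-validation` Secret when `keepTLSSecret` is set, and that value defaults to `false` (see the `values.yaml` hunk), so every plain `helm upgrade` falls through to `genCA`/`genSignedCert` and rotates both the CA and the leaf certificate; either default `keepTLSSecret` to `true` or state in the value's comment that upgrades rotate the webhook CA. Two smaller points: the generated SAN list (`<name>.<ns>`, `<name>.<ns>.svc`, `<name>.<ns>.svc.<dnsDomain>`) differs from the cert-manager `dnsNames` in `webhook.yaml` (bare `<name>`, `<name>.<ns>`, `<name>.<ns>.svc`), so the two code paths should be aligned, and the CA and leaf both get 3650 days whereas the cert-manager branch uses 63800h for the CA and 45800h for the leaf; pick one set of lifetimes. `{{- $altNames := default list -}}` can simply be `{{- $altNames := list -}}`.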
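Review bot: In the `charts/victoria-metrics-operator/templates/crd.yaml` hunk (`@@ -3,13 +3,13 @@`), the loop does not guard against empty documents: `splitList "---"` yields an empty string for a leading or trailing separator, `fromYaml ""` returns an empty map, and `merge $crd $extra` then emits a document consisting only of `metadata`, which `kubectl apply` rejects. Add `{{- if $crd }}` around the body. Also note that Sprig `merge` keeps existing keys of the first argument, so a CRD that already ships an annotation or label with the same key is not overridden by `vm-operator.annotations`/`vm-operator.labels`; if that is intended, a short comment would spare the next reader the lookup.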
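Review bot: In the `charts/victoria-metrics-operator/templates/service.yaml` hunk (`@@ -38,9 +38,9 @@`), switching `targetPort` to the names `http` and `webhook` requires the operator Deployment to declare container ports with exactly those names, and the Deployment template is not part of this diff; confirm the names match, because a mismatch leaves the Service with no usable endpoint and, with `admissionWebhooks.policy: Fail`, every CREATE/UPDATE of a VictoriaMetrics CR would be rejected until it is noticed.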
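Review bot: In the `charts/victoria-metrics-operator/templates/webhook.yaml` hunk `@@ -8,25 +9,28 @@`, the new `objectSelector` exempts every object labelled `app.kubernetes.io/name: <vm-operator.name>` from validation without any comment explaining why; since a label-based exemption applies to any object carrying that label, state the reason in the template and consider whether the exemption can be narrower. Separately, `$ctx := merge (deepCopy .) (dict "extraLabels" .Values.extraLabels)` passed to `include "vm-operator.labels"` assumes the labels helper reads `.extraLabels` from its context; that helper change is not in the `_helpers.tpl` hunk, so either it landed elsewhere or `extraLabels` are silently dropped from the webhook configuration.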
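Review bot: In the `charts/victoria-metrics-operator/templates/webhook.yaml` hunk `@@ -36,198 +40,76 @@`, replacing the per-kind blocks with `range $name, $enabled := .Values.admissionWebhooks.enabledCRDValidation` changes behaviour for `vmauth`, whose block previously hardcoded `failurePolicy: Ignore` and now follows `$.Values.admissionWebhooks.policy` (`Fail` by default); call that out or keep a per-kind override. The loop also renders whatever keys users already have in their values, so an existing override such as `vmalertmanagerConfig: true` (the old spelling) produces an extra webhook with path `...-v1beta1-vmalertmanagerConfig` and resource `vmalertmanagerConfigs`; add a `fail` or warning for the deprecated key. Finally, the generated `kubernetes.io/tls` Secret is only emitted when `certManager.enabled` is false, which is correct, but because the whole block now sits inside `{{- if .Values.admissionWebhooks.enabled }}`, the cert-manager Issuer/Certificate resources that the deleted `certmanager.yaml` created unconditionally are no longer created when the webhook is disabled; that is reasonable, but worth a line in the CHANGELOG.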
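Review bot: In the `charts/victoria-metrics-operator/values.yaml` hunk (`@@ -179,28 +181,34 @@`), the three comments "Enables custom ca bundle, if you are not using cert-manager", "in case of custom ca, you have to create secret - {{chart-name}}-validation" and "with keys: tls.key, tls.crt, ca.crt" describe the removed `caBundle` key but are left in place above `certManager:`, which is why `helm-docs` misattributes them. Replace them with `# --` comments on `tls` (PEM-encoded CA certificate, server certificate and private key, rendered into the `<fullname>-validation` Secret and the webhook `caBundle`) and on `keepTLSSecret` (reuse the existing Secret on upgrade instead of regenerating). It is also worth stating that a key supplied via `tls.key` ends up in the Helm release manifest as well as the Secret, so operators who prefer not to keep the key in values can rely on `keepTLSSecret: true` with the generated pair instead.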