updated role and cleanup image (#1339)

* updated cleanup image * added leader election permissions * refactoring
VictoriaMetrics · Aug 28, 2024 · 90a7674 · 90a7674
1 parent 54089b5
commit 90a7674
Show file tree

Hide file tree

Showing 13 changed files with 189 additions and 479 deletions.
diff --git a/charts/victoria-metrics-operator/CHANGELOG.md b/charts/victoria-metrics-operator/CHANGELOG.md
@@ -2,7 +2,9 @@
 
 ## Next release
 
-- TODO
+- Made `cleanupCRD` deprecated in a favour of `crd.cleanup.enabled`
+- Made `cleanupImage` deprecated in a favour of `crd.cleanup.image`
+- Made `watchNamespace` string deprecated in a favour of `watchNamespaces` slice
 
 ## 0.34.5
 

diff --git a/charts/victoria-metrics-operator/README.md b/charts/victoria-metrics-operator/README.md
@@ -179,10 +179,14 @@ Change the values according to the need of the environment in ``victoria-metrics
 | admissionWebhooks.policy | string | `"Fail"` | What to do in case, when operator not available to validate request. |
 | affinity | object | `{}` | Pod affinity |
 | annotations | object | `{}` | Annotations to be added to the all resources |
-| cleanupCRD | bool | `false` | Tells helm to clean up all the vm resources under this release's namespace when uninstalling |
-| cleanupImage.pullPolicy | string | `"IfNotPresent"` |  |
-| cleanupImage.repository | string | `"bitnami/kubectl"` |  |
-| createCRD | bool | `true` | with this option, if you remove this chart, all crd resources will be deleted with it. |
+| cleanupCRD | bool | `false` | deprecated. See `crd.cleanup.enabled` |
+| cleanupImage | object | `{"pullPolicy":"IfNotPresent","repository":"bitnami/kubectl","tag":"{{ printf \"%s.%s\" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor | replace \"+\" \"\" }}"}` | deprecated. See `crd.cleanup.image` |
+| crd.cleanup.enabled | bool | `false` | Tells helm to clean up all the vm resources under this release's namespace when uninstalling |
+| crd.cleanup.image.pullPolicy | string | `"IfNotPresent"` |  |
+| crd.cleanup.image.repository | string | `"bitnami/kubectl"` |  |
+| crd.cleanup.image.tag | string | `"{{ printf \"%s.%s\" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor | replace \"+\" \"\" }}"` |  |
+| crd.create | bool | `true` | with this option, if you remove this chart, all crd resources will be deleted with it. |
+| createCRD | bool | `true` | deprecated. See `crd.create` |
 | env | list | `[]` | extra settings for the operator deployment. full list Ref: [https://github.com/VictoriaMetrics/operator/blob/master/vars.MD](https://github.com/VictoriaMetrics/operator/blob/master/vars.MD) |
 | envFrom | list | `[]` |  |
 | extraArgs | object | `{}` | operator container additional commandline arguments |
@@ -248,4 +252,5 @@ Change the values according to the need of the environment in ``victoria-metrics
 | serviceMonitor | object | `{"annotations":{},"basicAuth":{},"enabled":false,"extraLabels":{},"interval":"","relabelings":[],"scheme":"","scrapeTimeout":"","tlsConfig":{}}` | configures monitoring with serviceScrape. VMServiceScrape must be pre-installed |
 | tolerations | list | `[]` | Array of tolerations object. Ref: [https://kubernetes.io/docs/concepts/configuration/assign-pod-node/](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) |
 | topologySpreadConstraints | list | `[]` | Pod Topology Spread Constraints. Ref: [https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) |
-| watchNamespace | string | `""` |  |
+| watchNamespace | string | `""` | deprecated. See `watchNamespaces` |
+| watchNamespaces | list | `[]` |  |
diff --git a/charts/victoria-metrics-operator/templates/_helpers.tpl b/charts/victoria-metrics-operator/templates/_helpers.tpl
@@ -6,6 +6,12 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{- define "vm-operator.cleanup.annotations" -}}
+"helm.sh/hook": pre-delete
+"helm.sh/hook-weight": "{{ .hookWeight }}"
+"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- end }}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

diff --git a/charts/victoria-metrics-operator/templates/cluster_role.yaml b/charts/victoria-metrics-operator/templates/cluster_role.yaml
@@ -1,88 +1,61 @@
-{{- if  and .Values.rbac.create  (not .Values.watchNamespace) -}}
+{{- $files := .Files }}
+{{- $fileContentsList := $files.Get "crd.yaml" | splitList "---" }}
+{{- $groups := dict }}
+{{- range $fileContentsList }}
+  {{- $fileContents := . | fromYaml }}
+  {{- $group := $fileContents.spec.group }}
+  {{- $plural:= $fileContents.spec.names.plural }}
+  {{- $resources := get $groups $group | default (list) }}
+  {{- $resources = concat $resources (list $plural (printf "%s/finalizers" $plural) (printf "%s/status" $plural)) }}
+  {{- $groups = set $groups $group $resources }}
+{{- end }}
+
+{{- $rules := default dict }}
+{{- $verbs := dict "admin" (list "*") "view" (list "get" "list" "watch") }}
+{{- range $group, $resources := $groups }}
+  {{- range $name, $v := $verbs }}
+    {{- $r := index $rules $name | default list -}}
+    {{- $r = append $r (dict "apiGroups" (list $group) "resources" $resources "verbs" $v) -}}
+    {{- $_ := set $rules $name $r }}
+  {{- end }}
+{{- end -}}
+
+{{- if .Values.rbac.create }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "vm-operator.fullname" . }}
-  labels:
-{{ include "vm-operator.labels" . | indent 4 }}
+  {{- $ctx := merge (deepCopy .) (dict "extraLabels" .Values.extraLabels) }}
+  labels: {{ include "vm-operator.labels" $ctx | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
 rules:
 - apiGroups:
   - ""
   resources:
   - configmaps
   - configmaps/finalizers
-  verbs:
-  - "*"
-- apiGroups:
-  - ""
-  resources:
   - endpoints
-  verbs:
-  - "*"
-- apiGroups:
-  - ""
-  resources:
   - events
-  verbs:
-  - "*"
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
   - persistentvolumeclaims
   - persistentvolumeclaims/finalizers
-  verbs:
-  - "*"
-- apiGroups:
-  - ""
-  resources:
   - pods
-  verbs:
-  - "*"
-- apiGroups:
-  - ""
-  resources:
   - secrets
   - secrets/finalizers
-  verbs:
-  - "*"
-- apiGroups:
-  - ""
-  resources:
   - services
   - services/finalizers
+  - serviceaccounts
+  - serviceaccounts/finalizers
   verbs:
   - "*"
 - apiGroups:
   - ""
   resources:
-    - serviceaccounts
-    - serviceaccounts/finalizers
-  verbs:
-  - "*"
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-- apiGroups:
-  - ""
-  resources:
+  - configmaps/status
   - nodes
   - nodes/proxy
-  - services
-  - endpoints
-  - pods
-  - endpointslices
-  - configmaps
   - nodes/metrics
   - namespaces
   verbs:
@@ -106,76 +79,6 @@ rules:
   - "*"
   verbs:
   - "*"
-- apiGroups:
-  - operator.victoriametrics.com
-  resources:
-  - vlogs
-  - vlogs/finalizers
-  - vmagents
-  - vmagents/finalizers
-  - vmalertmanagers
-  - vmalertmanagers/finalizers
-  - vmalertmanagerconfigs
-  - vmalertmanagerconfigs/finalizers
-  - vmalerts
-  - vmalerts/finalizers
-  - vmauths
-  - vmauths/finalizers
-  - vmusers
-  - vmusers/finalizers
-  - vmclusters
-  - vmclusters/finalizers
-  - vmpodscrapes
-  - vmpodscrapes/finalizers
-  - vmrules
-  - vmrules/finalizers
-  - vmservicescrapes
-  - vmservicescrapes/finalizers
-  - vmprobes
-  - vmprobes/finalizers
-  - vmsingles
-  - vmsingles/finalizers
-  - vmnodescrapes
-  - vmnodescrapes/finalizers
-  - vmstaticscrapes
-  - vmstaticscrapes/finalizers
-  - vmscrapeconfigs
-  - vmscrapeconfigs/finalizers
-  verbs:
-      - '*'
-- apiGroups:
-  - operator.victoriametrics.com
-  resources:
-  - vlogs/status
-  - vmagents/status
-  - vmalertmanagers/status
-  - vmalertmanagerconfigs/status
-  - vmalerts/status
-  - vmclusters/status
-  - vmpodscrapes/status
-  - vmscrapeconfigs/status
-  - vmrules/status
-  - vmservicescrapes/status
-  - vmprobes/status
-  - vmsingles/status
-  - vmscrapeconfig/status
-  - vmusers/status
-  - vmauths/status
-  - vmstaticscrapes/status
-  - vmnodescrapes/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - extensions
-  - networking.k8s.io
-  resources:
-  - ingresses
-  verbs:
-  - get
-  - list
-  - watch
 - nonResourceURLs:
   - /metrics
   - /metrics/resources
@@ -225,17 +128,11 @@ rules:
   - horizontalpodautoscalers
 - apiGroups:
   - networking.k8s.io
-  - extensions
   resources:
   - ingresses
   - ingresses/finalizers
   verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-  - watch
+  - "*"
 - apiGroups:
   - apiextensions.k8s.io
   resources:
@@ -251,4 +148,42 @@ rules:
   - list
   - watch
   - get
-{{- end -}}
+{{ toYaml $rules.admin }}
+{{- end }}
+{{- if or .Values.cleanupCRD .Values.crd.cleanup.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "vm-operator.cleanupHookName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "vm-operator.labels" . | nindent 4 }}
+  annotations: {{ include "vm-operator.cleanup.annotations" (dict "hookWeight" "-5") | nindent 4 }}
+rules: {{ toYaml $rules.admin | nindent 2 }}
+{{- end }}
+
+{{- if or .Values.createCRD .Values.crd.create .Values.rbac.aggregatedClusterRoles.enabled }}
+{{- /* This template generates readonly and admin cluster roles for */ -}}
+{{- /* each CRD present in the helm chart.  The clusterroles use the */ -}}
+{{- /* kubernetes clusterrole aggregation feature to include these */ -}}
+{{- /* cluster roles into the default view and admin roles */ -}}
+{{- /* See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles */}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: victoriametrics:admin
+  labels:
+    {{- include "vm-operator.labels" . | nindent 4 }}
+    {{- .Values.rbac.aggregatedClusterRoles.labels.admin | toYaml | nindent 4 }}
+rules: {{ toYaml $rules.admin | nindent 2 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: victoriametrics:view
+  labels:
+    {{- include "vm-operator.labels" . | nindent 4 }}
+    {{- .Values.rbac.aggregatedClusterRoles.labels.view | toYaml | nindent 4 }}
+rules: {{ toYaml $rules.view | nindent 2 }}
+{{- end }}
diff --git a/charts/victoria-metrics-operator/templates/clusterrole_binding.yaml b/charts/victoria-metrics-operator/templates/clusterrole_binding.yaml
diff --git a/charts/victoria-metrics-operator/templates/crb.yaml b/charts/victoria-metrics-operator/templates/crb.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.create -}}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "vm-operator.fullname" . }}
+  {{- $ctx := merge (deepCopy .) (dict "extraLabels" .Values.extraLabels) }}
+  labels: {{ include "vm-operator.labels" $ctx | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "vm-operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "vm-operator.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}
+{{- if or .Values.cleanupCRD .Values.crd.cleanup.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "vm-operator.cleanupHookName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "vm-operator.labels" . | nindent 4 }}
+  annotations: {{ include "vm-operator.cleanup.annotations" (dict "hookWeight" "-4") | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "vm-operator.cleanupHookName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "vm-operator.cleanupHookName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}