diff --git a/charts/victoria-metrics-operator/CHANGELOG.md b/charts/victoria-metrics-operator/CHANGELOG.md index 39b87bdc6..65f89b0b0 100644 --- a/charts/victoria-metrics-operator/CHANGELOG.md +++ b/charts/victoria-metrics-operator/CHANGELOG.md @@ -2,7 +2,9 @@ ## Next release -- TODO +- Made `cleanupCRD` deprecated in a favour of `crd.cleanup.enabled` +- Made `cleanupImage` deprecated in a favour of `crd.cleanup.image` +- Made `watchNamespace` string deprecated in a favour of `watchNamespaces` slice ## 0.34.5 diff --git a/charts/victoria-metrics-operator/README.md b/charts/victoria-metrics-operator/README.md index ec08bb049..5a5753307 100644 --- a/charts/victoria-metrics-operator/README.md +++ b/charts/victoria-metrics-operator/README.md 
@@ -179,10 +179,14 @@ Change the values according to the need of the environment in ``victoria-metrics | admissionWebhooks.policy | string | `"Fail"` | What to do in case, when operator not available to validate request. | | affinity | object | `{}` | Pod affinity | | annotations | object | `{}` | Annotations to be added to the all resources | -| cleanupCRD | bool | `false` | Tells helm to clean up all the vm resources under this release's namespace when uninstalling | -| cleanupImage.pullPolicy | string | `"IfNotPresent"` | | -| cleanupImage.repository | string | `"bitnami/kubectl"` | | -| createCRD | bool | `true` | with this option, if you remove this chart, all crd resources will be deleted with it. | +| cleanupCRD | bool | `false` | deprecated. See `crd.cleanup.enabled` | +| cleanupImage | object | `{"pullPolicy":"IfNotPresent","repository":"bitnami/kubectl","tag":"{{ printf \"%s.%s\" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor | replace \"+\" \"\" }}"}` | deprecated. See `crd.cleanup.image` | +| crd.cleanup.enabled | bool | `false` | Tells helm to clean up all the vm resources under this release's namespace when uninstalling | +| crd.cleanup.image.pullPolicy | string | `"IfNotPresent"` | | +| crd.cleanup.image.repository | string | `"bitnami/kubectl"` | | +| crd.cleanup.image.tag | string | `"{{ printf \"%s.%s\" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor | replace \"+\" \"\" }}"` | | +| crd.create | bool | `true` | with this option, if you remove this chart, all crd resources will be deleted with it. | +| createCRD | bool | `true` | deprecated. See `crd.create` | | env | list | `[]` | extra settings for the operator deployment. full list Ref: [https://github.com/VictoriaMetrics/operator/blob/master/vars.MD](https://github.com/VictoriaMetrics/operator/blob/master/vars.MD) | | envFrom | list | `[]` | | | extraArgs | object | `{}` | operator container additional commandline arguments | 
@@ -248,4 +252,5 @@ Change the values according to the need of the environment in ``victoria-metrics | serviceMonitor | object | `{"annotations":{},"basicAuth":{},"enabled":false,"extraLabels":{},"interval":"","relabelings":[],"scheme":"","scrapeTimeout":"","tlsConfig":{}}` | configures monitoring with serviceScrape. VMServiceScrape must be pre-installed | | tolerations | list | `[]` | Array of tolerations object. Ref: [https://kubernetes.io/docs/concepts/configuration/assign-pod-node/](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) | | topologySpreadConstraints | list | `[]` | Pod Topology Spread Constraints. Ref: [https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/) | -| watchNamespace | string | `""` | | +| watchNamespace | string | `""` | deprecated. See `watchNamespaces` | +| watchNamespaces | list | `[]` | | diff --git a/charts/victoria-metrics-operator/templates/_helpers.tpl b/charts/victoria-metrics-operator/templates/_helpers.tpl index 6d380a899..e37740861 100644 --- a/charts/victoria-metrics-operator/templates/_helpers.tpl +++ b/charts/victoria-metrics-operator/templates/_helpers.tpl @@ -6,6 +6,12 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "vm-operator.cleanup.annotations" -}} +"helm.sh/hook": pre-delete +"helm.sh/hook-weight": "{{ .hookWeight }}" +"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +{{- end }} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). diff --git a/charts/victoria-metrics-operator/templates/cluster_role.yaml b/charts/victoria-metrics-operator/templates/cluster_role.yaml index cfd87c4d8..d49308779 100644 --- a/charts/victoria-metrics-operator/templates/cluster_role.yaml 
+++ b/charts/victoria-metrics-operator/templates/cluster_role.yaml 
@@ -1,88 +1,61 @@ -{{- if and .Values.rbac.create (not .Values.watchNamespace) -}} +{{- $files := .Files }} +{{- $fileContentsList := $files.Get "crd.yaml" | splitList "---" }} +{{- $groups := dict }} +{{- range $fileContentsList }} + {{- $fileContents := . | fromYaml }} + {{- $group := $fileContents.spec.group }} + {{- $plural:= $fileContents.spec.names.plural }} + {{- $resources := get $groups $group | default (list) }} + {{- $resources = concat $resources (list $plural (printf "%s/finalizers" $plural) (printf "%s/status" $plural)) }} + {{- $groups = set $groups $group $resources }} +{{- end }} + +{{- $rules := default dict }} +{{- $verbs := dict "admin" (list "*") "view" (list "get" "list" "watch") }} +{{- range $group, $resources := $groups }} + {{- range $name, $v := $verbs }} + {{- $r := index $rules $name | default list -}} + {{- $r = append $r (dict "apiGroups" (list $group) "resources" $resources "verbs" $v) -}} + {{- $_ := set $rules $name $r }} + {{- end }} +{{- end -}} + +{{- if .Values.rbac.create }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "vm-operator.fullname" . }} - labels: -{{ include "vm-operator.labels" . | indent 4 }} + {{- $ctx := merge (deepCopy .) (dict "extraLabels" .Values.extraLabels) }} + labels: {{ include "vm-operator.labels" $ctx | nindent 4 }} + {{- with .Values.annotations }} + annotations: {{ toYaml . 
| nindent 4 }} + {{- end }} rules: - apiGroups: - "" resources: - configmaps - configmaps/finalizers - verbs: - - "*" -- apiGroups: - - "" - resources: - endpoints - verbs: - - "*" -- apiGroups: - - "" - resources: - events - verbs: - - "*" -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - persistentvolumeclaims - persistentvolumeclaims/finalizers - verbs: - - "*" -- apiGroups: - - "" - resources: - pods - verbs: - - "*" -- apiGroups: - - "" - resources: - secrets - secrets/finalizers - verbs: - - "*" -- apiGroups: - - "" - resources: - services - services/finalizers + - serviceaccounts + - serviceaccounts/finalizers verbs: - "*" - apiGroups: - "" resources: - - serviceaccounts - - serviceaccounts/finalizers - verbs: - - "*" -- apiGroups: - - "" - resources: - - events - verbs: - - create -- apiGroups: - - "" - resources: + - configmaps/status - nodes - nodes/proxy - - services - - endpoints - - pods - - endpointslices - - configmaps - nodes/metrics - namespaces verbs: 
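Review bot: Dropping `(not .Values.watchNamespace)` from the guard means this ClusterRole, which grants `*` on secrets, pods, serviceaccounts and the other core resources listed below it, is now rendered even when the operator is limited to specific namespaces through `watchNamespace` or `watchNamespaces`. The ClusterRoleBinding in crb.yaml is gated the same way, and role.yaml loses the namespaced rules that used to stand in for it, so a namespace-restricted install moves from namespace-scoped to cluster-wide access to secrets. If that is intended, state it next to `watchNamespaces` in values.yaml and in the changelog; otherwise keep the guard, e.g. `{{- if and .Values.rbac.create (not .Values.watchNamespace) (empty .Values.watchNamespaces) }}`, and render a Role/RoleBinding per watched namespace. Separately, the CRD loop at the top now runs on every render and reads `$fileContents.spec.group` without skipping empty documents produced by `splitList "---"`, which would likely fail the template if crd.yaml begins or ends with a separator.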
@@ -106,76 +79,6 @@ rules: - "*" verbs: - "*" -- apiGroups: - - operator.victoriametrics.com - resources: - - vlogs - - vlogs/finalizers - - vmagents - - vmagents/finalizers - - vmalertmanagers - - vmalertmanagers/finalizers - - vmalertmanagerconfigs - - vmalertmanagerconfigs/finalizers - - vmalerts - - vmalerts/finalizers - - vmauths - - vmauths/finalizers - - vmusers - - vmusers/finalizers - - vmclusters - - vmclusters/finalizers - - vmpodscrapes - - vmpodscrapes/finalizers - - vmrules - - vmrules/finalizers - - vmservicescrapes - - vmservicescrapes/finalizers - - vmprobes - - vmprobes/finalizers - - vmsingles - - vmsingles/finalizers - - vmnodescrapes - - vmnodescrapes/finalizers - - vmstaticscrapes - - vmstaticscrapes/finalizers - - vmscrapeconfigs - - vmscrapeconfigs/finalizers - verbs: - - '*' -- apiGroups: - - operator.victoriametrics.com - resources: - - vlogs/status - - vmagents/status - - vmalertmanagers/status - - vmalertmanagerconfigs/status - - vmalerts/status - - vmclusters/status - - vmpodscrapes/status - - vmscrapeconfigs/status - - vmrules/status - - vmservicescrapes/status - - vmprobes/status - - vmsingles/status - - vmscrapeconfig/status - - vmusers/status - - vmauths/status - - vmstaticscrapes/status - - vmnodescrapes/status - verbs: - - get - - patch - - update -- apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - nonResourceURLs: - /metrics - /metrics/resources @@ -225,17 +128,11 @@ rules: - horizontalpodautoscalers - apiGroups: - networking.k8s.io - - extensions resources: - ingresses - ingresses/finalizers verbs: - - create - - delete - - get - - patch - - update - - watch + - "*" - apiGroups: - apiextensions.k8s.io resources: 
@@ -251,4 +148,42 @@ rules: - list - watch - get -{{- end -}} +{{ toYaml $rules.admin }} +{{- end }} +{{- if or .Values.cleanupCRD .Values.crd.cleanup.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "vm-operator.cleanupHookName" . }} + namespace: {{ .Release.Namespace }} + labels: {{ include "vm-operator.labels" . | nindent 4 }} + annotations: {{ include "vm-operator.cleanup.annotations" (dict "hookWeight" "-5") | nindent 4 }} +rules: {{ toYaml $rules.admin | nindent 2 }} +{{- end }} + +{{- if or .Values.createCRD .Values.crd.create .Values.rbac.aggregatedClusterRoles.enabled }} +{{- /* This template generates readonly and admin cluster roles for */ -}} +{{- /* each CRD present in the helm chart. The clusterroles use the */ -}} +{{- /* kubernetes clusterrole aggregation feature to include these */ -}} +{{- /* cluster roles into the default view and admin roles */ -}} +{{- /* See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles */}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: victoriametrics:admin + labels: + {{- include "vm-operator.labels" . | nindent 4 }} + {{- .Values.rbac.aggregatedClusterRoles.labels.admin | toYaml | nindent 4 }} +rules: {{ toYaml $rules.admin | nindent 2 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: victoriametrics:view + labels: + {{- include "vm-operator.labels" . | nindent 4 }} + {{- .Values.rbac.aggregatedClusterRoles.labels.view | toYaml | nindent 4 }} +rules: {{ toYaml $rules.view | nindent 2 }} +{{- end }} diff --git a/charts/victoria-metrics-operator/templates/clusterrole_binding.yaml b/charts/victoria-metrics-operator/templates/clusterrole_binding.yaml deleted file mode 100644 index cd0e55d7b..000000000 --- a/charts/victoria-metrics-operator/templates/clusterrole_binding.yaml +++ /dev/null 
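Review bot: The gate on the aggregated roles uses `or` across `createCRD`, `crd.create` and `rbac.aggregatedClusterRoles.enabled`, whereas the removed crd_clusterrole.yaml required CRD creation and the aggregation flag together. With `createCRD` and `crd.create` both defaulting to `true` in values.yaml, setting `rbac.aggregatedClusterRoles.enabled: false` no longer stops `victoriametrics:admin` and `victoriametrics:view` from being rendered with the labels from `rbac.aggregatedClusterRoles.labels`, and the admin role now carries `*` plus `/finalizers` and `/status` instead of the explicit verb list. Suggest `{{- if and (or .Values.createCRD .Values.crd.create) .Values.rbac.aggregatedClusterRoles.enabled }}`. The same `or` over a deprecated key that defaults to `true` means `crd.create: false` alone has no effect here unless `createCRD` is also turned off.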
@@ -1,23 +0,0 @@ -{{- if and .Values.rbac.create (not .Values.watchNamespace) -}} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "vm-operator.fullname" . }} - labels: -{{ include "vm-operator.labels" . | indent 4 }} -{{- with .Values.extraLabels }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -subjects: -- kind: ServiceAccount - name: {{ template "vm-operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ include "vm-operator.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end -}} diff --git a/charts/victoria-metrics-operator/templates/crb.yaml b/charts/victoria-metrics-operator/templates/crb.yaml new file mode 100644 index 000000000..294dcefac --- /dev/null +++ b/charts/victoria-metrics-operator/templates/crb.yaml 
@@ -0,0 +1,37 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "vm-operator.fullname" . }} + {{- $ctx := merge (deepCopy .) (dict "extraLabels" .Values.extraLabels) }} + labels: {{ include "vm-operator.labels" $ctx | nindent 4 }} + {{- with .Values.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "vm-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "vm-operator.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end -}} +{{- if or .Values.cleanupCRD .Values.crd.cleanup.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "vm-operator.cleanupHookName" . }} + namespace: {{ .Release.Namespace }} + labels: {{ include "vm-operator.labels" . | nindent 4 }} + annotations: {{ include "vm-operator.cleanup.annotations" (dict "hookWeight" "-4") | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "vm-operator.cleanupHookName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "vm-operator.cleanupHookName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/victoria-metrics-operator/templates/crd_clusterrole.yaml b/charts/victoria-metrics-operator/templates/crd_clusterrole.yaml deleted file mode 100644 index 7054055c7..000000000 --- a/charts/victoria-metrics-operator/templates/crd_clusterrole.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{- /* This template generates readonly and admin cluster roles for */ -}} -{{- /* each CRD present in the helm chart. The clusterroles use the */ -}} -{{- /* kubernetes clusterrole aggregation feature to include these */ -}} -{{- /* cluster roles into the default view and admin roles */ -}} -{{- /* See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles */ -}} -{{- if .Values.createCRD }} -{{- if .Values.rbac.aggregatedClusterRoles.enabled }} -{{- $files := .Files }} -{{- $fileContentsList := $files.Get "crd.yaml" | splitList "---" }} -{{- $groups := dict }} -{{- range $fileContentsList }} - {{- $fileContents := . | fromYaml }} - {{- $group := $fileContents.spec.group }} - {{- $plural:= $fileContents.spec.names.plural }} - {{- $resources := get $groups $group | default (list) }} - {{- $resources := append $resources $plural }} - {{- $groups := set $groups $group $resources }} -{{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: victoriametrics:admin - labels: - {{- include "vm-operator.labels" . | nindent 4 }} - {{- .Values.rbac.aggregatedClusterRoles.labels.admin | toYaml | nindent 4 }} -rules: -- apiGroups: - {{- range $group, $resources := $groups }} - - {{ $group }} - resources: - {{- range $resource := $resources }} - - {{ $resource }} - {{- end }} - {{- end }} - verbs: - - create - - update - - patch - - delete - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: victoriametrics:view - labels: - {{- include "vm-operator.labels" . | nindent 4 }} - {{- .Values.rbac.aggregatedClusterRoles.labels.view | toYaml | nindent 4 }} -rules: -- apiGroups: - {{- range $group, $resources := $groups }} - - {{ $group }} - resources: - {{- range $resource := $resources }} - - {{ $resource }} - {{- end }} - {{- end }} - verbs: - - get - - list - - watch -{{- end }} -{{- end }} 
diff --git a/charts/victoria-metrics-operator/templates/deployment.yaml b/charts/victoria-metrics-operator/templates/deployment.yaml index 534bcffd8..d5385f6f3 100644 --- a/charts/victoria-metrics-operator/templates/deployment.yaml +++ b/charts/victoria-metrics-operator/templates/deployment.yaml @@ -37,12 +37,14 @@ spec: envFrom: {{ toYaml . | nindent 12 }} {{- end }} env: - {{- range .Values.env }} + {{- range .Values.env }} - name: {{ .name }} value: {{ .value | quote }} - {{- end }} + {{- end }} + {{- if or .Values.watchNamespace .Values.watchNamespaces }} - name: WATCH_NAMESPACE - value: {{ .Values.watchNamespace | quote }} + value: {{ ternary .Values.watchNamespace (.Values.watchNamespaces | join "," | quote) (empty .Values.watchNamespaces) }} + {{- end }} - name: POD_NAME valueFrom: fieldRef: diff --git a/charts/victoria-metrics-operator/templates/role_binding.yaml b/charts/victoria-metrics-operator/templates/rb.yaml similarity index 65% rename from charts/victoria-metrics-operator/templates/role_binding.yaml rename to charts/victoria-metrics-operator/templates/rb.yaml index e30cfaa2b..7d9107430 100644 --- a/charts/victoria-metrics-operator/templates/role_binding.yaml +++ b/charts/victoria-metrics-operator/templates/rb.yaml @@ -4,15 +4,11 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "vm-operator.fullname" . }} namespace: {{ .Release.Namespace }} - labels: -{{ include "vm-operator.labels" . | indent 4 }} -{{- with .Values.extraLabels }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- $ctx := merge (deepCopy .) (dict "extraLabels" .Values.extraLabels) }} + labels: {{ include "vm-operator.labels" $ctx | nindent 4 }} + {{- with .Values.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} subjects: - kind: ServiceAccount name: {{ template "vm-operator.serviceAccountName" . }} 
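Review bot: In the new `WATCH_NAMESPACE` value only the `watchNamespaces` branch of the `ternary` is piped through `quote`; the legacy `.Values.watchNamespace` branch is now emitted bare, where the old line quoted it. A namespace name that YAML reads as a number or boolean (an all-digit name, for example) would render a non-string env value, which the API server rejects. Apply `quote` to the result instead: `value: {{ ternary .Values.watchNamespace (.Values.watchNamespaces | join ",") (empty .Values.watchNamespaces) | quote }}`. When both keys are set the list silently wins, which is worth a line in the values.yaml comment. The container spec continues outside the hunk.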
diff --git a/charts/victoria-metrics-operator/templates/role.yaml b/charts/victoria-metrics-operator/templates/role.yaml index d77d41de0..8ef2ce1d0 100644 --- a/charts/victoria-metrics-operator/templates/role.yaml +++ b/charts/victoria-metrics-operator/templates/role.yaml @@ -3,15 +3,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vm-operator.fullname" . }} - labels: -{{ include "vm-operator.labels" . | indent 4 }} -{{- with .Values.extraLabels }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- $ctx := merge (deepCopy .) (dict "extraLabels" .Values.extraLabels) }} + labels: {{ include "vm-operator.labels" $ctx | nindent 4 }} + {{- with .Values.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} namespace: {{ .Release.Namespace }} rules: - apiGroups: 
@@ -49,162 +45,4 @@ rules: - update resources: - leases -{{ if .Values.watchNamespace }} -- apiGroups: - - "" - resources: - - endpoints - - endpointslices - verbs: - - list - - watch - - get -- apiGroups: - - "" - resources: - - pods - - configmaps - - configmaps/finalizers - - persistentvolumeclaims - - persistentvolumeclaims/finalizers - - secrets - - secrets/finalizers - - services - - services/finalizers - - serviceaccounts - - serviceaccounts/finalizers - verbs: - - "*" -- apiGroups: - - apps - resources: - - deployments - - deployments/finalizers - - replicasets - - statefulsets - - statefulsets/finalizers - - statefulsets/status - verbs: - - "*" -- apiGroups: - - policy - resources: - - poddisruptionbudgets - - poddisruptionbudgets/finalizers - verbs: - - "*" -- apiGroups: - - monitoring.coreos.com - resources: - - "*" - verbs: - - "*" -- apiGroups: - - operator.victoriametrics.com - resources: - - vlogs - - vlogs/finalizers - - vmagents - - vmagents/finalizers - - vmalertmanagers - - vmalertmanagers/finalizers - - vmalertmanagerconfigs - - vmalertmanagerconfigs/finalizers - - vmalerts - - vmalerts/finalizers - - vmauths - - vmauths/finalizers - - vmusers - - vmusers/finalizers - - vmclusters - - vmclusters/finalizers - - vmpodscrapes - - vmpodscrapes/finalizers - - vmrules - - vmrules/finalizers - - vmservicescrapes - - vmservicescrapes/finalizers - - vmprobes - - vmprobes/finalizers - - vmsingles - - vmsingles/finalizers - - vmnodescrapes - - vmnodescrapes/finalizers - - vmstaticscrapes - - vmstaticscrapes/finalizers - - vmscrapeconfigs - - vmscrapeconfigs/finalizers - verbs: - - '*' -- apiGroups: - - operator.victoriametrics.com - resources: - - vlogs/status - - vmagents/status - - vmalertmanagers/status - - vmalertmanagerconfigs/status - - vmalerts/status - - vmclusters/status - - vmpodscrapes/status - - vmscrapeconfigs/status - - vmrules/status - - vmservicescrapes/status - - vmprobes/status - - vmsingles/status - - vmscrapeconfig/status - - 
vmusers/status - - vmauths/status - - vmstaticscrapes/status - - vmnodescrapes/status - verbs: - - get - - patch - - update -- apiGroups: - - extensions - - "extensions" - - networking.k8s.io - - "networking.k8s.io" - resources: - - ingresses - verbs: - - get - - list - - watch - - delete -- apiGroups: - - "rbac.authorization.k8s.io" - resources: - - roles - - rolebindings - verbs: - - "*" -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - "*" -- apiGroups: - - networking.k8s.io - - extensions - resources: - - ingresses - - ingresses/finalizers - verbs: - - create - - get - - patch - - update - - watch - - delete -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - - get -{{- end -}} {{- end -}} diff --git a/charts/victoria-metrics-operator/templates/service_account.yaml b/charts/victoria-metrics-operator/templates/service_account.yaml index 66da92830..919ad7710 100644 --- a/charts/victoria-metrics-operator/templates/service_account.yaml +++ b/charts/victoria-metrics-operator/templates/service_account.yaml 
@@ -4,13 +4,21 @@ kind: ServiceAccount metadata: name: {{ template "vm-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} - labels: -{{ include "vm-operator.labels" . | indent 4 }} -{{- with .Values.extraLabels }} -{{ toYaml . | indent 4 }} + labels: {{ include "vm-operator.labels" . | nindent 4 }} + {{- with .Values.extraLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} {{- end }} -{{- with .Values.annotations }} - annotations: -{{ toYaml . | indent 4 }} +{{- if or .Values.cleanupCRD .Values.crd.cleanup.enabled }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "vm-operator.cleanupHookName" . }} + namespace: {{ .Release.Namespace }} + labels: {{ include "vm-operator.labels" . | nindent 4 }} + annotations: {{ include "vm-operator.cleanup.annotations" (dict "hookWeight" "-5") | nindent 4 }} {{- end }} -{{- end -}} diff --git a/charts/victoria-metrics-operator/templates/uninstall_hook.yaml b/charts/victoria-metrics-operator/templates/uninstall_hook.yaml index b48ddfdce..bbe704ab8 100644 --- a/charts/victoria-metrics-operator/templates/uninstall_hook.yaml +++ b/charts/victoria-metrics-operator/templates/uninstall_hook.yaml @@ -1,9 +1,6 @@ -{{- define "cleanupHookName.annotations" -}} -"helm.sh/hook": pre-delete -"helm.sh/hook-weight": "{{ .hookWeight }}" -"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -{{- end }} -{{- if .Values.cleanupCRD }} +{{- if or .Values.cleanupCRD .Values.crd.cleanup.enabled }} +{{- $app := ternary .Values.crd.cleanup (dict "image" .Values.cleanupImage) .Values.crd.cleanup.enabled }} +{{- $global := (dict "Values" (deepCopy .Values) "Release" (deepCopy .Release) "Chart" (deepCopy .Chart) "Template" (deepCopy .Template) "Capabilities" (deepCopy .Capabilities)) }} --- apiVersion: batch/v1 kind: Job 
@@ -11,8 +8,7 @@ metadata: name: {{ include "vm-operator.cleanupHookName" . }} namespace: {{ .Release.Namespace }} labels: {{ include "vm-operator.labels" . | nindent 4 }} - {{ $_ := set . "hookWeight" "-3" }} - annotations: {{ include "cleanupHookName.annotations" . | nindent 4 }} + annotations: {{ include "vm-operator.cleanup.annotations" (dict "hookWeight" "-3") | nindent 4 }} spec: template: metadata: @@ -25,8 +21,8 @@ spec: {{- end }} containers: - name: kubectl - image: {{ (index .Values "cleanupImage" "repository") }}:{{ (index .Values "cleanupImage" "tag" | default (printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor | replace "+" "")) }} - imagePullPolicy: {{ (index .Values "cleanupImage" "pullPolicy") }} + image: {{ include "vm.image" (merge (deepCopy $global) (dict "app" $app)) }} + imagePullPolicy: {{ $app.image.pullPolicy }} resources: limits: cpu: "500m" @@ -36,7 +32,7 @@ spec: memory: "56Mi" args: - delete - - vlogs,vmagents,vmalertmanagers,vmalerts,vmauths,vmclusters,vmsingles,vmusers + - {{ (keys .Values.admissionWebhooks.enabledCRDValidation) | join "," }} - --all - --ignore-not-found=true restartPolicy: OnFailure 
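Review bot: The resource list passed to `kubectl delete` is now built with `keys`, which returns map keys in no guaranteed order and ignores each entry's value, so the rendered Job can differ between renders and a kind whose validation is set to `false` is still deleted with `--all`. An empty `enabledCRDValidation` map would render an empty list item in `args`. Suggest `- {{ keys .Values.admissionWebhooks.enabledCRDValidation | sortAlpha | join "," | quote }}` and skipping the Job when the map is empty; whether those keys are the plural resource names kubectl expects is not visible in this diff. The Job spec continues outside the hunk.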
@@ -49,46 +45,4 @@ spec: {{- with .Values.tolerations }} tolerations: {{ toYaml . | nindent 8 }} {{- end }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "vm-operator.cleanupHookName" . }} - namespace: {{ .Release.Namespace }} - labels: {{ include "vm-operator.labels" . | nindent 4 }} - {{ $_ := set . "hookWeight" "-5" }} - annotations: {{ include "cleanupHookName.annotations" . | nindent 4 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "vm-operator.cleanupHookName" . }} - namespace: {{ .Release.Namespace }} - labels: {{ include "vm-operator.labels" . | nindent 4 }} - {{ $_ := set . "hookWeight" "-4" }} - annotations: {{ include "cleanupHookName.annotations" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "vm-operator.cleanupHookName" . }} -subjects: - - kind: ServiceAccount - name: {{ include "vm-operator.cleanupHookName" . }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "vm-operator.cleanupHookName" . }} - namespace: {{ .Release.Namespace }} - labels: {{ include "vm-operator.labels" . | nindent 4 }} - {{ $_ := set . "hookWeight" "-5" }} - annotations: {{ include "cleanupHookName.annotations" . | nindent 4 }} -rules: - - apiGroups: ["operator.victoriametrics.com"] - resources: - {{- range $crd, $config := .Values.admissionWebhooks.enabledCRDValidation }} - - {{ $crd }} - {{- end }} - verbs: ["*"] {{- end }} diff --git a/charts/victoria-metrics-operator/values.yaml b/charts/victoria-metrics-operator/values.yaml index c05f9a147..d4a6ca79c 100644 --- a/charts/victoria-metrics-operator/values.yaml +++ b/charts/victoria-metrics-operator/values.yaml 
@@ -21,18 +21,31 @@ image: # -- Image pull policy pullPolicy: IfNotPresent -# -- enables CRD creation and management. -# -- with this option, if you remove this chart, all crd resources will be deleted with it. +# -- deprecated. See `crd.create` createCRD: true -# -- Tells helm to clean up all the vm resources under this release's namespace when uninstalling +# -- deprecated. See `crd.cleanup.enabled` cleanupCRD: false + +# -- deprecated. See `crd.cleanup.image` cleanupImage: repository: bitnami/kubectl - # use image tag that matches k8s API version by default - # tag: 1.29.6 + tag: '{{ printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor | replace "+" "" }}' pullPolicy: IfNotPresent +crd: + # -- enables CRD creation and management. + # -- with this option, if you remove this chart, all crd resources will be deleted with it. + create: true + cleanup: + # -- Tells helm to clean up all the vm resources under this release's namespace when uninstalling + enabled: false + image: + repository: bitnami/kubectl + # use image tag that matches k8s API version by default + tag: '{{ printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor | replace "+" "" }}' + pullPolicy: IfNotPresent + replicaCount: 1 # -- Secret to pull images @@ -83,10 +96,13 @@ operator: # It should reduce vmagent and vmauth config sync-time and make it predictable. useCustomConfigReloader: false +# -- deprecated. See `watchNamespaces` +watchNamespace: "" + # By default, the operator will watch all the namespaces # If you want to override this behavior, specify the namespace. -# Operator supports only single namespace for watching. -watchNamespace: "" +# Operator supports multiple namespaces for watching. +watchNamespaces: [] serviceAccount: # -- Specifies whether a service account should be created
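Review bot: `crd.cleanup.image` remains a tag-only reference to a third-party image (`bitnami/kubectl`, tag derived from the cluster's minor version, `IfNotPresent`), and the Job that runs it is bound to the cleanup ClusterRole with `*` on every operator CRD. The comment above `image:` should say so and point operators at overriding it, for example `# runs with cluster-wide delete rights on operator CRs; use a mirrored, pinned image in production`. The tag is now a Go template string inside values, so it only resolves if the `vm.image` helper passes it through `tpl`; that helper is not part of this diff and should be checked.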