diff --git a/api/operator/v1beta1/vmextra_types.go b/api/operator/v1beta1/vmextra_types.go
index 0896555b..6504a1a5 100644
--- a/api/operator/v1beta1/vmextra_types.go
+++ b/api/operator/v1beta1/vmextra_types.go
@@ -42,6 +42,7 @@ const (
 // FinalizerName name of vm-operator finalizer.
 FinalizerName = "apps.victoriametrics.com/finalizer"
 SkipValidationAnnotation = "operator.victoriametrics.com/skip-validation"
+ APIGroup = "operator.victoriametrics.com"
 SkipValidationValue = "true"
 AdditionalServiceLabel = "operator.victoriametrics.com/additional-service"
 // PVCExpandableLabel controls checks for storageClass
@@ -131,19 +132,37 @@ func isContainsFinalizer(src []string) bool {
 // RemoveFinalizer - removes vm-operator finalizer from finalizers list.
 // executes provided callback if finalizer found
 func RemoveFinalizer(src client.Object, andThen func(client.Object) error) error {
+ return RemoveFinalizerWithOwnerReference(src, true, andThen)
+}
+
+func RemoveFinalizerWithOwnerReference(src client.Object, keepOwnerReference bool, andThen func(client.Object) error) error {
 existFinalizers := src.GetFinalizers()
- var wasFinalizerFound bool
- dst := existFinalizers[:0]
+ var wasFound bool
+ dstFinalizers := existFinalizers[:0]
 // filter in-place
 for _, s := range existFinalizers {
 if s == FinalizerName {
- wasFinalizerFound = true
+ wasFound = true
 continue
 }
- dst = append(dst, s)
+ dstFinalizers = append(dstFinalizers, s)
+ }
+ src.SetFinalizers(dstFinalizers)
+ if !keepOwnerReference {
+ existOwnerReferences := src.GetOwnerReferences()
+ dstOwnerReferences := existOwnerReferences[:0]
+ // filter in-place
+ for _, s := range existOwnerReferences {
+ if strings.HasPrefix(s.APIVersion, APIGroup) {
+ wasFound = true
+ continue
+ }
+ dstOwnerReferences = append(dstOwnerReferences, s)
+ }
+ src.SetOwnerReferences(dstOwnerReferences)
 }
- src.SetFinalizers(dst)
- if wasFinalizerFound && andThen != nil {
+
+ if wasFound && andThen != nil {
 return andThen(src)
 }
 return nil
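Review bot: `strings.HasPrefix(s.APIVersion, APIGroup)` in RemoveFinalizerWithOwnerReference matches any API group that merely begins with `operator.victoriametrics.com`, and it strips every owner reference in that group rather than the one pointing at the CR being deleted, so an object that is also owned by a second operator CR is silently orphaned from it. A tighter test is `strings.HasPrefix(s.APIVersion, APIGroup+"/")`; comparing the owner UID would be more precise still, but this function is not given the owner. The exported function has no doc comment, and the comment on RemoveFinalizer ("executes provided callback if finalizer found") no longer describes the contract, because `wasFound` is also set when an owner reference is removed while the finalizer was absent; a comment such as `// RemoveFinalizerWithOwnerReference removes the vm-operator finalizer and, when keepOwnerReference is false, every ownerReference in the operator API group; andThen runs if either was removed.` would state it. The new code needs a `strings` import, which is outside this hunk, and the function's closing brace is outside the hunk as well.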
diff --git a/docs/vars.md b/docs/vars.md index 17fa498e..9e75865c 100644 --- a/docs/vars.md +++ b/docs/vars.md @@ -10,14 +10,14 @@ aliases: - /operator/vars/index.html --- - updated at Fri Aug 9 18:57:09 UTC 2024 + updated at Fri Aug 30 10:04:35 UTC 2024 | variable name | variable default value | variable required | variable description | | --- | --- | --- | --- | | VM_USECUSTOMCONFIGRELOADER | false | false | enables custom config reloader for vmauth and vmagent,it should speed-up config reloading process. | | VM_CONTAINERREGISTRY | - | false | container registry name prefix, e.g. docker.io | -| VM_CUSTOMCONFIGRELOADERIMAGE | victoriametrics/operator:config-reloader-v0.43.0 | false | - | +| VM_CUSTOMCONFIGRELOADERIMAGE | victoriametrics/operator:config-reloader-v0.47.2 | false | - | | VM_PSPAUTOCREATEENABLED | false | false | - | | VM_VLOGSDEFAULT_IMAGE | victoriametrics/victoria-logs | false | - | | VM_VLOGSDEFAULT_VERSION | v0.28.0-victorialogs | false | - | @@ -28,7 +28,7 @@ aliases: | VM_VLOGSDEFAULT_RESOURCE_REQUEST_MEM | 500Mi | false | - | | VM_VLOGSDEFAULT_RESOURCE_REQUEST_CPU | 150m | false | - | | VM_VMALERTDEFAULT_IMAGE | victoriametrics/vmalert | false | - | -| VM_VMALERTDEFAULT_VERSION | v1.102.0 | false | - | +| VM_VMALERTDEFAULT_VERSION | v1.103.0 | false | - | | VM_VMALERTDEFAULT_PORT | 8080 | false | - | | VM_VMALERTDEFAULT_USEDEFAULTRESOURCES | true | false | - | | VM_VMALERTDEFAULT_RESOURCE_LIMIT_MEM | 500Mi | false | - | 
@@ -39,7 +39,7 @@ aliases: | VM_VMALERTDEFAULT_CONFIGRELOADERMEMORY | 25Mi | false | - | | VM_VMALERTDEFAULT_CONFIGRELOADIMAGE | jimmidyson/configmap-reload:v0.3.0 | false | - | | VM_VMAGENTDEFAULT_IMAGE | victoriametrics/vmagent | false | - | -| VM_VMAGENTDEFAULT_VERSION | v1.102.0 | false | - | +| VM_VMAGENTDEFAULT_VERSION | v1.103.0 | false | - | | VM_VMAGENTDEFAULT_CONFIGRELOADIMAGE | quay.io/prometheus-operator/prometheus-config-reloader:v0.68.0 | false | - | | VM_VMAGENTDEFAULT_PORT | 8429 | false | - | | VM_VMAGENTDEFAULT_USEDEFAULTRESOURCES | true | false | - | @@ -50,7 +50,7 @@ aliases: | VM_VMAGENTDEFAULT_CONFIGRELOADERCPU | 100m | false | - | | VM_VMAGENTDEFAULT_CONFIGRELOADERMEMORY | 25Mi | false | - | | VM_VMSINGLEDEFAULT_IMAGE | victoriametrics/victoria-metrics | false | - | -| VM_VMSINGLEDEFAULT_VERSION | v1.102.0 | false | - | +| VM_VMSINGLEDEFAULT_VERSION | v1.103.0 | false | - | | VM_VMSINGLEDEFAULT_PORT | 8429 | false | - | | VM_VMSINGLEDEFAULT_USEDEFAULTRESOURCES | true | false | - | | VM_VMSINGLEDEFAULT_RESOURCE_LIMIT_MEM | 1500Mi | false | - | 
@@ -61,14 +61,14 @@ aliases: | VM_VMSINGLEDEFAULT_CONFIGRELOADERMEMORY | 25Mi | false | - | | VM_VMCLUSTERDEFAULT_USEDEFAULTRESOURCES | true | false | - | | VM_VMCLUSTERDEFAULT_VMSELECTDEFAULT_IMAGE | victoriametrics/vmselect | false | - | -| VM_VMCLUSTERDEFAULT_VMSELECTDEFAULT_VERSION | v1.102.0-cluster | false | - | +| VM_VMCLUSTERDEFAULT_VMSELECTDEFAULT_VERSION | v1.103.0-cluster | false | - | | VM_VMCLUSTERDEFAULT_VMSELECTDEFAULT_PORT | 8481 | false | - | | VM_VMCLUSTERDEFAULT_VMSELECTDEFAULT_RESOURCE_LIMIT_MEM | 1000Mi | false | - | | VM_VMCLUSTERDEFAULT_VMSELECTDEFAULT_RESOURCE_LIMIT_CPU | 500m | false | - | | VM_VMCLUSTERDEFAULT_VMSELECTDEFAULT_RESOURCE_REQUEST_MEM | 500Mi | false | - | | VM_VMCLUSTERDEFAULT_VMSELECTDEFAULT_RESOURCE_REQUEST_CPU | 100m | false | - | | VM_VMCLUSTERDEFAULT_VMSTORAGEDEFAULT_IMAGE | victoriametrics/vmstorage | false | - | -| VM_VMCLUSTERDEFAULT_VMSTORAGEDEFAULT_VERSION | v1.102.0-cluster | false | - | +| VM_VMCLUSTERDEFAULT_VMSTORAGEDEFAULT_VERSION | v1.103.0-cluster | false | - | | VM_VMCLUSTERDEFAULT_VMSTORAGEDEFAULT_VMINSERTPORT | 8400 | false | - | | VM_VMCLUSTERDEFAULT_VMSTORAGEDEFAULT_VMSELECTPORT | 8401 | false | - | | VM_VMCLUSTERDEFAULT_VMSTORAGEDEFAULT_PORT | 8482 | false | - | @@ -77,7 +77,7 @@ aliases: | VM_VMCLUSTERDEFAULT_VMSTORAGEDEFAULT_RESOURCE_REQUEST_MEM | 500Mi | false | - | | VM_VMCLUSTERDEFAULT_VMSTORAGEDEFAULT_RESOURCE_REQUEST_CPU | 250m | false | - | | VM_VMCLUSTERDEFAULT_VMINSERTDEFAULT_IMAGE | victoriametrics/vminsert | false | - | -| VM_VMCLUSTERDEFAULT_VMINSERTDEFAULT_VERSION | v1.102.0-cluster | false | - | +| VM_VMCLUSTERDEFAULT_VMINSERTDEFAULT_VERSION | v1.103.0-cluster | false | - | | VM_VMCLUSTERDEFAULT_VMINSERTDEFAULT_PORT | 8480 | false | - | | VM_VMCLUSTERDEFAULT_VMINSERTDEFAULT_RESOURCE_LIMIT_MEM | 500Mi | false | - | | VM_VMCLUSTERDEFAULT_VMINSERTDEFAULT_RESOURCE_LIMIT_CPU | 500m | false | - | 
@@ -96,7 +96,7 @@ aliases: | VM_VMALERTMANAGER_RESOURCE_REQUEST_CPU | 30m | false | - | | VM_DISABLESELFSERVICESCRAPECREATION | false | false | - | | VM_VMBACKUP_IMAGE | victoriametrics/vmbackupmanager | false | - | -| VM_VMBACKUP_VERSION | v1.102.0-enterprise | false | - | +| VM_VMBACKUP_VERSION | v1.103.0-enterprise | false | - | | VM_VMBACKUP_PORT | 8300 | false | - | | VM_VMBACKUP_USEDEFAULTRESOURCES | true | false | - | | VM_VMBACKUP_RESOURCE_LIMIT_MEM | 500Mi | false | - | @@ -105,7 +105,7 @@ aliases: | VM_VMBACKUP_RESOURCE_REQUEST_CPU | 150m | false | - | | VM_VMBACKUP_LOGLEVEL | INFO | false | - | | VM_VMAUTHDEFAULT_IMAGE | victoriametrics/vmauth | false | - | -| VM_VMAUTHDEFAULT_VERSION | v1.102.0 | false | - | +| VM_VMAUTHDEFAULT_VERSION | v1.103.0 | false | - | | VM_VMAUTHDEFAULT_CONFIGRELOADIMAGE | quay.io/prometheus-operator/prometheus-config-reloader:v0.68.0 | false | - | | VM_VMAUTHDEFAULT_PORT | 8427 | false | - | | VM_VMAUTHDEFAULT_USEDEFAULTRESOURCES | true | false | - | 
@@ -137,4 +137,4 @@ aliases:
 | VM_PODWAITREADYINITDELAY | 10s | false | - |
 | VM_FORCERESYNCINTERVAL | 60s | false | configures force resync interval for VMAgent, VMAlert, VMAlertmanager and VMAuth. |
 | VM_ENABLESTRICTSECURITY | false | false | EnableStrictSecurity will add default `securityContext` to pods and containers created by operatorDefault PodSecurityContext include:1. RunAsNonRoot: true2. RunAsUser/RunAsGroup/FSGroup: 65534'65534' refers to 'nobody' in all the used default images like alpine, busybox.If you're using customize image, please make sure '65534' is a valid uid in there or specify SecurityContext.3. FSGroupChangePolicy: &onRootMismatchIf KubeVersion>=1.20, use `FSGroupChangePolicy="onRootMismatch"` to skip the recursive permission changewhen the root of the volume already has the correct permissions4. SeccompProfile:type: RuntimeDefaultUse `RuntimeDefault` seccomp profile by default, which is defined by the container runtime,instead of using the Unconfined (seccomp disabled) mode.Default container SecurityContext include:1. AllowPrivilegeEscalation: false2. ReadOnlyRootFilesystem: true3. Capabilities:drop:- allturn off `EnableStrictSecurity` by default, see https://github.com/VictoriaMetrics/operator/issues/749 for details |
-[envconfig-sum]: e9e93721c4232b8d21d8195387649304
+[envconfig-sum]: 4560053e758cdaf3d11170e5bf296de4
\ No newline at end of file
diff --git a/internal/controller/operator/factory/finalize/common.go b/internal/controller/operator/factory/finalize/common.go
index 1eac35a9..8ce8f4ef 100644
--- a/internal/controller/operator/factory/finalize/common.go
+++ b/internal/controller/operator/factory/finalize/common.go
@@ -25,11 +25,17 @@ type crdObject interface {
 }
 func patchReplaceFinalizers(ctx context.Context, rclient client.Client, instance client.Object) error {
- op := []map[string]interface{}{{
- "op": "replace",
- "path": "/metadata/finalizers",
- "value": instance.GetFinalizers(),
- }}
+ op := []map[string]interface{}{
+ {
+ "op": "replace",
+ "path": "/metadata/finalizers",
+ "value": instance.GetFinalizers(),
+ }, {
+ "op": "replace",
+ "path": "/metadata/ownerReferences",
+ "value": instance.GetOwnerReferences(),
+ },
+ }
 patchData, err := json.Marshal(op)
 if err != nil {
@@ -56,13 +62,17 @@ func RemoveFinalizer(ctx context.Context, rclient client.Client, instance client
 }
 func removeFinalizeObjByName(ctx context.Context, rclient client.Client, obj client.Object, name, ns string) error {
+ return removeFinalizeObjByNameWithOwnerReference(ctx, rclient, obj, name, ns, true)
+}
+
+func removeFinalizeObjByNameWithOwnerReference(ctx context.Context, rclient client.Client, obj client.Object, name, ns string, keepOwnerReference bool) error {
 if err := rclient.Get(ctx, types.NamespacedName{Name: name, Namespace: ns}, obj); err != nil {
 if errors.IsNotFound(err) {
 return nil
 }
 return err
 }
- return vmv1beta1.RemoveFinalizer(obj, func(o client.Object) error {
+ return vmv1beta1.RemoveFinalizerWithOwnerReference(obj, keepOwnerReference, func(o client.Object) error {
 return patchReplaceFinalizers(ctx, rclient, o)
 })
 }
diff --git a/internal/controller/operator/factory/finalize/vlogs.go b/internal/controller/operator/factory/finalize/vlogs.go
index 6612fc98..f0b0e220 100644
--- a/internal/controller/operator/factory/finalize/vlogs.go
+++ b/internal/controller/operator/factory/finalize/vlogs.go
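Review bot: patchReplaceFinalizers now always sends a JSON-patch `replace` at `/metadata/ownerReferences`, but RFC 6902 requires the target of a `replace` to exist, so for an object that carries no ownerReferences at all (for instance a PVC created before this change with RemovePvcAfterDelete=false) the whole patch is expected to be rejected, the finalizer is never removed, and the parent CR stays stuck in deletion. Using `"op": "add"` (which overwrites an existing member and creates a missing one) or appending the ownerReferences op only when owner references were actually changed avoids that failure mode. The function name no longer describes what it does; a rename or at least `// patchReplaceFinalizers replaces both metadata.finalizers and metadata.ownerReferences with the values currently held by instance.` is warranted. removeFinalizeObjByNameWithOwnerReference in the second hunk keeps the not-found-is-success behaviour, which is fine, but a short comment that keepOwnerReference=false strips the operator-group owner references so the object survives Kubernetes garbage collection would help callers.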
@@ -20,7 +20,7 @@ func OnVLogsDelete(ctx context.Context, rclient client.Client, crd *vmv1beta1.VL
 return err
 }
 if crd.Spec.Storage != nil {
- if err := removeFinalizeObjByName(ctx, rclient, &v1.PersistentVolumeClaim{}, crd.PrefixedName(), crd.Namespace); err != nil {
+ if err := removeFinalizeObjByNameWithOwnerReference(ctx, rclient, &v1.PersistentVolumeClaim{}, crd.PrefixedName(), crd.Namespace, crd.Spec.RemovePvcAfterDelete); err != nil {
 return err
 }
 }
diff --git a/internal/controller/operator/factory/finalize/vmsingle.go b/internal/controller/operator/factory/finalize/vmsingle.go
index a8f20316..eeda86f1 100644
--- a/internal/controller/operator/factory/finalize/vmsingle.go
+++ b/internal/controller/operator/factory/finalize/vmsingle.go
@@ -20,7 +20,7 @@ func OnVMSingleDelete(ctx context.Context, rclient client.Client, crd *vmv1beta1
 return err
 }
 if crd.Spec.Storage != nil {
- if err := removeFinalizeObjByName(ctx, rclient, &v1.PersistentVolumeClaim{}, crd.PrefixedName(), crd.Namespace); err != nil {
+ if err := removeFinalizeObjByNameWithOwnerReference(ctx, rclient, &v1.PersistentVolumeClaim{}, crd.PrefixedName(), crd.Namespace, crd.Spec.RemovePvcAfterDelete); err != nil {
 return err
 }
 }
diff --git a/internal/controller/operator/factory/vlogs/vlogs.go b/internal/controller/operator/factory/vlogs/vlogs.go
index 21e0b41b..0e1830b1 100644
--- a/internal/controller/operator/factory/vlogs/vlogs.go
+++ b/internal/controller/operator/factory/vlogs/vlogs.go
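Review bot: Both call sites pass `crd.Spec.RemovePvcAfterDelete` as the `keepOwnerReference` argument, which reads as inverted at a glance even though it is correct (keeping the owner reference is what lets Kubernetes garbage collection remove the PVC with the CR). A one-line comment at each call, e.g. `// keep the ownerReference only when the PVC must be garbage-collected together with the CR`, would spare the next reader a detour into RemoveFinalizerWithOwnerReference; the vmsingle.go hunk in this file section has the same call. OnVLogsDelete and OnVMSingleDelete both start and end outside their hunks.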
@@ -68,17 +68,15 @@ func CreateVLogsStorage(ctx context.Context, r *vmv1beta1.VLogs, rclient client.
 func makeVLogsPvc(r *vmv1beta1.VLogs) *corev1.PersistentVolumeClaim {
 pvcObject := &corev1.PersistentVolumeClaim{
 ObjectMeta: metav1.ObjectMeta{
- Name: r.PrefixedName(),
- Namespace: r.Namespace,
- Labels: labels.Merge(r.Spec.StorageMetadata.Labels, r.SelectorLabels()),
- Annotations: r.Spec.StorageMetadata.Annotations,
- Finalizers: []string{vmv1beta1.FinalizerName},
+ Name: r.PrefixedName(),
+ Namespace: r.Namespace,
+ Labels: labels.Merge(r.Spec.StorageMetadata.Labels, r.SelectorLabels()),
+ Annotations: r.Spec.StorageMetadata.Annotations,
+ Finalizers: []string{vmv1beta1.FinalizerName},
+ OwnerReferences: r.AsOwner(),
 },
 Spec: *r.Spec.Storage,
 }
- if r.Spec.RemovePvcAfterDelete {
- pvcObject.OwnerReferences = r.AsOwner()
- }
 return pvcObject
 }
diff --git a/internal/controller/operator/factory/vmsingle/vmsingle.go b/internal/controller/operator/factory/vmsingle/vmsingle.go
index 8e3aca9f..a2da321c 100644
--- a/internal/controller/operator/factory/vmsingle/vmsingle.go
+++ b/internal/controller/operator/factory/vmsingle/vmsingle.go
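Review bot: Setting `OwnerReferences: r.AsOwner()` unconditionally makes the PVC a garbage-collection dependent of the CR even when RemovePvcAfterDelete is false, so the only thing standing between the data and the garbage collector is the operator finalizer stripping that reference in time. If AsOwner sets blockOwnerDeletion (as controller-style owner references usually do), foreground cascading deletion (`propagationPolicy: Foreground`, e.g. `kubectl delete --cascade=foreground`) lets the garbage collector delete blocking dependents as soon as the owner carries a deletionTimestamp, without waiting for the operator's finalizer, and a PVC with RemovePvcAfterDelete=false can be lost — a path the removed conditional `if r.Spec.RemovePvcAfterDelete { pvcObject.OwnerReferences = r.AsOwner() }` did not have. If the intent is to honour toggling the flag after creation, the safer direction is to add the owner reference (or delete the PVC explicitly) in the finalizer when the flag is true rather than to rely on removing it when it is false; at minimum the RemovePvcAfterDelete field documentation should spell out this dependency on the finalizer. makeVMSinglePvc in the vmsingle.go hunk carries the identical change.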
@@ -70,17 +70,15 @@ func CreateVMSingleStorage(ctx context.Context, cr *vmv1beta1.VMSingle, rclient
 func makeVMSinglePvc(cr *vmv1beta1.VMSingle) *corev1.PersistentVolumeClaim {
 pvcObject := &corev1.PersistentVolumeClaim{
 ObjectMeta: metav1.ObjectMeta{
- Name: cr.PrefixedName(),
- Namespace: cr.Namespace,
- Labels: labels.Merge(cr.Spec.StorageMetadata.Labels, cr.SelectorLabels()),
- Annotations: cr.Spec.StorageMetadata.Annotations,
- Finalizers: []string{vmv1beta1.FinalizerName},
+ Name: cr.PrefixedName(),
+ Namespace: cr.Namespace,
+ Labels: labels.Merge(cr.Spec.StorageMetadata.Labels, cr.SelectorLabels()),
+ Annotations: cr.Spec.StorageMetadata.Annotations,
+ Finalizers: []string{vmv1beta1.FinalizerName},
+ OwnerReferences: cr.AsOwner(),
 },
 Spec: *cr.Spec.Storage,
 }
- if cr.Spec.RemovePvcAfterDelete {
- pvcObject.OwnerReferences = cr.AsOwner()
- }
 return pvcObject
 }