feat(kafka-operator): add 0.23.0-dev.0 (#1516)

mesosphere · Oct 9, 2024 · 70cc239 · 70cc239
1 parent b13d0f3
commit 70cc239
Show file tree

Hide file tree

Showing 9 changed files with 3,244 additions and 1,969 deletions.
diff --git a/staging/kafka-operator/Chart.yaml b/staging/kafka-operator/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
-appVersion: v0.20.2
+appVersion: v0.23.0-dev.0
 description: kafka-operator manages Kafka deployments on Kubernetes
 name: kafka-operator
 sources:
   - https://github.com/banzaicloud/koperator
-version: 0.20.2
+version: 0.23.0-dev.0
 maintainers:
   - name: mhrabovcin
diff --git a/staging/kafka-operator/README.md b/staging/kafka-operator/README.md
@@ -53,7 +53,7 @@ The following table lists the configurable parameters of the Banzaicloud Kafka O
 Parameter | Description | Default
 --------- | ----------- | -------
 `operator.image.repository` | Operator container image repository | `ghcr.io/banzaicloud/kafka-operator`
-`operator.image.tag` | Operator container image tag | `v0.12.4`
+`operator.image.tag` | Operator container image tag | `v0.22.0`
 `operator.image.pullPolicy` | Operator container image pull policy | `IfNotPresent`
 `operator.serviceAccount.name` | ServiceAccount used by the operator pod | `kafka-operator`
 `operator.serviceAccount.create` | If true, create the `operator.serviceAccount.name` service account | `true`
@@ -65,12 +65,13 @@ Parameter | Description | Default
 `prometheusMetrics.authProxy.serviceAccount.create` | If true, create the service account (see `prometheusMetrics.authProxy.serviceAccount.name`) used by prometheus auth proxy | `true`
 `prometheusMetrics.authProxy.serviceAccount.name` | ServiceAccount used by prometheus auth proxy | `kafka-operator-authproxy`
 `prometheusMetrics.authProxy.image.repository` | Auth proxy container image repository | `gcr.io/kubebuilder/kube-rbac-proxy`
-`prometheusMetrics.authProxy.image.tag` | Auth proxy container image tag | `v0.8.0`
+`prometheusMetrics.authProxy.image.tag` | Auth proxy container image tag | `v0.13.0`
 `prometheusMetrics.authProxy.image.pullPolicy` | Auth proxy container image pull policy | `IfNotPresent`
 `rbac.enabled` | Create rbac service account and roles | `true`
 `imagePullSecrets` | Image pull secrets can be set | `[]`
 `replicaCount` | Operator replica count can be set | `1`
 `alertManager.enable` | AlertManager can be enabled | `true`
+`alertManager.permissivePeerAuthentication.create` | Permissive PeerAuthentication (Istio resource) for AlertManager can be created | `true`
 `nodeSelector` | Operator pod node selector can be set | `{}`
 `tolerations` | Operator pod tolerations can be set | `[]`
 `affinity` | Operator pod affinity can be set | `{}`

diff --git a/staging/kafka-operator/templates/alertmanager-peerauthentication.yaml b/staging/kafka-operator/templates/alertmanager-peerauthentication.yaml
@@ -0,0 +1,24 @@
+{{- if and (.Values.alertManager.enable) (.Values.alertManager.permissivePeerAuthentication.create) (.Capabilities.APIVersions.Has "security.istio.io/v1beta1") -}}
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: "{{ include "kafka-operator.fullname" . }}-alertmanager-peerauthenticaiton"
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    control-plane: controller-manager
+    controller-tools.k8s.io: "1.0"
+    app.kubernetes.io/name: {{ include "kafka-operator.name" . }}
+    helm.sh/chart: {{ include "kafka-operator.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: alertmanager
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      component: alertmanager
+  portLevelMtls:
+    {{ .Values.alertManager.port | quote }}:
+      mode: PERMISSIVE
+{{- end -}}
diff --git a/staging/kafka-operator/templates/alertmanager-service.yaml b/staging/kafka-operator/templates/alertmanager-service.yaml
@@ -25,5 +25,5 @@ spec:
     app.kubernetes.io/component: operator
   ports:
   - name: http-alerts
-    port: 9001
+    port: {{ .Values.alertManager.port }}
 {{- end -}}
diff --git a/staging/kafka-operator/templates/crds.yaml b/staging/kafka-operator/templates/crds.yaml
diff --git a/staging/kafka-operator/templates/operator-deployment-with-webhook.yaml b/staging/kafka-operator/templates/operator-deployment-with-webhook.yaml
@@ -31,13 +31,13 @@ metadata:
   name: {{ include "kafka-operator.name" . }}-validating-webhook
 webhooks:
 - admissionReviewVersions:
-  - v1beta1
+  - v1
   clientConfig:
     caBundle: {{ $caCrt }}
     service:
       name: "{{ include "kafka-operator.fullname" . }}-operator"
       namespace: {{ .Release.Namespace }}
-      path: /validate
+      path: /validate-kafka-banzaicloud-io-v1alpha1-kafkatopic
   failurePolicy: Fail
   name: kafkatopics.kafka.banzaicloud.io
   rules:
@@ -51,6 +51,26 @@ webhooks:
     resources:
     - kafkatopics
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    caBundle: {{ $caCrt }}
+    service:
+      name: "{{ include "kafka-operator.fullname" . }}-operator"
+      namespace: {{ .Release.Namespace }}
+      path: /validate-kafka-banzaicloud-io-v1beta1-kafkacluster
+  failurePolicy: Fail
+  name: kafkaclusters.kafka.banzaicloud.io
+  rules:
+  - apiGroups:
+    - kafka.banzaicloud.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - UPDATE
+    resources:
+    - kafkaclusters
+  sideEffects: None
 ---
 apiVersion: v1
 kind: Secret
@@ -115,6 +135,10 @@ spec:
         app: prometheus
         component: alertmanager
     spec:
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
       serviceAccountName: {{ include "operator.serviceAccountName" .}}
       volumes:
       {{- if .Values.webhook.enabled }}
@@ -181,6 +205,7 @@ spec:
             - name: POD_NAMESPACE
               valueFrom:
                 fieldRef:
+                  apiVersion: v1
                   fieldPath: metadata.namespace
           {{- if .Values.additionalEnv }}
           {{ toYaml .Values.additionalEnv | nindent 12 }}
@@ -194,7 +219,7 @@ spec:
             - containerPort: {{ (.Values.metricEndpoint).port | default 8080 }}
               name: metrics
               protocol: TCP
-            - containerPort: 9001
+            - containerPort: {{ .Values.alertManager.port }}
               name: alerts
               protocol: TCP
           volumeMounts:

diff --git a/staging/kafka-operator/templates/operator-rbac.yaml b/staging/kafka-operator/templates/operator-rbac.yaml
@@ -1,12 +1,6 @@
 {{- if .Values.operator.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
-{{- if .Values.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.imagePullSecrets }}
-  - name: {{ . }}
-{{- end }}
-{{- end }}
 metadata:
   name: {{ include "operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace | quote }}
@@ -33,9 +27,9 @@ metadata:
     app.kubernetes.io/component: operator
 rules:
 - apiGroups:
-  - istio.banzaicloud.io
+  - servicemesh.cisco.com
   resources:
-  - meshgateways
+  - istiomeshgateways
   verbs:
   - create
   - delete
@@ -240,6 +234,33 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - cruisecontroloperations
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - cruisecontroloperations/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - kafka.banzaicloud.io
+  resources:
+  - cruisecontroloperations/status
+  verbs:
+  - get
+  - patch
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/staging/kafka-operator/templates/operator-service.yaml b/staging/kafka-operator/templates/operator-service.yaml
@@ -28,7 +28,9 @@ spec:
   ports:
   - name: https
     port: 443
+    targetPort: {{ (.Values.webhook).serverPort | default 443 }}
   {{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
   - name: metrics
     port: 8080
+    targetPort: {{ (.Values.metricEndpoint).port | default 8080 }}
   {{- end }}
diff --git a/staging/kafka-operator/values.yaml b/staging/kafka-operator/values.yaml
@@ -14,6 +14,15 @@ operator:
     repository: ghcr.io/banzaicloud/kafka-operator
     tag: ""
     pullPolicy: IfNotPresent
+  # In constrained environments where operator cannot
+  # be granted cluster level roles, users can configure
+  # the Koperator to watch CRs only in specific set of
+  # configurable Kubernetes namespaces.
+  # In this scenario, users can replace the default
+  # ClusterRole and ClusterRoleBinding to Role and RoleBinding respectively.
+  # When this field is not empty and Cert-manager is used,
+  # the Cert-manager's Custom Resource Namespace must be included in the comma separated list.
+  # When it is empty, all namespaces will be watched.
   namespaces: ""
   verboseLogging: false
   developmentLogging: false
@@ -38,22 +47,27 @@ webhook:
     secret: "kafka-operator-serving-cert"
 
 certManager:
-  namespace: "cert-manager"
   enabled: false
+  # namespace field specifies the Cert-manager's Cluster Resource Namespace.
+  # https://cert-manager.io/docs/configuration/
+  namespace: "cert-manager"
 
 certSigning:
   enabled: true
 
 alertManager:
   enable: true
+  port: 9001
+  permissivePeerAuthentication:
+    create: false
 
 prometheusMetrics:
   enabled: true
   authProxy:
     enabled: true
     image:
       repository: gcr.io/kubebuilder/kube-rbac-proxy
-      tag: v0.8.0
+      tag: v0.13.0
       pullPolicy: IfNotPresent
     serviceAccount:
       create: true