Portworx: operator helm chart

portworx · May 10, 2023 · 6bb3449 · 6bb3449
1 parent 65797d9
commit 6bb3449
Show file tree

Hide file tree

Showing 28 changed files with 626 additions and 514 deletions.
diff --git a/charts/portworx/Chart.yaml b/charts/portworx/Chart.yaml
@@ -1,8 +1,8 @@
 name: portworx
-version: 2.13.0
+version: 2.13.3
 description: A Helm chart for installing Portworx on Kubernetes.
 kubeVersion: ">=1.10.0"
-appVersion: "2.12.2"
+appVersion: 2.13.3
 apiVersion: v1
 keywords:
   - Storage

diff --git a/charts/portworx/templates/_helpers.tpl b/charts/portworx/templates/_helpers.tpl
@@ -25,13 +25,6 @@ release: {{ .Release.Name | quote }}
 {{$version := .Capabilities.KubeVersion.GitVersion | regexFind "^v\\d+\\.\\d+\\.\\d+"}}{{$version}}
 {{- end -}}
 
-{{- define "px.kubectlImageTag" -}}
-{{$version := .Capabilities.KubeVersion.GitVersion | regexFind "^v\\d+\\.\\d+\\.\\d+" | trimPrefix "v" | split "."}}
-{{- $major := index $version "_0" -}}
-{{- $minor := index $version "_1" -}}
-{{printf "%s.%s" $major $minor }}
-{{- end -}}
-
 {{- define "px.getPxOperatorImage" -}}
 {{- if (.Values.customRegistryURL) -}}
     {{- if (eq "/" (.Values.customRegistryURL | regexFind "/")) -}}
@@ -221,6 +214,18 @@ Generate a random token for storage provisioning
 {{- end -}}
 
 
+{{- define "px.getDeploymentNamespace" -}}
+{{- if (.Release.Namespace) -}}
+    {{- if (eq "default" .Release.Namespace) -}}
+        {{- printf "kube-system"  -}}
+    {{- else -}}
+        {{- printf "%s" .Release.Namespace -}}
+    {{- end -}}
+{{- end -}}
+{{- end -}}
+
+
+
 {{- define "px.affinityPxEnabledValue" -}}
 {{- if .Values.requirePxEnabledTag -}}
     {{- "true"  | quote }}
@@ -231,19 +236,19 @@ Generate a random token for storage provisioning
 
 {{- define "px.deprecatedKvdbArgs" }}
 {{- $result := "" }}
-{{- if ne .Values.etcd.credentials "none:none" }}
+{{- if ne .Values.etcd.credentials "null:null" }}
     {{- $result = printf "%s -userpwd %s" $result .Values.etcd.credentials }}
 {{- end }}
-{{- if ne .Values.etcd.ca "none" }}
+{{- if ne .Values.etcd.ca null }}
     {{- $result = printf "%s -ca %s" $result .Values.etcd.ca }}
 {{- end }}
-{{- if ne .Values.etcd.cert "none" }}
+{{- if ne .Values.etcd.cert null }}
     {{- $result = printf "%s -cert %s" $result .Values.etcd.cert }}
 {{- end }}
-{{- if ne .Values.etcd.key "none" }}
+{{- if ne .Values.etcd.key null }}
     {{- $result = printf "%s -key %s" $result .Values.etcd.key }}
 {{- end }}
-{{- if ne .Values.consul.token "none" }}
+{{- if ne .Values.consul.token null }}
     {{- $result = printf "%s -acltoken %s" $result .Values.consul.token }}
 {{- end }}
 {{- trim $result }}
@@ -254,7 +259,7 @@ Generate a random token for storage provisioning
 {{- if (include "px.deprecatedKvdbArgs" .) }}
     {{- $result = printf "%s %s" $result (include "px.deprecatedKvdbArgs" .) }}
 {{- end }}
-{{- if ne .Values.miscArgs "none" }}
+{{- if ne .Values.miscArgs null }}
     {{- $result = printf "%s %s" $result .Values.miscArgs }}
 {{- end }}
 {{- trim $result }}
@@ -265,7 +270,7 @@ Generate a random token for storage provisioning
 {{- if (default false .Values.isTargetOSCoreOS) }}
     {{- $result = true }}
 {{- end }}
-{{- if ne (default "none" .Values.etcd.certPath) "none" }}
+{{- if ne (default null .Values.etcd.certPath) null }}
     {{- $result = true }}
 {{- end }}
 {{- if .Values.volumes }}

diff --git a/charts/portworx/templates/clusterrole.yaml b/charts/portworx/templates/clusterrole.yaml
@@ -0,0 +1,15 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: portworx-operator
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+  {{- if semverCompare "<1.25" (.Capabilities.KubeVersion.Version) }}
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["px-operator"]
+    verbs: ["use"]
+  {{- end }}
diff --git a/charts/portworx/templates/clusterrolebinding.yaml b/charts/portworx/templates/clusterrolebinding.yaml
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: portworx-operator
+subjects:
+  - kind: ServiceAccount
+    name: portworx-operator
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: portworx-operator
+  apiGroup: rbac.authorization.k8s.io
diff --git a/charts/portworx/templates/clustertoken-serviceaccount.yaml b/charts/portworx/templates/clustertoken-serviceaccount.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.clusterToken.serviceAccountName }}
+  annotations:
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+    helm.sh/hook: post-install
+  labels:
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
diff --git a/charts/portworx/templates/deployment.yaml b/charts/portworx/templates/deployment.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: portworx-operator
+  namespace: {{ .Release.Namespace }}
+spec:
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+    type: RollingUpdate
+  replicas: 1
+  selector:
+    matchLabels:
+      name: portworx-operator
+  template:
+    metadata:
+      labels:
+        name: portworx-operator
+    spec:
+      containers:
+        - name: portworx-operator
+          imagePullPolicy: Always
+          image: "{{ .Values.operator.image.repository }}:{{ default .Chart.AppVersion .Values.operator.image.tag }}"
+          command:
+            - /operator
+            - --verbose
+            - --driver=portworx
+            - --leader-elect=true
+          env:
+            - name: OPERATOR_NAME
+              value: portworx-operator
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: "name"
+                    operator: In
+                    values:
+                      - portworx-operator
+              topologyKey: "kubernetes.io/hostname"
+      serviceAccountName: portworx-operator
diff --git a/charts/portworx/templates/hooks/clusterrole.yaml b/charts/portworx/templates/hooks/clusterrole.yaml
@@ -0,0 +1,15 @@
+---
+kind: ClusterRole
+apiVersion: {{ template "rbac.apiVersion" . }}
+metadata:
+  annotations:
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook: post-install,pre-upgrade,pre-delete
+  name: {{ template "px.hookClusterRole" . }}
+rules:
+  # for daemonset to operator migration, we need hooks for all resources deployed by daemonset, due to resources are
+  # different in different helm charts (GCP, IKS, Rancher and portworx), we use wild card here. After daemonset
+  # migration is finished for all customers we shall change this back to limited access.
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
diff --git a/charts/portworx/templates/hooks/clusterrolebinding.yaml b/charts/portworx/templates/hooks/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+---
+kind: ClusterRoleBinding
+apiVersion: {{ template "rbac.apiVersion" . }}
+metadata:
+  annotations:
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    helm.sh/hook: "post-install,pre-upgrade,pre-delete"
+  name: {{ template "px.hookClusterRoleBinding" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "px.hookServiceAccount" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "px.hookClusterRole" . }}
+  apiGroup: rbac.authorization.k8s.io
diff --git a/charts/portworx/templates/hooks/post-install/px-create-cluster-token.yaml b/charts/portworx/templates/hooks/post-install/px-create-cluster-token.yaml
@@ -1,42 +1,34 @@
-{{- if (.Values.clusterToken.create) }}
-  {{- $customRegistryURL := .Values.customRegistryURL | default "none" }}
-  {{- $registrySecret := .Values.registrySecret | default "none" }}
-
+{{- if .Values.clusterToken.create }}
 apiVersion: batch/v1
 kind: Job
 metadata:
-  namespace: kube-system
   name: px-set-cluster-token
   labels:
-    heritage: {{.Release.Service | quote }}
-    release: {{.Release.Name | quote }}
-    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
-    app.kubernetes.io/managed-by: {{.Release.Service | quote }}
-    app.kubernetes.io/instance: {{.Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
   annotations:
-    "helm.sh/hook": post-install
-    "helm.sh/hook-weight": "10"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    helm.sh/hook: post-install
+    helm.sh/hook-weight: "10"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
 spec:
   backoffLimit: 0
   template:
     spec:
-      {{- if not (eq $registrySecret "none") }}
+      {{- if .Values.global.image.pullSecret }}
       imagePullSecrets:
-        - name: {{ $registrySecret }}
+        - name: {{ .Values.global.image.pullSecret }}
       {{- end }}
       restartPolicy: Never
       serviceAccountName: {{ .Values.clusterToken.serviceAccountName }}
       containers:
         - name: post-install-job
-          {{- if eq $customRegistryURL "none" }}
-          image: "bitnami/kubectl:{{ template "px.kubectlImageTag" . }}"
-          {{- else}}
-          image: "{{ $customRegistryURL }}/bitnami/kubectl:{{ template "px.kubectlImageTag" . }}"
-          {{- end }}
+          image: "{{ .Values.kubectl.image.repository }}:{{ default .Capabilities.KubeVersion.Version .Values.kubectl.image.tag }}"
           env:
             - name: NS
-              value: kube-system
+              value: {{ .Release.Namespace }}
             - name: KEY
               value: cluster-wide-secret-key
           command: ['/bin/bash', '-c']
@@ -46,14 +38,10 @@ spec:
               kubectl -n $NS exec -c portworx $readyPortworxPod -- /opt/pwx/bin/pxctl secrets set-cluster-key --secret $KEY
       initContainers:
         - name: post-install-job-init
-          {{- if eq $customRegistryURL "none" }}
-          image: "bitnami/kubectl:{{ template "px.kubectlImageTag" . }}"
-          {{- else}}
-          image: "{{ $customRegistryURL }}/bitnami/kubectl:{{ template "px.kubectlImageTag" . }}"
-          {{- end }}
+          image: "{{ .Values.kubectl.image.repository }}:{{ default .Capabilities.KubeVersion.Version .Values.kubectl.image.tag }}"
           env:
             - name: NS
-              value: kube-system
+              value: {{ .Release.Namespace }}
           command: ['/bin/bash', '-c']
           args:
             - |
@@ -64,71 +52,4 @@ spec:
                 sleep 5
                 output=$(kubectl -n $NS get pods -l name=portworx -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}')
               done
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Values.clusterToken.serviceAccountName }}
-  namespace: kube-system
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
-    "helm.sh/hook": "post-install"
-  labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{.Release.Service | quote }}
-    app.kubernetes.io/instance: {{.Release.Name | quote }}
-    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
----
-kind: Role
-apiVersion: {{ template "rbac.apiVersion" . }}
-metadata:
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
-    "helm.sh/hook": post-install
-  name: {{ .Values.clusterToken.serviceAccountName }}-role
-  namespace: kube-system
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "watch", "list" ]
-  - apiGroups: [""]
-    resources: ["pods/exec"]
-    verbs: ["create"]
----
-kind: RoleBinding
-apiVersion: {{ template "rbac.apiVersion" . }}
-metadata:
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
-    "helm.sh/hook": post-install
-  name: {{ .Values.clusterToken.serviceAccountName }}-binding
-  namespace: kube-system
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Values.clusterToken.serviceAccountName }}
-    namespace: kube-system
-roleRef:
-  kind: Role
-  name: {{ .Values.clusterToken.serviceAccountName }}-role
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation
-    "helm.sh/hook": post-install
-  name: {{ .Values.clusterToken.secretName }}
-  namespace: portworx
-  labels:
-    name: {{ .Values.clusterToken.secretName }}
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{.Release.Service | quote }}
-    app.kubernetes.io/instance: {{.Release.Name | quote }}
-    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
-type: "Opaque"
-data:
-  cluster-wide-secret-key: {{ template "portworx-cluster-key"  }}
 {{- end }}