Commit 6bbb458

feat(chart): introduce new crd lifecycle
Signed-off-by: Oliver Bähler <[email protected]>
1 parent ae7932c commit 6bbb458

11 files changed: +283 -101 lines changed

Makefile

+5-2
@@ -1,6 +1,8 @@
11
# Version
22
GIT_HEAD_COMMIT ?= $(shell git rev-parse --short HEAD)
33
VERSION ?= $(or $(shell git describe --abbrev=0 --tags --match "v*" 2>/dev/null),$(GIT_HEAD_COMMIT))
4+
GO_OS ?= $(shell go env GOOS)
5+
GO_ARCH ?= $(shell go env GOARCH)
46

57
# Defaults
68
REGISTRY ?= ghcr.io
@@ -39,6 +41,7 @@ dlv-build:
3941
docker build . --build-arg "GCFLAGS=all=-N -l" --tag projectcapsule/capsule-proxy:dlv --target dlv
4042

4143

44+
KO_PLATFORM ?= $(GOOS)/$(GO_ARCH)
4245
KOCACHE ?= /tmp/ko-cache
4346
KO_TAGS ?= "latest"
4447

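Review bot: `KO_PLATFORM ?= $(GOOS)/$(GO_ARCH)` references `$(GOOS)`, but the variable introduced at the top of this Makefile is `GO_OS`. Unless `GOOS` happens to be set in the calling environment, the OS part expands to nothing and `--platform` receives a value such as `/amd64`. Use `$(GO_OS)/$(GO_ARCH)` so both halves come from the `go env` lookups added above.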
@@ -60,9 +63,9 @@ LD_FLAGS := "-X main.Version=$(VERSION) \
6063

6164
.PHONY: ko-build-capsule-proxy
6265
ko-build-capsule-proxy: ko
63-
@echo Building Capsule Proxy $(KO_TAGS) >&2
66+
echo Building Capsule Proxy $(KO_TAGS) for $(KO_PLATFORM) >&2
6467
@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(CAPSULE_PROXY_IMG) \
65-
$(KO) build ./ --bare --tags=$(KO_TAGS) --local --push=false
68+
$(KO) build ./ --bare --tags=$(KO_TAGS) --local --push=false --platform=$(KO_PLATFORM)
6669

6770
.PHONY: ko-build-all
6871
ko-build-all: ko-build-capsule-proxy
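Review bot: The `echo Building Capsule Proxy $(KO_TAGS) for $(KO_PLATFORM) >&2` line lost its leading `@`, so make now prints the recipe line itself and then its output, while the `$(KO) build` line right below keeps its `@`. Restore `@echo` unless the doubled message is intended. Because `--platform=$(KO_PLATFORM)` is now always passed, an empty or malformed `KO_PLATFORM` goes straight to ko; worth confirming the default resolves to a full `os/arch` pair.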

charts/capsule-proxy/Chart.yaml

+1-1
@@ -34,4 +34,4 @@ annotations:
3434
url: https://capsule.clastix.io/
3535
artifacthub.io/changes: |
3636
- kind: added
37-
description: add subjects for cert-manager certificate
37+
description: crd lifecycle
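Review bot: The `artifacthub.io/changes` entry `description: crd lifecycle` tells a changelog reader very little, and it is the only place Artifact Hub users will see this change. The README text in this commit asks upgraders to label and annotate the existing CRD by hand, so the description should at least name the new `crds.install` and `crds.keep` values and point to the upgrade notes.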

charts/capsule-proxy/README.md

+28
@@ -40,6 +40,25 @@ The Capsule-proxy Chart can be used to instantly deploy the Capsule-proxy on you
4040

4141
$ helm uninstall capsule-proxy -n capsule-system
4242

43+
## Upgrading the Chart
44+
45+
Intsructions to upgrade the chart the versions, which may remove features or introduce breaking changes.
46+
47+
### 0.7.x
48+
49+
Introduces a new methode to manage all capsule-proxy CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
50+
When you newly install the chart we recommend to set `crds.install` to `true`. This will manage the CRDs with the Helm Chart.
51+
52+
If you are upgrading to this release, you can choose to set `global.crds.install` to `true` (by default `false`). However you need to add metadata to the existing CRDs so they can be correctly managed with the new flow. Run the following commands:
53+
54+
```bash
55+
kubectl label crd proxysettings.capsule.clastix.io app.kubernetes.io/managed-by=Helm
56+
kubectl annotate crd proxysettings.capsule.clastix.io meta.helm.sh/release-namespace=capsule-system # might be different
57+
kubectl annotate crd proxysettings.capsule.clastix.io meta.helm.sh/release-name=capsule-proxy # might be different
58+
```
59+
60+
With the new CRD management we can release update CRDs bundled with the chart. The Chart can be uninstalled and the CRDs are still kept.
61+
4362
## Customize the installation
4463

4564
There are two methods for specifying overrides of values during chart installation: `--values` and `--set`.
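Review bot: The upgrade paragraph under `### 0.7.x` tells users to set `global.crds.install`, while the sentence before it and the values table added further down both use `crds.install`; no `global.crds.*` key is documented anywhere in this change. Name the key the chart actually reads, otherwise an upgrader can set a value that has no effect and end up with a CRD that is labelled for Helm but never updated. The two `# might be different` comments would also be more helpful if they said the values must match the release name and namespace of the existing installation.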
@@ -56,6 +75,13 @@ If you only need to make minor customizations, you can specify them on the comma
5675

5776
$ helm install capsule-proxy projectcapsule/capsule-proxy --set "kind=DaemonSet" -n capsule-system
5877

78+
### CustomResourceDefinition Lifecycle
79+
80+
| Key | Type | Default | Description |
81+
|-----|------|---------|-------------|
82+
| crds.install | bool | `false` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
83+
| crds.keep | bool | `true` | Keep the CustomResourceDefinitions (when the chart is deleted) |
84+
5985
### General Parameters
6086

6187
| Key | Type | Default | Description |
@@ -70,6 +96,8 @@ If you only need to make minor customizations, you can specify them on the comma
7096
| certManager.generateCertificates | bool | `false` | Set if the cert manager will generate SSL certificates (self-signed or CA-signed) |
7197
| certManager.issuer.kind | string | `"Issuer"` | Set if the cert manager will generate either self-signed or CA signed SSL certificates. Its value will be either Issuer or ClusterIssuer |
7298
| certManager.issuer.name | string | `""` | Set the name of the ClusterIssuer if issuer kind is ClusterIssuer and if cert manager will generate CA signed SSL certificates |
99+
| crds.install | bool | `false` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
100+
| crds.keep | bool | `true` | Keep the CustomResourceDefinitions (when the chart is deleted) |
73101
| daemonset.hostNetwork | bool | `false` | Use the host network namespace for capsule-proxy pod. |
74102
| daemonset.hostPort | bool | `false` | Binding the capsule-proxy listening port to the host port. |
75103
| hostNetwork | bool | `false` | When deployed as DaemonSet use |
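Review bot: `crds.install` and `crds.keep` are added to the General Parameters table here although the same two rows already appear in the new CustomResourceDefinition Lifecycle table earlier in this file, so the rendered README documents them twice. README.md appears to be generated from README.md.gotmpl, so the fix belongs in the template: skip keys with the `crds` prefix in the range that renders General Parameters, the same way the new section selects them.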

charts/capsule-proxy/README.md.gotmpl

+30
@@ -40,6 +40,25 @@ The Capsule-proxy Chart can be used to instantly deploy the Capsule-proxy on you
4040

4141
$ helm uninstall capsule-proxy -n capsule-system
4242

43+
## Upgrading the Chart
44+
45+
Intsructions to upgrade the chart the versions, which may remove features or introduce breaking changes.
46+
47+
### 0.7.x
48+
49+
Introduces a new methode to manage all capsule-proxy CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
50+
When you newly install the chart we recommend to set `crds.install` to `true`. This will manage the CRDs with the Helm Chart.
51+
52+
If you are upgrading to this release, you can choose to set `global.crds.install` to `true` (by default `false`). However you need to add metadata to the existing CRDs so they can be correctly managed with the new flow. Run the following commands:
53+
54+
```bash
55+
kubectl label crd proxysettings.capsule.clastix.io app.kubernetes.io/managed-by=Helm
56+
kubectl annotate crd proxysettings.capsule.clastix.io meta.helm.sh/release-namespace=capsule-system # might be different
57+
kubectl annotate crd proxysettings.capsule.clastix.io meta.helm.sh/release-name=capsule-proxy # might be different
58+
```
59+
60+
With the new CRD management we can release update CRDs bundled with the chart. The Chart can be uninstalled and the CRDs are still kept.
61+
4362
## Customize the installation
4463

4564
There are two methods for specifying overrides of values during chart installation: `--values` and `--set`.
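Review bot: Spelling and wording in the added upgrade text need a pass: `Intsructions` should be `Instructions`, `methode` should be `method`, and `we can release update CRDs` reads as if it should be `updated CRDs`. The opening sentence, `Intsructions to upgrade the chart the versions, which may remove features ...`, also does not parse as written. The same text is in README.md, so correcting it in this template and regenerating covers both files.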
@@ -56,6 +75,17 @@ If you only need to make minor customizations, you can specify them on the comma
5675

5776
$ helm install capsule-proxy projectcapsule/capsule-proxy --set "kind=DaemonSet" -n capsule-system
5877

78+
### CustomResourceDefinition Lifecycle
79+
80+
| Key | Type | Default | Description |
81+
|-----|------|---------|-------------|
82+
{{- range .Values }}
83+
{{- if (hasPrefix "crds" .Key) }}
84+
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
85+
{{- end }}
86+
{{- end }}
87+
88+
5989
### General Parameters
6090

6191
| Key | Type | Default | Description |
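Review bot: `hasPrefix "crds" .Key` matches any key that merely starts with `crds`; `hasPrefix "crds." .Key` would restrict the table to the `crds` block and not pick up an unrelated key added later. The hunk also adds two blank lines before `### General Parameters` where the rest of the document uses one.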

charts/capsule-proxy/ci/cert-manager-values.yaml

+3
@@ -1,3 +1,6 @@
1+
crds:
2+
install: true
3+
keep: false
14
options:
25
enableSSL: true
36
generateCertificates: false

charts/capsule-proxy/ci/deploy-values.yaml

+3
@@ -1,3 +1,6 @@
1+
crds:
2+
install: true
3+
keep: false
14
kind: DaemonSet
25
imagePullSecrets: []
36
certManager:

charts/capsule-proxy/ci/ds-values.yaml

+3
@@ -1,3 +1,6 @@
1+
crds:
2+
install: true
3+
keep: false
14
kind: DaemonSet
25
daemonset:
36
hostNetwork: true
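Review bot: This file, like cert-manager-values.yaml and deploy-values.yaml above, sets `crds.install: true` and `crds.keep: false`, so none of the CI value sets shown exercises the documented defaults (`install: false`, `keep: true`). Leaving `crds.keep` at `true` in one of them would cover the case the README promises, where the chart is uninstalled and the CRD has to remain.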
@@ -0,0 +1,182 @@
1+
---
2+
apiVersion: apiextensions.k8s.io/v1
3+
kind: CustomResourceDefinition
4+
metadata:
5+
annotations:
6+
controller-gen.kubebuilder.io/version: v0.8.0
7+
creationTimestamp: null
8+
name: proxysettings.capsule.clastix.io
9+
spec:
10+
group: capsule.clastix.io
11+
names:
12+
kind: ProxySetting
13+
listKind: ProxySettingList
14+
plural: proxysettings
15+
singular: proxysetting
16+
scope: Namespaced
17+
versions:
18+
- name: v1beta1
19+
schema:
20+
openAPIV3Schema:
21+
description: ProxySetting is the Schema for the proxysettings API.
22+
properties:
23+
apiVersion:
24+
description: 'APIVersion defines the versioned schema of this representation
25+
of an object. Servers should convert recognized schemas to the latest
26+
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
27+
type: string
28+
kind:
29+
description: 'Kind is a string value representing the REST resource this
30+
object represents. Servers may infer this from the endpoint the client
31+
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
32+
type: string
33+
metadata:
34+
type: object
35+
spec:
36+
description: ProxySettingSpec defines the additional Capsule Proxy settings
37+
for additional users of the Tenant. Resource is Namespace-scoped and
38+
applies the settings to the belonged Tenant.
39+
properties:
40+
subjects:
41+
description: Subjects that should receive additional permissions.
42+
items:
43+
properties:
44+
clusterResources:
45+
description: Cluster Resources for tenant Owner.
46+
items:
47+
properties:
48+
apiGroups:
49+
description: APIGroups is the name of the APIGroup that
50+
contains the resources. If multiple API groups are specified,
51+
any action requested against any resource listed will
52+
be allowed. '*' represents all resources. Empty string
53+
represents v1 api resources.
54+
items:
55+
type: string
56+
type: array
57+
operations:
58+
default:
59+
- List
60+
description: Operations which can be executed on the selected
61+
resources.
62+
items:
63+
enum:
64+
- List
65+
- Update
66+
- Delete
67+
type: string
68+
type: array
69+
resources:
70+
description: Resources is a list of resources this rule
71+
applies to. '*' represents all resources.
72+
items:
73+
type: string
74+
type: array
75+
selector:
76+
description: Select all cluster scoped resources with
77+
the given label selector.
78+
properties:
79+
matchExpressions:
80+
description: matchExpressions is a list of label selector
81+
requirements. The requirements are ANDed.
82+
items:
83+
description: A label selector requirement is a selector
84+
that contains values, a key, and an operator that
85+
relates the key and values.
86+
properties:
87+
key:
88+
description: key is the label key that the selector
89+
applies to.
90+
type: string
91+
operator:
92+
description: operator represents a key's relationship
93+
to a set of values. Valid operators are In,
94+
NotIn, Exists and DoesNotExist.
95+
type: string
96+
values:
97+
description: values is an array of string values.
98+
If the operator is In or NotIn, the values
99+
array must be non-empty. If the operator is
100+
Exists or DoesNotExist, the values array must
101+
be empty. This array is replaced during a
102+
strategic merge patch.
103+
items:
104+
type: string
105+
type: array
106+
required:
107+
- key
108+
- operator
109+
type: object
110+
type: array
111+
matchLabels:
112+
additionalProperties:
113+
type: string
114+
description: matchLabels is a map of {key,value} pairs.
115+
A single {key,value} in the matchLabels map is equivalent
116+
to an element of matchExpressions, whose key field
117+
is "key", the operator is "In", and the values array
118+
contains only "value". The requirements are ANDed.
119+
type: object
120+
type: object
121+
required:
122+
- apiGroups
123+
- operations
124+
- resources
125+
- selector
126+
type: object
127+
type: array
128+
kind:
129+
description: Kind of tenant owner. Possible values are "User",
130+
"Group", and "ServiceAccount"
131+
enum:
132+
- User
133+
- Group
134+
- ServiceAccount
135+
type: string
136+
name:
137+
description: Name of tenant owner.
138+
type: string
139+
proxySettings:
140+
description: Proxy settings for tenant owner.
141+
items:
142+
properties:
143+
kind:
144+
enum:
145+
- Nodes
146+
- StorageClasses
147+
- IngressClasses
148+
- PriorityClasses
149+
- RuntimeClasses
150+
- PersistentVolumes
151+
type: string
152+
operations:
153+
items:
154+
enum:
155+
- List
156+
- Update
157+
- Delete
158+
type: string
159+
type: array
160+
required:
161+
- kind
162+
- operations
163+
type: object
164+
type: array
165+
required:
166+
- kind
167+
- name
168+
type: object
169+
minItems: 1
170+
type: array
171+
required:
172+
- subjects
173+
type: object
174+
type: object
175+
served: true
176+
storage: true
177+
status:
178+
acceptedNames:
179+
kind: ""
180+
plural: ""
181+
conditions: []
182+
storedVersions: []
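Review bot: In `clusterResources`, `selector` is listed under `required`, but nothing inside it is required, so `selector: {}` passes validation alongside `'*'` in `apiGroups` and `resources`. If a rule with no label constraint at all is not intended, say so in the schema (for example `minProperties: 1` on `selector`) instead of leaving it to the proxy to decide what an empty selector means. Separately, `creationTimestamp: null` and the trailing empty `status:` block are generator output that can be dropped from a manifest shipped with the chart, and the `apiGroups` description says `'*' represents all resources` where it presumably means all API groups.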
