diff --git a/Makefile b/Makefile index fb704a6c..b02368b2 100644 --- a/Makefile +++ b/Makefile @@ -243,6 +243,31 @@ installer/install.sh: ## Build install shell script to deploy the operator sed 's/__VERSION__/v$(VERSION)/g' | \ sed 's/__CERT_MANAGER_VERSION__/$(CERT_MANAGER_VERSION)/g' > $@ +## +# Update helm chart +.PHONY: helm_generate +helm_generate: helm installer/cloud-sql-proxy-operator.yaml bin/install_to_helm + bin/install_to_helm \ + -installYaml=installer/cloud-sql-proxy-operator.yaml \ + -operatorChartDir=helm/cloud-sql-operator + -crdChartDir=helm/cloud-sql-operator-crds + +.PHONY: helm_e2e_build_deploy +helm_e2e_build_deploy: helm e2e_image_push e2e_cert_manager_deploy helm_e2e_install + +.PHONY: helm_e2e_install +helm_e2e_install: helm + KUBECONFIG_E2E=$(KUBECONFIG_E2E) \ + PRIVATE_KUBECONFIG_E2E=$(PRIVATE_KUBECONFIG_E2E) \ + E2E_OPERATOR_URL=$(E2E_OPERATOR_URL) \ + tools/helm-install-operator.sh + +.PHONY: helm_lint +helm_lint: helm + helm lint helm/cloud-sql-operator + +bin/install_to_helm: tools/install_to_helm.go + go build -o $@ $< ## ##@ Google Cloud End to End Test @@ -432,6 +457,7 @@ TERRAFORM ?= $(LOCALBIN)/terraform GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint GO_LICENSES ?= $(LOCALBIN)/go-licenses CRD_REF_DOCS ?= $(LOCALBIN)/crd-ref-docs +HELM ?= $(LOCALBIN)/helm ## Tool Versions # Important note: avoid adding spaces in the macro declarations as any @@ -445,6 +471,7 @@ CRD_REF_DOCS_VERSION=v0.0.9# renovate datasource=go depName=github.com/elastic/c ENVTEST_VERSION=v0.0.0-20230301194117-e2d8821b277f# renovate datasource=go depName=sigs.k8s.io/controller-runtime/tools/setup-envtest GOLANGCI_LINT_VERSION=v1.51.2# renovate datasource=go depName=github.com/golangci/golangci-lint/cmd/golangci-lint GO_LICENSES_VERSION=v1.6.0# renovate datasource=go depName=github.com/google/go-licenses +HELM_VERSION=v3.13.1# renovate datasource=go depName=github.com/helm/helm KUSTOMIZE_VERSION=v4.5.2# don't manage with renovate, this repo has non-standard tags 
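Review bot: In the new helm_generate recipe the line `-operatorChartDir=helm/cloud-sql-operator` has no trailing backslash, so `-crdChartDir=helm/cloud-sql-operator-crds` is run by make as a separate shell command instead of being passed to bin/install_to_helm; the recipe fails with "command not found" and the CRD chart directory is never handed to the tool. Add the continuation: `-operatorChartDir=helm/cloud-sql-operator \`. In the same hunk, helm_lint depends on the `helm` target (which, later in this diff, installs a pinned binary into $(LOCALBIN)) but then runs whatever `helm` is on PATH; use `$(HELM) lint helm/cloud-sql-operator` so lint uses the pinned version.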
@@ -452,7 +479,7 @@ GOOS?=$(shell go env GOOS | tr -d '\n') GOARCH?=$(shell go env GOARCH | tr -d '\n') remove_tools: - rm -rf $(KUSTOMIZE) $(CONTROLLER_GEN) $(KUBECTL) $(ENVTEST) $(TERRAFORM) $(GOLANGCI_LINT) $(CRD_REF_DOCS) + rm -rf $(KUSTOMIZE) $(CONTROLLER_GEN) $(KUBECTL) $(ENVTEST) $(TERRAFORM) $(GOLANGCI_LINT) $(CRD_REF_DOCS) $(HELM) all_tools: kustomize controller-gen envtest kubectl terraform golangci-lint crd-ref-docs @@ -516,8 +543,14 @@ gcloud: exit 1) .PHONY: helm -helm: - @which helm > /dev/null || \ - (echo "Helm command line tools are not available in your path" ; \ - echo "Instructions on how to install https://helm.sh/docs/helm/helm_install/ " ; \ - exit 1) +helm: $(HELM) +$(HELM): $(LOCALBIN) ## Download helm locally if necessary. + test -s $@ || \ + ( curl -v -L -o $@.tar.gz https://get.helm.sh/helm-$(HELM_VERSION)-$(GOOS)-$(GOARCH).tar.gz && \ + cd $(LOCALBIN) && \ + tar -zxf $@.tar.gz && \ + mv $(LOCALBIN)/$(GOOS)-$(GOARCH)/* $(LOCALBIN) && \ + rm -rf $(LOCALBIN)/$(GOOS)-$(GOARCH) && \ + rm -f $@.tar.gz && \ + chmod a+x $@ && \ + touch $@ ) \ No newline at end of file diff --git a/config/crd/bases/_.yaml b/config/crd/bases/_.yaml new file mode 100644 index 00000000..109558d8 --- /dev/null +++ b/config/crd/bases/_.yaml 
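Review bot: The $(HELM) download rule extracts and executes whatever curl returned without any check: there is no `-f`/`--fail`, so an HTTP error body is written to `$@.tar.gz` and piped into tar, and the archive is never compared against a known digest before its contents are moved into $(LOCALBIN). Pin the expected digest beside HELM_VERSION and verify it before extracting, e.g. `curl -fsSL -o $@.tar.gz https://get.helm.sh/helm-$(HELM_VERSION)-$(GOOS)-$(GOARCH).tar.gz && \` followed by `echo "$(HELM_SHA256)  $@.tar.gz" | sha256sum -c - && \` (HELM_SHA256 being a new variable holding the digest for the pinned version). The `mv $(LOCALBIN)/$(GOOS)-$(GOARCH)/* $(LOCALBIN)` step also copies every file in the archive directory (not only the binary) into bin; moving just `$(LOCALBIN)/$(GOOS)-$(GOARCH)/helm` to `$@` keeps bin to tools. Dropping `-v` from curl would keep CI logs from filling with request/response headers.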
@@ -0,0 +1,25 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null diff --git a/docs/dev.md b/docs/dev.md index 89f282b3..20951825 100644 --- a/docs/dev.md +++ b/docs/dev.md @@ -50,4 +50,24 @@ Step 4: Run your e2e tests. The tests will read the contents of the file `bin/last-local-proxy-url.txt`. Delete the file `bin/last-local-proxy-url.txt` to go back to using -the public proxy iamge again \ No newline at end of file +the public proxy iamge again + +## Creating the helm chart + +From the project root, the helm chart scaffolding was generated using +helm version 3.13.1. + +```shell +# Download the latest helm tool +make helm + +# Create the helm directory +mkdir -p helm +cd helm + + +# Create the operator helm chart +../bin/helm create cloud-sql-operator + + +``` \ No newline at end of file diff --git a/helm/cloud-sql-operator-crds/.helmignore b/helm/cloud-sql-operator-crds/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/helm/cloud-sql-operator-crds/.helmignore 
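Review bot: config/crd/bases/_.yaml is a CustomResourceDefinition whose `group`, `kind`, `plural` and `scope` are empty strings and whose `versions` is null, which looks like an accidental controller-gen artifact rather than an intended resource; if this directory is consumed by a kustomization, the object will be rejected by the API server at apply time. If the file is not needed it should be dropped from the commit; if it is intentional, a leading comment such as `# intentionally empty placeholder: <reason>` should say why so the next maintainer does not delete it.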
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/cloud-sql-operator-crds/Chart.yaml b/helm/cloud-sql-operator-crds/Chart.yaml new file mode 100644 index 00000000..a0cd1ea3 --- /dev/null +++ b/helm/cloud-sql-operator-crds/Chart.yaml 
@@ -0,0 +1,38 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: cloud-sql-operator-crds +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.2.0" 
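Review bot: Chart.yaml still carries the `helm create` scaffold text `description: A Helm chart for Kubernetes`, which tells a chart consumer nothing; replace it with what the chart actually ships, e.g. `description: CustomResourceDefinitions for the Cloud SQL Auth Proxy Operator`. `appVersion: "1.2.0"` is a second copy of the operator version that the Makefile already holds in VERSION, so the two will drift unless the helm_generate target rewrites it; if bin/install_to_helm does not already update appVersion, a comment noting that the value is maintained by hand would at least make the coupling visible.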
diff --git a/helm/cloud-sql-operator-crds/templates/CustomResourceDefinition-authproxyworkloads.cloudsql.cloud.google.com.yaml b/helm/cloud-sql-operator-crds/templates/CustomResourceDefinition-authproxyworkloads.cloudsql.cloud.google.com.yaml new file mode 100644 index 00000000..033d36b5 --- /dev/null +++ b/helm/cloud-sql-operator-crds/templates/CustomResourceDefinition-authproxyworkloads.cloudsql.cloud.google.com.yaml 
@@ -0,0 +1,1867 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: {{ .Values.operatorNamespace }}/{{ .Values.operatorName }}-serving-cert + controller-gen.kubebuilder.io/version: v0.13.0 + name: authproxyworkloads.cloudsql.cloud.google.com +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: {{ .Values.operatorName }}-webhook-service + namespace: {{ .Values.operatorNamespace }} + path: /convert + conversionReviewVersions: + - v1 + group: cloudsql.cloud.google.com + names: + kind: AuthProxyWorkload + listKind: AuthProxyWorkloadList + plural: authproxyworkloads + singular: authproxyworkload + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AuthProxyWorkload declares how a Cloud SQL Proxy container should + be applied to a matching set of workloads, and shows the status of those + proxy containers. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AuthProxyWorkloadSpec describes where and how to configure + the proxy. + properties: + authProxyContainer: + description: AuthProxyContainer describes the resources and config + for the Auth Proxy container. + properties: + adminServer: + description: AdminServer specifies the config for the proxy's + admin service which is available to other containers in the + same pod. + properties: + enableAPIs: + description: 'EnableAPIs specifies the list of admin APIs + to enable. At least one API must be enabled. Possible values: + - "Debug" will enable pprof debugging by setting the `--debug` + cli flag. - "QuitQuitQuit" will enable pprof debugging by + setting the `--quitquitquit` cli flag.' + items: + type: string + minItems: 1 + type: array + port: + description: Port the port for the proxy's localhost-only + admin server. This sets the proxy container's CLI argument + `--admin-port` + format: int32 + minimum: 1 + type: integer + type: object + container: + description: Container is debugging parameter that when specified + will override the proxy container with a completely custom Container + spec. + properties: + args: + description: 'Arguments to the entrypoint. The container image''s + CMD is used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s environment. + If a variable cannot be resolved, the reference in the input + string will be unchanged. 
Double $$ are reduced to a single + $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of + whether the variable exists or not. Cannot be updated. More + info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. + The container image''s ENTRYPOINT is used if this is not + provided. Variable references $(VAR_NAME) are expanded using + the container''s environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". Escaped references will + never be expanded, regardless of whether the variable exists + or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. + Cannot be updated. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables + in the container and any service environment variables. + If a variable cannot be resolved, the reference in + the input string will be unchanged. Double $$ are + reduced to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". 
Escaped references + will never be expanded, regardless of whether the + variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables + in the container. The keys defined within a source must + be a C_IDENTIFIER. All invalid keys will be reported as + an event when the container is starting. When a key exists + in multiple sources, the value associated with the last + source will take precedence. Values defined by an Env with + a duplicate key will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of a set + of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each + key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management + to default or override container images in workload controllers + like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take + in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a + container is created. If the handler fails, the container + is terminated and restarted according to its restart + policy. Other management of the container blocks until + the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute + inside the container, the working directory + for the command is root ('/') in the container's + filesystem. The command is simply exec'd, it + is not run inside a shell, so traditional shell + instructions ('|', etc) won't work. To use a + shell, you need to explicitly call out to that + shell. Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to + perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This + will be canonicalized upon output, so + case-variant names will be understood + as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of this field + and lifecycle hooks will fail in runtime when tcp + handler is specified. 
+ properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container + is terminated due to an API request or management event + such as liveness/startup probe failure, preemption, + resource contention, etc. The handler is not called + if the container crashes or exits. The Pod''s termination + grace period countdown begins before the PreStop hook + is executed. Regardless of the outcome of the handler, + the container will eventually terminate within the Pod''s + termination grace period (unless delayed by finalizers). + Other management of the container blocks until the hook + completes or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory + for the command is root ('/') in the container's + filesystem. The command is simply exec'd, it + is not run inside a shell, so traditional shell + instructions ('|', etc) won't work. To use a + shell, you need to explicitly call out to that + shell. Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to + perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. 
+ type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This + will be canonicalized upon output, so + case-variant names will be understood + as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of this field + and lifecycle hooks will fail in runtime when tcp + handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container + will be restarted if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', + etc) won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. If this value is nil, + the pod's terminationGracePeriodSeconds will be used. 
+ Otherwise, this value overrides the value provided by + the pod spec. Value must be non-negative integer. The + value zero indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta field + and requires enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Not + specifying a port here DOES NOT prevent that port from being + exposed. Any port which is listening on the default "0.0.0.0" + address inside a container will be accessible from the network. + Modifying this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network port in + a single container. + properties: + containerPort: + description: Number of port to expose on the pod's IP + address. This must be a valid port number, 0 < x < + 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port + to. + type: string + hostPort: + description: Number of port to expose on the host. If + specified, this must be a valid port number, 0 < x + < 65536. If HostNetwork is specified, this must match + ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. 
Each named port in a pod + must have a unique name. Name for the port that can + be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or + SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if the + probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', + etc) won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. 
+ properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. If this value is nil, + the pod's terminationGracePeriodSeconds will be used. + Otherwise, this value overrides the value provided by + the pod spec. Value must be non-negative integer. The + value zero indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta field + and requires enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents resource resize + policy for the container. + properties: + resourceName: + description: 'Name of the resource to which this resource + resize policy applies. Supported values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when specified + resource is resized. 
If not specified, it defaults + to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. 
+ Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restartPolicy: + description: 'RestartPolicy defines the restart behavior of + individual containers in a pod. This field may only be set + for init containers, and the only allowed value is "Always". + For non-init containers or when this field is not specified, + the restart behavior is defined by the Pod''s restart policy + and the container type. Setting the RestartPolicy as "Always" + for the init container will have the following effect: this + init container will be continually restarted on exit until + all regular containers have terminated. Once all regular + containers have completed, all init containers with restartPolicy + "Always" will be shut down. This lifecycle differs from + normal init containers and is often referred to as a "sidecar" + container. Although this init container still starts in + the init container sequence, it does not wait for the container + to complete before proceeding to the next init container. + Instead, the next init container starts immediately after + this init container is started, or after any startupProbe + has successfully completed.' + type: string + securityContext: + description: 'SecurityContext defines the security options + the container should be run with. If set, the fields of + SecurityContext override the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether + a process can gain more privileges than its parent process. + This bool directly controls if the no_new_privs flag + will be set on the container process. 
AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be + set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that this + field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc mount + to use for the containers. The default is DefaultProcMount + which uses the container runtime defaults for readonly + paths and masked paths. This requires the ProcMountType + feature flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root + filesystem. Default is false. Note that this field cannot + be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set + when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as + a non-root user. If true, the Kubelet will validate + the image at runtime to ensure that it does not run + as UID 0 (root) and fail to start the container if it + does. If unset or false, no such validation will be + performed. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the + container. If unspecified, the container runtime will + allocate a random SELinux context for each container. May + also be set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set + when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & container + level, the container options override the pod options. 
+ Note that this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. The + profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's + configured seccomp profile location. Must be set + if type is "Localhost". Must NOT be set for any + other type. + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: \n Localhost + - a profile defined in a file on the node should + be used. RuntimeDefault - the container runtime + default profile should be used. Unconfined - no + profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to + all containers. If unspecified, the options from the + PodSecurityContext will be used. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set + when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA + admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec + named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of + the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. All + of a Pod's containers must have the same effective + HostProcess value (it is not allowed to have a mix + of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork + must also be set to true. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully + initialized. If specified, no other probes are executed + until this completes successfully. If this probe fails, + the Pod will be restarted, just as if the livenessProbe + failed. This can be used to provide different probe parameters + at the beginning of a Pod''s lifecycle, when it might take + a long time to load data or warm a cache, than during steady-state + operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', + etc) won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC + port. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name. This will + be canonicalized upon output, so case-variant + names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. If this value is nil, + the pod's terminationGracePeriodSeconds will be used. + Otherwise, this value overrides the value provided by + the pod spec. Value must be non-negative integer. The + value zero indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta field + and requires enabling ProbeTerminationGracePeriod feature + gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer + for stdin in the container runtime. 
If this is not set, + reads from stdin in the container will always result in + EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the + stdin channel after it has been opened by a single attach. + When stdin is true the stdin stream will remain open across + multiple attach sessions. If stdinOnce is set to true, stdin + is opened on container start, is empty until the first client + attaches to stdin, and then remains open and accepts data + until the client disconnects, at which time stdin is closed + and remains closed until the container is restarted. If + this flag is false, a container processes that reads from + stdin will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the + container''s termination message will be written is mounted + into the container''s filesystem. Message written is intended + to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. + The total message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be + populated. File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. FallbackToLogsOnError will use the last chunk + of container log output if the termination message file + is empty and the container exited with an error. The log + output is limited to 2048 bytes or 80 lines, whichever is + smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate a TTY + for itself, also requires 'stdin' to be true. Default is + false. 
+ type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to + be used by the container. + items: + description: volumeDevice describes a mapping of a raw block + device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container + that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. + Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: Path within the container at which the + volume should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts + are propagated from the host to container and the + other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise + (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's + volume should be mounted. Defaults to "" (volume's + root). + type: string + subPathExpr: + description: Expanded path within the volume from which + the container's volume should be mounted. Behaves + similarly to SubPath but environment variable references + $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr and SubPath + are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. 
If not specified, + the container runtime's default will be used, which might + be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + image: + description: "Image is the URL to the proxy image. Optional, by + default the operator will use the latest Cloud SQL Auth Proxy + version as of the release of the operator. \n The operator ensures + that all workloads configured with the default proxy image are + upgraded automatically to use to the latest released proxy image. + \n When the customer upgrades the operator, the operator upgrades + all workloads using the default proxy image to the latest proxy + image. The change to the proxy container image is applied in + accordance with the RolloutStrategy." + type: string + maxConnections: + description: MaxConnections limits the number of connections. + Default value is no limit. This sets the proxy container's CLI + argument `--max-connections` + format: int64 + minimum: 0 + type: integer + maxSigtermDelay: + description: MaxSigtermDelay is the maximum number of seconds + to wait for connections to close after receiving a TERM signal. + This sets the proxy container's CLI argument `--max-sigterm-delay` + and configures `terminationGracePeriodSeconds` on the workload's + PodSpec. + format: int64 + minimum: 0 + type: integer + resources: + description: Resources specifies the resources required for the + proxy pod. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. 
It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + rolloutStrategy: + default: Workload + description: 'RolloutStrategy indicates the strategy to use when + rolling out changes to the workloads affected by the results. + When this is set to `Workload`, changes to this resource will + be automatically applied to a running Deployment, StatefulSet, + DaemonSet, or ReplicaSet in accordance with the Strategy set + on that workload. When this is set to `None`, the operator will + take no action to roll out changes to affected workloads. `Workload` + will be used by default if no value is set. 
See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy' + enum: + - Workload + - None + type: string + sqlAdminAPIEndpoint: + description: SQLAdminAPIEndpoint is a debugging parameter that + when specified will change the Google Cloud api endpoint used + by the proxy. + type: string + telemetry: + description: Telemetry specifies how the proxy should expose telemetry. + Optional, by default + properties: + disableMetrics: + description: DisableMetrics disables Cloud Monitoring testintegration + (used with telemetryProject) This sets the proxy container's + CLI argument `--disable-metrics` + type: boolean + disableTraces: + description: DisableTraces disables Cloud Trace testintegration + (used with telemetryProject) This sets the proxy container's + CLI argument `--disable-traces` + type: boolean + httpPort: + description: HTTPPort the port for Prometheus and health check + server. This sets the proxy container's CLI argument `--http-port` + format: int32 + type: integer + prometheus: + description: Prometheus Enables Prometheus HTTP endpoint /metrics + on localhost This sets the proxy container's CLI argument + `--prometheus` + type: boolean + prometheusNamespace: + description: PrometheusNamespace is used the provided Prometheus + namespace for metrics This sets the proxy container's CLI + argument `--prometheus-namespace` + type: string + quotaProject: + description: QuotaProject Specifies the project to use for + Cloud SQL Admin API quota tracking. The IAM principal must + have the "serviceusage.services.use" permission for the + given project. See https://cloud.google.com/service-usage/docs/overview + and https://cloud.google.com/storage/docs/requester-pays + This sets the proxy container's CLI argument `--quota-project` + type: string + telemetryPrefix: + description: TelemetryPrefix is the prefix for Cloud Monitoring + metrics. 
This sets the proxy container's CLI argument `--telemetry-prefix` + type: string + telemetryProject: + description: TelemetryProject enables Cloud Monitoring and + Cloud Trace with the provided project ID. This sets the + proxy container's CLI argument `--telemetry-project` + type: string + telemetrySampleRate: + description: TelemetrySampleRate is the Cloud Trace sample + rate. A smaller number means more traces. This sets the + proxy container's CLI argument `--telemetry-sample-rate` + type: integer + type: object + type: object + instances: + description: Instances describes the Cloud SQL instances to configure + on the proxy container. + items: + description: "InstanceSpec describes the configuration for how the + proxy should expose a Cloud SQL database instance to a workload. + \n In the minimum recommended configuration, the operator will + choose a non-conflicting TCP port and set environment variables + MY_DB_SERVER_PORT MY_DB_SERVER_HOST with the value of the TCP + port and hostname. The application can read these values to connect + to the database through the proxy. For example: \n `{ \"connectionString\":\"my-project:us-central1:my-db-server\", + \"portEnvName\":\"MY_DB_SERVER_PORT\" \"hostEnvName\":\"MY_DB_SERVER_HOST\" + }` \n If you want to assign a specific port number for a database, + set the `port` field. For example: \n `{ \"connectionString\":\"my-project:us-central1:my-db-server\", + \"port\":5000 }`" + properties: + autoIAMAuthN: + description: AutoIAMAuthN (optional) Enables IAM Authentication + for this instance. Default value is false. 
+ type: boolean + connectionString: + description: ConnectionString is the connection string for the + Cloud SQL Instance in the format `project_id:region:instance_name` + pattern: ^([^:]+(:[^:]+)?):([^:]+):([^:]+)$ + type: string + hostEnvName: + description: HostEnvName The name of the environment variable + containing this instances tcp hostname Optional, when set + this environment variable will be added to all containers + in the workload. + type: string + port: + description: Port (optional) sets the tcp port for this instance. + If not set, a value will be automatically assigned by the + operator and set as an environment variable on all containers + in the workload named according to PortEnvName. The operator + will choose a port so that it does not conflict with other + ports on the workload. + format: int32 + minimum: 1 + type: integer + portEnvName: + description: PortEnvName is name of the environment variable + containing this instance's tcp port. Optional, when set this + environment variable will be added to all containers in the + workload. + type: string + privateIP: + description: PrivateIP (optional) Enable connection to the Cloud + SQL instance's private ip for this instance. Default value + is false. + type: boolean + psc: + description: PSC (optional) Enable connection to the Cloud SQL + instance's private service connect endpoint. May not be used + with PrivateIP. Default value is false. + type: boolean + unixSocketPath: + description: UnixSocketPath is the path to the unix socket where + the proxy will listen for connnections. This will be mounted + to all containers in the pod. + type: string + unixSocketPathEnvName: + description: UnixSocketPathEnvName is the environment variable + containing the value of UnixSocketPath. + type: string + type: object + minItems: 1 + type: array + workloadSelector: + description: Workload selects the workload where the proxy container + will be added. 
+ properties: + kind: + description: 'Kind specifies what kind of workload Supported kinds: + Deployment, StatefulSet, Pod, ReplicaSet,DaemonSet, Job, CronJob + Example: "Deployment" "Deployment.v1" or "Deployment.v1.apps".' + pattern: \w+(\.\w+)* + type: string + name: + description: Name specifies the name of the resource to select. + type: string + selector: + description: Selector (optional) selects resources using labels. + See "Label selectors" in the kubernetes docs https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + required: + - kind + type: object + required: + - instances + - workloadSelector + type: object + status: + description: AuthProxyWorkloadStatus presents the observed state of AuthProxyWorkload + using standard Kubernetes Conditions. + properties: + WorkloadStatus: + description: WorkloadStatus presents the observed status of individual + workloads that match this AuthProxyWorkload resource. + items: + description: WorkloadStatus presents the status for how this AuthProxyWorkload + resource was applied to a specific workload. + properties: + conditions: + description: "Conditions show the status of the AuthProxyWorkload + resource on this matching workload. \n The \"UpToDate\" condition + indicates that the proxy was successfully applied to all matching + workloads. See ConditionUpToDate." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + kind: + description: Kind Version Namespace Name identify the specific + workload. 
+ enum: + - Pod + - Deployment + - StatefulSet + - ReplicaSet + - DaemonSet + - Job + - CronJob + type: string + name: + type: string + namespace: + type: string + version: + type: string + required: + - conditions + type: object + type: array + conditions: + description: "Conditions show the overall status of the AuthProxyWorkload + resource on all matching workloads. \n The \"UpToDate\" condition + indicates that the proxy was successfully applied to all matching + workloads. See ConditionUpToDate." + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} \ No newline at end of file diff --git a/helm/cloud-sql-operator-crds/values.yaml b/helm/cloud-sql-operator-crds/values.yaml new file mode 100644 index 00000000..a37b512e --- /dev/null +++ b/helm/cloud-sql-operator-crds/values.yaml 
@@ -0,0 +1,16 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+operatorNamespace: "cloud-sql-proxy-operator-system"
+operatorName: "cloud-sql-proxy-operator"
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/.helmignore b/helm/cloud-sql-operator/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/helm/cloud-sql-operator/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/cloud-sql-operator/Chart.yaml b/helm/cloud-sql-operator/Chart.yaml
new file mode 100644
index 00000000..8b319f84
--- /dev/null
+++ b/helm/cloud-sql-operator/Chart.yaml
@@ -0,0 +1,51 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+name: cloud-sql-operator
+description: A helm chart for the Cloud SQL Auth Proxy Operator
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.2.0"
+
+icon: https://lh3.googleusercontent.com/W3UEBKN5fp9DlpOe7N8rDi738TxH2BV61XKxmF3EFL15utdzE-rK99XBSnOjtXOKFyDf2-FnXnY=s48-w48-rw
+
+## Add cert-manager chart as a dependency
+#dependencies:
+#- name: cloud-sql-operator-crds
+# version: v1.13.1
+# repository: ./charts/
+# alias: cloud-sql-operator-crds
+# version: v1.13.1
+# repository: https://charts.jetstack.io
+# alias: cert-manager
+# condition: cert-manager.enabled
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/csql-icon.webp b/helm/cloud-sql-operator/csql-icon.webp
new file mode 100644
index 00000000..7925071d
Binary files /dev/null and b/helm/cloud-sql-operator/csql-icon.webp differ
diff --git a/helm/cloud-sql-operator/templates/Certificate-serving-cert.yaml b/helm/cloud-sql-operator/templates/Certificate-serving-cert.yaml
new file mode 100644
index 00000000..3a4b6e86
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/Certificate-serving-cert.yaml
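Review bot: The commented-out `dependencies` block at the end of Chart.yaml folds two entries into one — `version: v1.13.1`, `repository: ./charts/` and `alias: cloud-sql-operator-crds` are followed by a second `version`/`repository`/`alias` with no `- name: cert-manager` item, so uncommenting it as-is would not declare what the heading says. Either finish it as two list items or remove it, and record in a comment how the CRD chart (`helm/cloud-sql-operator-crds`) and cert-manager are expected to be installed alongside this chart. `appVersion: "1.2.0"` is presumably meant to track the operator image tag used by the Deployment template, which is not in this chunk; a comment such as `# appVersion must match the operator image tag the Deployment template uses` would make that coupling explicit for whoever bumps one without the other.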
@@ -0,0 +1,27 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Release.Name }}-serving-cert
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - {{ .Release.Name }}-webhook-service.{{ .Release.Namespace }}.svc
+ - {{ .Release.Name }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: {{ .Release.Name }}-selfsigned-issuer
+ secretName: webhook-server-cert
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/ClusterRole-manager-role.yaml b/helm/cloud-sql-operator/templates/ClusterRole-manager-role.yaml
new file mode 100644
index 00000000..61df54b4
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/ClusterRole-manager-role.yaml
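Review bot: `secretName: webhook-server-cert` is the one identifier in this template that is not prefixed with `{{ .Release.Name }}`, so two releases of the chart in the same namespace would both have cert-manager write their serving keypair into the same Secret, and the last issuance wins for both webhooks. If the Deployment's volume that mounts this Secret (outside this chunk) can be changed in step, `secretName: {{ .Release.Name }}-webhook-server-cert` keeps the Secret per release; otherwise a comment above the line noting that the name is pinned by the Deployment's volume would stop the next reader from "fixing" only one side. No `duration`/`renewBefore` is set, so cert-manager's defaults govern rotation of the webhook serving cert; that is acceptable for a self-signed issuer, but a one-line comment saying the defaults are intentional is cheap.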
@@ -0,0 +1,91 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}-manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - patch
+ - update
+- apiGroups:
+ - batch
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - cloudsql.cloud.google.com
+ resources:
+ - authproxyworkloads
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cloudsql.cloud.google.com
+ resources:
+ - authproxyworkloads/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - cloudsql.cloud.google.com
+ resources:
+ - authproxyworkloads/status
+ verbs:
+ - get
+ - patch
+ - update
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/ClusterRole-metrics-reader.yaml b/helm/cloud-sql-operator/templates/ClusterRole-metrics-reader.yaml
new file mode 100644
index 00000000..18507337
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/ClusterRole-metrics-reader.yaml
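Review bot: The first and third rules grant `get`/`list`/`watch` on `resources: '*'` in the core group and in `apps`, cluster-wide, which includes every Secret and ConfigMap in every namespace — far more than a sidecar-injecting operator needs, and a compromise of the controller-manager's ServiceAccount token would inherit cluster-wide read of all Secrets. The later rules already enumerate the kinds the operator mutates (pods, daemonsets, deployments, replicasets, statefulsets, authproxyworkloads), so the wildcard read rules can be narrowed to the kinds it actually watches, and the `batch` wildcard to `jobs`/`cronjobs` if those are what the workload selector supports. If this template is produced from the kustomize output by `bin/install_to_helm`, the narrowing belongs in the kubebuilder RBAC markers in the Go source so it is not overwritten by the next `helm_generate`. If the wildcards are deliberate, a comment in the template naming the reason would keep a future reviewer from tightening them blindly.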
@@ -0,0 +1,23 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/ClusterRole-proxy-role.yaml b/helm/cloud-sql-operator/templates/ClusterRole-proxy-role.yaml
new file mode 100644
index 00000000..1048fcb2
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/ClusterRole-proxy-role.yaml
@@ -0,0 +1,31 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Name }}-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/ClusterRoleBinding-manager-rolebinding.yaml b/helm/cloud-sql-operator/templates/ClusterRoleBinding-manager-rolebinding.yaml
new file mode 100644
index 00000000..0cd18893
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/ClusterRoleBinding-manager-rolebinding.yaml
@@ -0,0 +1,26 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-manager-role
+subjects:
+- kind: ServiceAccount
+ name: {{ .Release.Name }}-controller-manager
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/ClusterRoleBinding-proxy-rolebinding.yaml b/helm/cloud-sql-operator/templates/ClusterRoleBinding-proxy-rolebinding.yaml
new file mode 100644
index 00000000..759dac69
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/ClusterRoleBinding-proxy-rolebinding.yaml
@@ -0,0 +1,26 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: {{ .Release.Name }}-controller-manager
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/ConfigMap-manager-config.yaml b/helm/cloud-sql-operator/templates/ConfigMap-manager-config.yaml
new file mode 100644
index 00000000..f201f822
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/ConfigMap-manager-config.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+data:
+ controller_manager_config.yaml: |
+ # Copyright 2022 Google LLC.
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ apiVersion: controller-runtime.sigs.k8s.io/v1
+ kind: ControllerManagerConfig
+ health:
+ healthProbeBindAddress: :8081
+ metrics:
+ bindAddress: 127.0.0.1:8080
+ webhook:
+ port: 9443
+ leaderElection:
+ leaderElect: true
+ resourceName: 76941ffa.cloud.google.com
+ # leaderElectionReleaseOnCancel defines if the leader should step down volume
+ # when the Manager ends. This requires the binary to immediately end when the
+ # Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+ # speeds up voluntary leader transitions as the new leader don't have to wait
+ # LeaseDuration time first.
+ # In the default scaffold provided, the program ends immediately after
+ # the manager stops, so would be fine to enable this option. However,
+ # if you are doing or is intended to do any operation such as perform cleanups
+ # after the manager stops then its usage might be unsafe.
+ # leaderElectionReleaseOnCancel: true
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-manager-config
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/Issuer-selfsigned-issuer.yaml b/helm/cloud-sql-operator/templates/Issuer-selfsigned-issuer.yaml
new file mode 100644
index 00000000..b1d440e9
--- /dev/null
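Review bot: `resourceName: 76941ffa.cloud.google.com` pins the leader-election lease name while every other identifier in the chart is release-scoped, so two releases installed into one namespace would contend for the same Lease and only one manager would ever become active; if the manager actually consumes this ConfigMap (the Deployment is outside this chunk), something like `resourceName: {{ .Release.Name }}-leader-election` keeps releases independent. This template is also the only one in the chart without the Apache header at the top of the file, and the embedded config says `Copyright 2022` where the others say 2023, which suggests it was copied from config/ rather than produced with the rest. The ten-line `leaderElectionReleaseOnCancel` scaffold comment could be cut to the single line that states the option is left off.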
+++ b/helm/cloud-sql-operator/templates/Issuer-selfsigned-issuer.yaml
@@ -0,0 +1,21 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Release.Name }}-selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/MutatingWebhookConfiguration-mutating-core-webhook-configuration.yaml b/helm/cloud-sql-operator/templates/MutatingWebhookConfiguration-mutating-core-webhook-configuration.yaml
new file mode 100644
index 00000000..d20dad30
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/MutatingWebhookConfiguration-mutating-core-webhook-configuration.yaml
@@ -0,0 +1,43 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}-serving-cert
+ name: {{ .Release.Name }}-mutating-core-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ .Release.Name }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-pods
+ failurePolicy: Ignore
+ matchPolicy: Equivalent
+ name: pods.proxy.cloudsql.google.com
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
+ scope: '*'
+ sideEffects: None
+ timeoutSeconds: 2
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/MutatingWebhookConfiguration-mutating-webhook-configuration.yaml b/helm/cloud-sql-operator/templates/MutatingWebhookConfiguration-mutating-webhook-configuration.yaml
new file mode 100644
index 00000000..42f63e92
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/MutatingWebhookConfiguration-mutating-webhook-configuration.yaml
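Review bot: `failurePolicy: Ignore` together with `timeoutSeconds: 2` makes the pod-injection webhook fail open: whenever the operator is down, restarting, or slower than two seconds, a matching pod is admitted without the proxy sidecar and the admission succeeds silently, so the workload starts with no path to its database and nothing in the pod says why. That is a defensible trade-off — a fail-closed pod webhook with no `namespaceSelector` would block every pod creation in the cluster, including the operator's own — but it should be stated in a comment above `failurePolicy` and surfaced as a value, e.g. `failurePolicy: {{ .Values.webhook.podFailurePolicy | default "Ignore" }}` (value name constructed here), so installations that prefer fail-closed can opt in. With no `namespaceSelector` or `objectSelector`, every pod CREATE in every namespace, kube-system included, is routed to the operator; a selector that excludes the operator's own namespace and system namespaces would cut both the load and the set of pods whose admission depends on this service.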
@@ -0,0 +1,41 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}-serving-cert
+ name: {{ .Release.Name }}-mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ .Release.Name }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-cloudsql-cloud-google-com-v1-authproxyworkload
+ failurePolicy: Fail
+ name: mauthproxyworkload.kb.io
+ rules:
+ - apiGroups:
+ - cloudsql.cloud.google.com
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - authproxyworkloads
+ sideEffects: None
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/NOTES.txt b/helm/cloud-sql-operator/templates/NOTES.txt
new file mode 100644
index 00000000..b95ca717
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/NOTES.txt
@@ -0,0 +1,2 @@
+Check that the operator is running by running these commands:
+kubectl -n {{ .Release.Namespace }} get pods
diff --git a/helm/cloud-sql-operator/templates/Role-leader-election-role.yaml b/helm/cloud-sql-operator/templates/Role-leader-election-role.yaml
new file mode 100644
index 00000000..60f892d9
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/Role-leader-election-role.yaml
@@ -0,0 +1,51 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-leader-election-role
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/RoleBinding-leader-election-rolebinding.yaml b/helm/cloud-sql-operator/templates/RoleBinding-leader-election-rolebinding.yaml
new file mode 100644
index 00000000..b4fee166
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/RoleBinding-leader-election-rolebinding.yaml
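Review bot: The `configmaps` rule grants full create/update/patch/delete in the operator namespace, which is only needed by the legacy ConfigMap-based leader election; the `leases` rule that follows covers the lock controller-runtime uses when configured for leases. If the manager runs with lease-based election (its flags are not visible here), the configmaps rule can be dropped so the Role matches what the process does; if it is kept for a migration window, a comment such as `# configmaps: only needed for the configmapsleases migration lock; remove once on leases` records why, since a full-CRUD rule on ConfigMaps in the namespace that also holds the manager's own config is otherwise hard to justify.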
@@ -0,0 +1,27 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-leader-election-rolebinding
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: {{ .Release.Name }}-controller-manager
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/Service-controller-manager-metrics-service.yaml b/helm/cloud-sql-operator/templates/Service-controller-manager-metrics-service.yaml
new file mode 100644
index 00000000..69b33f3e
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/Service-controller-manager-metrics-service.yaml
@@ -0,0 +1,29 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: {{ .Release.Name }}-controller-manager-metrics-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/Service-webhook-service.yaml b/helm/cloud-sql-operator/templates/Service-webhook-service.yaml
new file mode 100644
index 00000000..c23ee78e
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/Service-webhook-service.yaml
@@ -0,0 +1,26 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ control-plane: controller-manager
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/ServiceAccount-controller-manager.yaml b/helm/cloud-sql-operator/templates/ServiceAccount-controller-manager.yaml
new file mode 100644
index 00000000..0e043576
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/ServiceAccount-controller-manager.yaml
@@ -0,0 +1,19 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-controller-manager
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/helm/cloud-sql-operator/templates/ValidatingWebhookConfiguration-validating-webhook-configuration.yaml b/helm/cloud-sql-operator/templates/ValidatingWebhookConfiguration-validating-webhook-configuration.yaml
new file mode 100644
index 00000000..5172aad3
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/ValidatingWebhookConfiguration-validating-webhook-configuration.yaml
@@ -0,0 +1,41 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}-serving-cert
+ name: {{ .Release.Name }}-validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ .Release.Name }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-cloudsql-cloud-google-com-v1-authproxyworkload
+ failurePolicy: Fail
+ name: vauthproxyworkload.kb.io
+ rules:
+ - apiGroups:
+ - cloudsql.cloud.google.com
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - authproxyworkloads
+ sideEffects: None
diff --git a/helm/cloud-sql-operator/templates/_helpers.tpl b/helm/cloud-sql-operator/templates/_helpers.tpl
new file mode 100644
index 00000000..c2d3fc73
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cloud-sql-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cloud-sql-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cloud-sql-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cloud-sql-operator.labels" -}}
+helm.sh/chart: {{ include "cloud-sql-operator.chart" . }}
+{{ include "cloud-sql-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cloud-sql-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cloud-sql-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cloud-sql-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cloud-sql-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
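Review bot: `cloud-sql-operator.serviceAccountName` at the end of this hunk dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the values.yaml added by this change defines no `serviceAccount` key, so any template that includes the helper fails to render (Helm reports a nil pointer evaluating the missing map). Nothing in this change includes it — deployment.yaml hard-codes `serviceAccountName: {{ .Release.Name }}-controller-manager` — so it is currently dead `helm create` boilerplate that will bite the first person who uses it. Either remove the helper, or add `serviceAccount: {create: true, name: ""}` to values.yaml and have the Deployment, ServiceAccount and RoleBinding templates all go through it so the account name is defined in one place.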
diff --git a/helm/cloud-sql-operator/templates/deployment.yaml b/helm/cloud-sql-operator/templates/deployment.yaml
new file mode 100644
index 00000000..06e2a9b3
--- /dev/null
+++ b/helm/cloud-sql-operator/templates/deployment.yaml
@@ -0,0 +1,127 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "cloud-sql-operator.fullname" . }}
+ labels:
+ {{- include "cloud-sql-operator.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "cloud-sql-operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "cloud-sql-operator.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - --leader-elect
+ command:
+ - /manager
+ image: gcr.io/cloud-sql-connectors/cloud-sql-operator/cloud-sql-proxy-operator:1.2.0
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+
+ periodSeconds: 20
+ name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=0
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ serviceAccountName: {{ .Release.Name }}-controller-manager
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/helm/cloud-sql-operator/values.yaml b/helm/cloud-sql-operator/values.yaml
new file mode 100644
index 00000000..4cde724c
--- /dev/null
+++ b/helm/cloud-sql-operator/values.yaml
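Review bot: The manager container's `image:` is the fixed string `gcr.io/cloud-sql-connectors/cloud-sql-operator/cloud-sql-proxy-operator:1.2.0`, so `.Values.image.repository`, `.Values.image.tag` and `.Values.image.pullPolicy` from values.yaml are never read; in particular the `--set image.repository=$E2E_OPERATOR_URL` passed by tools/helm-install-operator.sh in this same change has no effect, and the e2e run would exercise the published 1.2.0 image rather than the build under test. Use `image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"` and `imagePullPolicy: {{ .Values.image.pullPolicy }}` instead. The same applies to the hard-coded `resources:` and container `securityContext:` blocks, which ignore `.Values.resources` and `.Values.securityContext` (values.yaml, next hunk), so the commented `readOnlyRootFilesystem`/`runAsUser` hardening options there can never take effect. The `secretName: webhook-server-cert` volume is not release-prefixed while the webhook configuration's `cert-manager.io/inject-ca-from` annotation expects a Certificate named `{{ .Release.Name }}-serving-cert`; the Certificate template is not in this chunk, so confirm the secret it issues really is `webhook-server-cert`.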
@@ -0,0 +1,64 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for cloud-sql-operator.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ repository: gcr.io/cloud-sql-connectors/cloud-sql-operator/cloud-sql-proxy-operator
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+replicaCount: 2
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+podAnnotations:
+ kubectl.kubernetes.io/default-container: manager
+
+podLabels:
+ control-plane: controller-manager
+
+podSecurityContext:
+ runAsNonRoot: true
+ # fsGroup: 2000
+
+securityContext:
+ runAsNonRoot: true
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsUser: 1000
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/tools/build-identifier.sh b/tools/build-identifier.sh
index 7d3c82f8..d40d2c6a 100755
--- a/tools/build-identifier.sh
+++ b/tools/build-identifier.sh @@ -23,14 +23,19 @@ if [[ -n ${RELEASE_TEST_BUILD_ID:-} ]] ; then fi NOW=$(date -u "+%Y%m%dT%H%M" | tr -d "\n") -GIT_HEAD=$( git rev-parse HEAD | tr -d "\n") +if [[ -d .git ]] ; then + GIT_HEAD=$( git rev-parse HEAD | tr -d "\n") + + if git diff HEAD --exit-code --quiet ; then + # git working dir is clean. + IMAGE_VERSION="$GIT_HEAD" + else + # git working dir is dirty, append "dirty" and the timestamp + IMAGE_VERSION="$GIT_HEAD-dirty-${NOW}" + fi -if git diff HEAD --exit-code --quiet ; then - # git working dir is clean. - IMAGE_VERSION="$GIT_HEAD" else - # git working dir is dirty, append "dirty" and the timestamp - IMAGE_VERSION="$GIT_HEAD-dirty-${NOW}" + IMAGE_VERSION="0000000-dirty-${NOW}" fi echo -n "$IMAGE_VERSION" diff --git a/tools/helm-install-operator.sh b/tools/helm-install-operator.sh new file mode 100755 index 00000000..d264f4ae --- /dev/null +++ b/tools/helm-install-operator.sh 
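Review bot: `[[ -d .git ]]` misses checkouts where `.git` is a file (git worktrees and submodules), so such builds silently take the new `else` branch and are tagged `0000000-dirty-<timestamp>`, a string shaped like a commit id that cannot be traced back to any source revision. Ask git instead of probing the directory: `if git rev-parse --verify HEAD > /dev/null 2>&1 ; then`. The fallback also deserves a comment stating what it is for, e.g. `# not a git checkout (e.g. a source archive): use a placeholder id so the build is visibly untraceable`. The script continues before and after this hunk.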
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+function install() {
+ helm repo update --kubeconfig "${KUBECONFIG}"
+
+ helm --kubeconfig "${KUBECONFIG}" uninstall cloud-sql-proxy-operator || true
+
+ helm --kubeconfig "${KUBECONFIG}" uninstall cloud-sql-proxy-operator-crds || true
+
+ kubectl delete ns helm-cloud-sql-operator || true
+
+ helm --kubeconfig "${KUBECONFIG}" "install" --replace \
+ cloud-sql-proxy-operator-crds "$PROJECT_DIR/helm/cloud-sql-operator-crds" \
+ --set "operatorNamespace=helm-cloud-sql-operator" \
+ --set "operatorName=cloud-sql-proxy-operator"
+
+ helm --kubeconfig "${KUBECONFIG}" "install" --replace \
+ cloud-sql-proxy-operator "$PROJECT_DIR/helm/cloud-sql-operator" \
+ --create-namespace \
+ --namespace helm-cloud-sql-operator \
+ --set "image.repository=$E2E_OPERATOR_URL"
+}
+
+
+# Configure script to fail on any command error
+set -euxo pipefail
+
+# Find project directory, cd to project directory
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+PROJECT_DIR=$( dirname "$SCRIPT_DIR")
+cd "$PROJECT_DIR"
+
+# Validate input environment variables
+#expects KUBECONFIG to be set by the caller
+if [[ -z "${KUBECONFIG_E2E:-}" ]]; then
+ echo "expects KUBECONFIG_E2E to be the path to the kubeconfig file for kubectl."
+ exit 1
+fi
+if [[ -z "${PRIVATE_KUBECONFIG_E2E:-}" ]]; then
+ echo "expects PRIVATE_KUBECONFIG_E2E to be the path to the kubeconfig file for kubectl."
+ exit 1
+fi
+
+#expects E2E_OPERATOR_URL to be set by the caller
+if [[ -z "${E2E_OPERATOR_URL:-}" ]]; then
+ echo "expects E2E_OPERATOR_URL to be the URL to the operator image."
+ exit 1
+fi
+
+export KUBECONFIG=$KUBECONFIG_E2E
+install
+
diff --git a/tools/install_to_helm.go b/tools/install_to_helm.go
new file mode 100644
index 00000000..e2297fc6
--- /dev/null
+++ b/tools/install_to_helm.go
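Review bot: `helm uninstall cloud-sql-proxy-operator` in `install()` runs without `--namespace`, so it looks in the kubeconfig's current namespace while the operator release is installed into `helm-cloud-sql-operator`; the uninstall therefore never finds the release, its failure is hidden by `|| true`, and cleanup of the previous run falls to `kubectl delete ns`, which does not remove the chart's cluster-scoped objects such as the ValidatingWebhookConfiguration added in this change. Pass the namespace explicitly: `helm --kubeconfig "${KUBECONFIG}" uninstall cloud-sql-proxy-operator --namespace helm-cloud-sql-operator || true`. `PRIVATE_KUBECONFIG_E2E` is required by the input validation but never used in the script, so either drop the check or say in a comment what it is reserved for. `kubectl delete ns` is the one call without `--kubeconfig`; it works only because `KUBECONFIG` is exported immediately before `install` is invoked, which is worth a one-line comment at the call site.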
@@ -0,0 +1,121 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Copies the static yaml installer output and turns it into a helm chart
+// template
+package main
+
+import (
+ "bytes"
+ "flag"
+ "fmt"
+ "os"
+ "path"
+ "strings"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/yaml"
+)
+
+type document struct {
+ metav1.TypeMeta `json:",inline"`
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ // +optional
+ metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+}
+
+func main() {
+ installYaml := flag.String("installYaml", "", "The install yaml file")
+ operatorChartDir := flag.String("operatorChartDir", "", "The operator helm chart directory")
+ crdChartDir := flag.String("crdChartDir", "", "The crd helm chart directory")
+ flag.Parse()
+ fmt.Printf("Converting install yaml %v to helm chart at %v and %v.", *installYaml, *operatorChartDir, *crdChartDir)
+ read(*installYaml, *operatorChartDir, *crdChartDir)
+}
+
+func read(installYaml, operatorChartDir, crdChardDir string) {
+ // read the output.yaml file
+ data, err := os.ReadFile(installYaml)
+ if err != nil {
+ panic(err)
+ }
+
+ // Split on '---'
+ docs := bytes.Split(data, []byte{'\n', '-', '-', '-', '\n'})
+ fmt.Println("Starting docs...")
+ fmt.Println()
+ for i, docBytes := range docs {
+
+ var doc document
+ if err := yaml.Unmarshal(docBytes, &doc); err != nil {
+ panic(err)
+ }
+ fmt.Printf("Doc %d\n", i)
+ // print the fields to the console
+ fmt.Printf("%d, %v %v\n", i, doc.Kind, doc.Name)
+
+ var filename = fmt.Sprintf("%s-%s.yaml", doc.Kind, strings.Replace(doc.Name, "cloud-sql-proxy-operator-", "", 1))
+
+ var filePath string
+ var content []byte
+ switch doc.Kind {
+ case "Namespace":
+ filePath = path.Join(crdChardDir, "templates", filename)
+ content = makeCrdChartReplacements(docBytes)
+ case "Deployment":
+ // ignore the deployment, this is a custom-written chart
+ case "CustomResourceDefinition":
+ filePath = path.Join(crdChardDir, "templates", filename)
+ content = makeCrdChartReplacements(docBytes)
+ default:
+ filePath = path.Join(operatorChartDir, "templates", filename)
+ content = makeChartReplacements(docBytes)
+ }
+
+ if filePath == "" {
+ continue
+ }
+
+ err := os.WriteFile(filePath, content, 0644)
+ if err != nil {
+ panic(err)
+ }
+ }
+
+}
+
+func makeChartReplacements(data []byte) []byte {
+ content := string(data)
+
+ // Namespace
+ content = strings.Replace(content, "cloud-sql-proxy-operator-system", "{{ .Release.Namespace }}", -1)
+
+ // Name
+ content = strings.Replace(content, "cloud-sql-proxy-operator", "{{ .Release.Name }}", -1)
+
+ return []byte(content)
+}
+
+func makeCrdChartReplacements(data []byte) []byte {
+ content := string(data)
+
+ // Namespace
+ content = strings.Replace(content, "cloud-sql-proxy-operator-system", "{{ .Values.operatorNamespace }}", -1)
+
+ // Name
+ content = strings.Replace(content, "cloud-sql-proxy-operator", "{{ .Values.operatorName }}", -1)
+
+ return []byte(content)
+}
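Review bot: An empty document from `bytes.Split` in `read` (a leading or trailing `---`, or two separators in a row) should unmarshal without error into a `document` with empty Kind and Name, fall into the `default` case of the switch, and be written to `<operatorChartDir>/templates/-.yaml`; skip it before unmarshalling with `if len(bytes.TrimSpace(docBytes)) == 0 { continue }`. `makeChartReplacements` and `makeCrdChartReplacements` are plain substring rewrites, so any value that merely contains `cloud-sql-proxy-operator` (the manager image reference, for one) would be templated too — the `case "Deployment"` skip is what avoids that today, and its comment should say so, e.g. `// skip: the chart's deployment.yaml is hand-written, and the image ref would be mangled by the substring replace below`. The order of the two `strings.Replace` calls in each helper (the `-system` namespace first, then the bare name) is load-bearing and deserves a comment so nobody swaps them. The generated templates carry no "generated by tools/install_to_helm.go, do not edit" header, so a hand edit to one of them is silently overwritten by the next `make helm_generate`; and `path.Join` should be `filepath.Join` for on-disk paths.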