Merge branch 'devel' into add-seccomp

Author: benjaminjb

helm/install/.gitattributes

@@ -0,0 +1,3 @@
+# https://github.com/github/linguist/issues/4905
+# https://github.com/github/linguist/issues/5092#issuecomment-730262298
+/templates/*.tpl linguist-language=handlebars

helm/install/.helmignore

@@ -0,0 +1 @@
+.git*

helm/install/Chart.yaml

@@ -1,6 +1,7 @@
 apiVersion: v2
 name: pgo
 description: Installer for PGO, the open source Postgres Operator from Crunchy Data
+
 type: application
-version: 0.2.5
+version: 0.3.0
 appVersion: 5.1.0

helm/install/crds/postgres-operator.crunchydata.com_pgupgrades.yaml

@@ -9409,9 +9409,3 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

helm/install/crds/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -8,31 +8,26 @@ Create chart name and version as used by the chart label.
 {{/*
 Crunchy labels
 */}}
-{{- define "install.crunchyLabels" -}}
+{{- define "install.clusterLabels" -}}
 postgres-operator.crunchydata.com/control-plane: {{ .Chart.Name }}
 {{- end }}
+{{- define "install.upgradeLabels" -}}
+postgres-operator.crunchydata.com/control-plane: {{ .Chart.Name }}-upgrade
+{{- end }}
 
 {{/*
 Common labels
 */}}
 {{- define "install.labels" -}}
 helm.sh/chart: {{ include "install.chart" . }}
-{{ include "install.selectorLabels" . }}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
-{{/*
-Selector labels
-*/}}
-{{- define "install.selectorLabels" -}}
-app.kubernetes.io/name: {{ .Chart.Name }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{ include "install.crunchyLabels" .}}
-{{- end }}
-
 {{/*
 Create the name of the service account to use
 */}}
@@ -77,3 +72,23 @@ Role
 ClusterRole
 {{- end }}
 {{- end }}
+
+{{- define "install.imagePullSecrets" -}}
+{{/* Earlier versions required the full structure of PodSpec.ImagePullSecrets */}}
+{{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets }}
+{{- else if .Values.imagePullSecretNames }}
+imagePullSecrets:
+{{- range .Values.imagePullSecretNames }}
+- name: {{ . | quote }}
+{{- end }}{{/* range */}}
+{{- end }}{{/* if */}}
+{{- end }}{{/* define */}}
+
+{{- define "install.relatedImages" -}}
+{{- range $id, $object := .Values.relatedImages }}
+- name: RELATED_IMAGE_{{ $id | upper }}
+  value: {{ $object.image | quote }}
+{{- end }}
+{{- end }}

helm/install/templates/_helpers.tpl

@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Chart.Name }}-upgrade
+  labels:
+    {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.upgradeLabels" . | nindent 4 }}
+spec:
+  replicas: 1
+  strategy: { type: Recreate }
+  selector:
+    matchLabels:
+      {{- include "install.upgradeLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "install.upgradeLabels" . | nindent 8 }}
+    spec:
+      {{- include "install.imagePullSecrets" . | indent 6 }}
+      serviceAccountName: {{ include "install.serviceAccountName" . }}-upgrade
+      containers:
+      - name: operator
+        image: {{ required ".Values.controllerImages.upgrade is required" .Values.controllerImages.upgrade | quote }}
+        env:
+        - name: CRUNCHY_DEBUG
+          value: {{ .Values.debug | ne false | quote }}
+        {{- if .Values.singleNamespace }}
+        - name: PGO_TARGET_NAMESPACE
+          valueFrom: { fieldRef: { apiVersion: v1, fieldPath: metadata.namespace } }
+        {{- end }}
+        {{- if .Values.workers }}
+        - name: PGO_WORKERS
+          value: {{ .Values.workers | quote }}
+        {{- end }}
+        {{- include "install.relatedImages" . | indent 8 }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true

helm/install/templates/manager-upgrade.yaml

@@ -1,34 +1,32 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ .Chart.Name }}
   labels:
     {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.clusterLabels" . | nindent 4 }}
 spec:
   replicas: 1
   strategy: { type: Recreate }
   selector:
     matchLabels:
-      {{- include "install.crunchyLabels" . | nindent 6 }}
+      {{- include "install.clusterLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
-        {{- include "install.crunchyLabels" . | nindent 8 }}
+        {{- include "install.clusterLabels" . | nindent 8 }}
     spec:
+      {{- include "install.imagePullSecrets" . | indent 6 }}
+      serviceAccountName: {{ include "install.serviceAccountName" . }}
       containers:
       - name: operator
-        image: "{{ .Values.image.image }}"
+        image: {{ required ".Values.controllerImages.cluster is required" .Values.controllerImages.cluster | quote }}
         env:
-        - name: PGO_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
         - name: CRUNCHY_DEBUG
-          value: {{ if eq .Values.debug false  }}"false"{{- else }}"true"{{- end }}
-        {{- range  $image_name, $image_val := .Values.relatedImages }}
-        - name: RELATED_IMAGE_{{ $image_name | upper }}
-          value: "{{ $image_val.image }}"
-        {{- end }}
+          value: {{ .Values.debug | ne false | quote }}
+        - name: PGO_NAMESPACE
+          valueFrom: { fieldRef: { apiVersion: v1, fieldPath: metadata.namespace } }
         {{- if .Values.singleNamespace }}
         - name: PGO_TARGET_NAMESPACE
           valueFrom: { fieldRef: { apiVersion: v1, fieldPath: metadata.namespace } }
@@ -37,7 +35,8 @@ spec:
         - name: PGO_WORKERS
           value: {{ .Values.workers | quote }}
         {{- end }}
-        {{- if (default false .Values.disable_check_for_upgrades) }}
+        {{- include "install.relatedImages" . | indent 8 }}
+        {{- if .Values.disable_check_for_upgrades }}
         - name: CHECK_FOR_UPGRADES
           value: "false"
         {{- end }}
@@ -47,4 +46,3 @@ spec:
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
-      serviceAccount: {{ include "install.serviceAccountName" . }}

helm/install/templates/manager.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ include "install.roleKind" . }}
+metadata:
+  name: {{ include "install.roleName" . }}-upgrade
+  labels:
+    {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.upgradeLabels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades/finalizers
+  verbs:
+  - patch
+  - update
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades/status
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters/status
+  verbs:
+  - patch

helm/install/templates/role-upgrade.yaml

@@ -1,9 +1,11 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: {{ include "install.roleKind" . }}
 metadata:
   name: {{ include "install.roleName" . }}
   labels:
     {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.clusterLabels" . | nindent 4 }}
 rules:
 - apiGroups:
   - ''