feat(common): add manifest updater and versioning logic (#277)

* feat(common): add manifest updater and versioning logic

* fix typo

* typo2

* force int

* install metallb

* allow disabling manifest loading

* skip manifest loading for unittests

* move metallb version to values.yaml

* give it all-access

* more verbosity

* no message

* hmmm

* remerge some stuff

* caps
Kjeld Schouten-Lebbing
2022-11-05 18:44:29 +01:00
committed by GitHub
parent 1bca37f8b3
commit fc93547667
7 changed files with 212 additions and 4 deletions


@@ -15,4 +15,5 @@ maintainers:
name: common
sources: null
type: library
version: 10.7.20
version: 10.8.0


@@ -0,0 +1,115 @@
{{- define "tc.common.lib.util.manifest.update" -}}
{{- if .Values.manifests.enabled }}
{{- $fullName := include "tc.common.names.fullname" . -}}
{{- $manifestprevious := lookup "v1" "ConfigMap" "tc-system" "manifestversion" }}
{{- $manifestVersionOld := 0 }}
{{- $manifestversion := .Values.manifests.version }}
{{- if $manifestprevious }}
{{- $manifestVersionOld = ( index $manifestprevious.data "manifestversion" )}}
{{- end }}
{{- if gt ( int $manifestversion ) ( int $manifestVersionOld ) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: {{ .Release.Namespace }}
name: {{ $fullName }}-manifests
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-7"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
data:
tcman.yaml: |-
apiVersion: v1
kind: Namespace
metadata:
name: tc-system
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: tc-system
name: manifestversion
data:
manifestversion: "{{ .Values.manifests.version }}"
metalLBVersion: "{{ .Values.manifests.metalLBVersion }}"
---
apiVersion: batch/v1
kind: Job
metadata:
namespace: {{ .Release.Namespace }}
name: {{ $fullName }}-manifests
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-6"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
template:
spec:
serviceAccountName: {{ $fullName }}-manifests
containers:
- name: {{ $fullName }}-manifests
image: {{ .Values.ubuntuImage.repository }}:{{ .Values.ubuntuImage.tag }}
volumeMounts:
- name: {{ $fullName }}-manifests
mountPath: /etc/manifests
readOnly: true
command:
- "/bin/sh"
- "-c"
- |
/bin/bash <<'EOF'
echo "installing metallb backend..."
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v{{ .Values.manifests.metalLBVersion}}/config/manifests/metallb-native.yaml
echo "installing other manifests..."
kubectl apply -f /etc/manifests
EOF
volumes:
- name: {{ $fullName }}-manifests
configMap:
name: {{ $fullName }}-manifests
restartPolicy: Never
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $fullName }}-manifests
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-7"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $fullName }}-manifests
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-7"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $fullName }}-manifests
subjects:
- kind: ServiceAccount
name: {{ $fullName }}-manifests
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $fullName }}-manifests
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-7"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
{{- end }}
{{- end }}
{{- end -}}
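Review bot: The Job's script runs `kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v…/config/manifests/metallb-native.yaml` under a ServiceAccount bound to the `apiGroups: ["*"]` / `resources: ["*"]` / `verbs: ["*"]` ClusterRole, so whatever that URL serves at hook time is applied with full cluster rights and nothing checks its content. A tag ref can be re-pointed upstream; shipping the MetalLB manifest inside the chart, or verifying a pinned checksum before applying, would remove the install-time network trust, and the ClusterRole could then be narrowed towards the kinds actually applied. The script also has no `set -e`, so a failed MetalLB apply is still followed by `kubectl apply -f /etc/manifests`, which writes the new `manifestversion` and lets the Job exit 0; `set -e` as the first line inside the heredoc would stop that. The RBAC hooks use `hook-succeeded,before-hook-creation`; if I read Helm's hook handling correctly, a failed Job leaves the wildcard ClusterRoleBinding in place until the next install or upgrade, so adding `hook-failed` on the ClusterRole, ClusterRoleBinding and ServiceAccount is worth considering.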


@@ -61,4 +61,6 @@ Secondary entrypoint and primary loader for the common chart
{{ include "tc.common.spawner.networkpolicy" . | nindent 0 }}
{{ include "tc.common.lib.util.crd.update" . | nindent 0 }}
{{ include "tc.common.lib.util.manifest.update" . | nindent 0 }}
{{- end -}}


@@ -1,7 +1,6 @@
{{/* load all list to dict injectors */}}
{{- define "tc.common.loader.lists" -}}
{{ include "tc.common.lib.values.controller.label.list" . }}
{{ include "tc.common.lib.values.controller.annotations.list" . }}
@@ -19,6 +18,4 @@
{{ include "tc.common.lib.values.ingress.label.list" . }}
{{ include "tc.common.lib.values.ingress.annotations.list" . }}
{{- end -}}


@@ -66,6 +66,12 @@ ubuntuImage:
# -- Specify the redis image pull policy
pullPolicy: IfNotPresent
# -- Used to inject our own operator manifests into SCALE
manifests:
enabled: true
version: 1
metalLBVersion: "0.13.7"
global:
# -- Set an override for the prefix of the fullname
nameOverride:
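Review bot: `manifests.enabled: true` as the library default means every chart that pulls in common renders the cluster-wide manifest hook unless it opts out; a default of `false`, or at least a comment stating what the hook installs and with which rights, would make that an explicit choice. `version` and `metalLBVersion` also lack the `# --` doc comments the neighbouring keys have. Something like `# -- Integer revision of the bundled manifests; raising it re-runs the manifest Job` and `# -- MetalLB release tag (without the leading v) fetched by the manifest Job` would help, since the template passes `version` through `int` before comparing and a non-numeric value would presumably not compare as intended.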


@@ -0,0 +1,84 @@
image:
repository: ghcr.io/truecharts/whoami
pullPolicy: IfNotPresent
tag: 1.8.7@sha256:8c61f0ca92fd806fcb4ed1465cb793c05443f37951554b105b0f2dc686a95772
service:
main:
ports:
main:
port: 8080
args:
- --port
- '8080'
manifests:
enabled: true
ingress:
main:
enabled: true
probes:
liveness:
enabled: true
readiness:
enabled: true
startup:
enabled: true
"ixCertificateAuthorities": {}
"ixCertificates":
"1":
"CA_type_existing": false
"CA_type_intermediate": false
"CA_type_internal": false
"CSR": ""
"DN": "/C=US/O=iXsystems/CN=localhost/emailAddress=info@ixsystems.com/ST=Tennessee/L=Maryville/subjectAltName=DNS:localhost"
"cert_type": "CERTIFICATE"
"cert_type_CSR": false
"cert_type_existing": true
"cert_type_internal": false
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDqjCCApKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMx\nEjAQBgNVBAoMCWlYc3lzdGVtczESMBAGA1UEAwwJbG9jYWxob3N0MSEwHwYJKoZI\nhvcNAQkBFhJpbmZvQGl4c3lzdGVtcy5jb20xEjAQBgNVBAgMCVRlbm5lc3NlZTES\nMBAGA1UEBwwJTWFyeXZpbGxlMB4XDTIwMDkyNTE0MDUzOFoXDTIyMTIyOTE0MDUz\nOFowgYAxCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlpWHN5c3RlbXMxEjAQBgNVBAMM\nCWxvY2FsaG9zdDEhMB8GCSqGSIb3DQEJARYSaW5mb0BpeHN5c3RlbXMuY29tMRIw\nEAYDVQQIDAlUZW5uZXNzZWUxEjAQBgNVBAcMCU1hcnl2aWxsZTCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALpoGliii6X8DeoFdLcR7jjsfJIn3nC8f1pT\nLQ3RURHUOEyhPT3Z6TkhaHeHoj8D6kiXROhyJJq3kw5OeqGZisfpGQhkxjpxkfh9\nfAhlvhuLwCWHaMvSh1TaT+h9+eHfcx3un5CIaH8b1KYRBMH+jmKFpr7jkPNkBXLS\nMA7jKIIa8pD9R6lF4gAsbqJafCbT3R7bqkd9xp3n3j2YhqQzETU2lmu4fra3BPio\nofK47kSkguUC6mtk6VrDf2+QtCKlY0dtbF3e2ZBNWo1aj86sjCtoEmqOCMsPRLc/\nXwQcfEqHY4XfafXwqk0G0UxV2ce18xKoR/pN3MpLBZ65NzPnpn0CAwEAAaMtMCsw\nFAYDVR0RBA0wC4IJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqG\nSIb3DQEBCwUAA4IBAQBFW1R037y7wllg/gRk9p2T1stiG8iIXosblmL4Ak1YToTQ\n/0to5GY2ZYW29+rbA4SDTS5eeu2YqZ0A/fF3wey7ggzMS7KyNBOvx5QBJRw3PJGn\n+THfhXvdfkOyeUC6KWRGLgl+/zBFvgh6vFDq3jmv0NI4ehVBTBMCJn7r6577S16T\nwtgKMCooizII0Odu5HIF10gTieFIH3PQYm9JBji9iyemb9Ht3wn7fXQptfGadz/l\nWz/Dv9+a6IOr7JVJMHnqAIvPzpkav4efuVPOX1zbhjg4K5g+nRYfjr5F5upOd0Y3\nznWTUBUyI7CXRkpHtSDXfEqKgnk/8uv7GWw+hyKr\n-----END CERTIFICATE-----\n"
"certificate_path": "/etc/certificates/freenas_default.crt"
"chain": false
"chain_list": [
"-----BEGIN CERTIFICATE-----\nMIIDqjCCApKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMx\nEjAQBgNVBAoMCWlYc3lzdGVtczESMBAGA1UEAwwJbG9jYWxob3N0MSEwHwYJKoZI\nhvcNAQkBFhJpbmZvQGl4c3lzdGVtcy5jb20xEjAQBgNVBAgMCVRlbm5lc3NlZTES\nMBAGA1UEBwwJTWFyeXZpbGxlMB4XDTIwMDkyNTE0MDUzOFoXDTIyMTIyOTE0MDUz\nOFowgYAxCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlpWHN5c3RlbXMxEjAQBgNVBAMM\nCWxvY2FsaG9zdDEhMB8GCSqGSIb3DQEJARYSaW5mb0BpeHN5c3RlbXMuY29tMRIw\nEAYDVQQIDAlUZW5uZXNzZWUxEjAQBgNVBAcMCU1hcnl2aWxsZTCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALpoGliii6X8DeoFdLcR7jjsfJIn3nC8f1pT\nLQ3RURHUOEyhPT3Z6TkhaHeHoj8D6kiXROhyJJq3kw5OeqGZisfpGQhkxjpxkfh9\nfAhlvhuLwCWHaMvSh1TaT+h9+eHfcx3un5CIaH8b1KYRBMH+jmKFpr7jkPNkBXLS\nMA7jKIIa8pD9R6lF4gAsbqJafCbT3R7bqkd9xp3n3j2YhqQzETU2lmu4fra3BPio\nofK47kSkguUC6mtk6VrDf2+QtCKlY0dtbF3e2ZBNWo1aj86sjCtoEmqOCMsPRLc/\nXwQcfEqHY4XfafXwqk0G0UxV2ce18xKoR/pN3MpLBZ65NzPnpn0CAwEAAaMtMCsw\nFAYDVR0RBA0wC4IJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqG\nSIb3DQEBCwUAA4IBAQBFW1R037y7wllg/gRk9p2T1stiG8iIXosblmL4Ak1YToTQ\n/0to5GY2ZYW29+rbA4SDTS5eeu2YqZ0A/fF3wey7ggzMS7KyNBOvx5QBJRw3PJGn\n+THfhXvdfkOyeUC6KWRGLgl+/zBFvgh6vFDq3jmv0NI4ehVBTBMCJn7r6577S16T\nwtgKMCooizII0Odu5HIF10gTieFIH3PQYm9JBji9iyemb9Ht3wn7fXQptfGadz/l\nWz/Dv9+a6IOr7JVJMHnqAIvPzpkav4efuVPOX1zbhjg4K5g+nRYfjr5F5upOd0Y3\nznWTUBUyI7CXRkpHtSDXfEqKgnk/8uv7GWw+hyKr\n-----END CERTIFICATE-----\n"
]
"city": "Maryville"
"common": "localhost"
"country": "US"
"csr_path": "/etc/certificates/freenas_default.csr"
"digest_algorithm": "SHA256"
"email": "info@ixsystems.com"
"extensions":
"ExtendedKeyUsage": "TLS Web Server Authentication"
"SubjectAltName": "DNS:localhost"
"fingerprint": "9C:5A:1D:1B:E7:9E:0B:89:2B:37:F4:19:83:ED:3C:6B:D8:14:0D:9B"
"from": "Fri Sep 25 16:05:38 2020"
"id": 1
"internal": "NO"
"issuer": "external"
"key_length": 2048
"key_type": "RSA"
"lifetime": 825
"name": "freenas_default"
"organization": "iXsystems"
"organizational_unit": ""
"parsed": true
"privatekey": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6aBpYooul/A3q\nBXS3Ee447HySJ95wvH9aUy0N0VER1DhMoT092ek5IWh3h6I/A+pIl0TociSat5MO\nTnqhmYrH6RkIZMY6cZH4fXwIZb4bi8Alh2jL0odU2k/offnh33Md7p+QiGh/G9Sm\nEQTB/o5ihaa+45DzZAVy0jAO4yiCGvKQ/UepReIALG6iWnwm090e26pHfcad5949\nmIakMxE1NpZruH62twT4qKHyuO5EpILlAuprZOlaw39vkLQipWNHbWxd3tmQTVqN\nWo/OrIwraBJqjgjLD0S3P18EHHxKh2OF32n18KpNBtFMVdnHtfMSqEf6TdzKSwWe\nuTcz56Z9AgMBAAECggEARwcb4uIs7BZbBu0FSCyg5TfXT6m5bKOmszg2VqmHho+i\n1DAsMcEyyP4d3E3mWLSZNQfOzfOQVxPUCQOGXsUuyHXdgAFGN0bHJDRMara59a0O\njj5GhEO4JXD6OdCmwpZuOt2OF3iiuKxWHuElOvZQMuJSYzI7LULTgKjufv23lbsf\nxMO/v9yi57c5EGgnQ8siLKOy/FQZapn4Z9qKn+lVyk5gfaKP0pDsvV4d7nGYMDD2\nYijfkSyNecApFdtWiLE5zLUlvF6oNj8o66z3YrVNKrCPzhA/5Rkkwwk32SNxvKU3\nVZFSNPeOZ60BicxYcWO+b2aAa0WF+uazJAZ4q52gUQKBgQDu88R+0wm76secYkzE\nQglteLNZKFcvth0kI5xH42Hmk9IXkGimFoDJCIrLAuopyGnfNmqmh2is3QUMUPdR\n/wDLnKc4MCezEidNoD2RBC+bzM1hB9oye/b5sOZUDFXSa0k4XSLu1UEuy1yWhkuS\n6JjY1KQfc4FN0K0Fjqqo7UCTCwKBgQDHtKQh/NvMJ2ok4YW+/QAsus4mEK9eCyUy\nOuyDszQYrGvjkS7STKJVNxGLhWb0XKSIAxMZ66b1MwOt+71h7xNn6pcancfVdK7F\n1Xl5J+76SwbXSgQwTZuoMDxPIvZn7v/2ep5Ni/BcOhMcPIcobWb/OmXrFN1brBvo\nlFNQyWWhlwKBgFDAyPMjVvLO0U6kWdUpjA4W8GV9IJnbLdX8wt/4lClcY2/bOcKH\ncFaAMIeTIJemR0FMHpbQxCtHNmGHK03mo9orwsdWXtRBmk69jJDpnT1F5VKZWMAe\n7MRNaEmXMZm+8CvALgIQx8qMp2mnUPsA6Ea+9gg6/MPTdeWe5UXZiC0pAoGAGtSt\nPJfBXBNrklruYjORo3DRo5GYThVHQRFjl2orNKltsVxfIwgCw1ortEgPBgOwY0mu\ndkwP2V+qPeTVk+PQAqUk+gF6yLXtiUzeDiYMWHpeB+y81VSH9jfM0oELA/m7T/03\naYnEmE+BI8kKC6dvMBlDeisKdneQJFZRP0hfrC8CgYEAgYIyCGwcydKpe2Nkj0Fz\nKTtCMC/k4DvJfd5Kb9AbmrPUfKgA9Xj4GT6yPG6uBMi8r5etvLCKJ2x2NtN024a8\nQJLATYPrSsaZkE+9zM0j5nYAgbKpxBhlDzDAzn//3ByVzfgJ25S80XhTI2lfbLH/\nU07ssxdZaQCo+WuD82OvNcg=\n-----END PRIVATE KEY-----\n"
"privatekey_path": "/etc/certificates/freenas_default.key"
"revoked": false
"revoked_date": ""
"root_path": "/etc/certificates"
"san": [
"DNS:localhost"
]
"serial": 1
"signedby": ""
"state": "Tennessee"
"subject_name_hash": 3193428416
"type": 8
"until": "Thu Dec 29 15:05:38 2022"
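Review bot: The `privatekey` field carries a complete RSA private key in clear text, and nothing in the file says whether it is a throwaway. From the neighbouring fields (`"common": "localhost"`, `"name": "freenas_default"`, validity ending in December 2022) it looks like a self-signed test fixture; a header comment such as `# Test-only self-signed localhost certificate and key; never deploy` would say so, and an allow-list entry in the secret scanner would keep it from masking real findings. Generating the pair during the test run would avoid committing key material at all. `manifests.enabled: true` at the top of this file also means these test values exercise the cluster-wide manifest Job, which is worth stating in the same comment.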


@@ -8,3 +8,6 @@ service:
ports:
main:
port: 8080
manifests:
enabled: false