From a00a07bdb039309b5d07301e85f03498547dd82d Mon Sep 17 00:00:00 2001
From: jrkeen
Date: Thu, 30 Sep 2021 09:28:51 +0800
Subject: [PATCH] chart support multi version conversion
Signed-off-by: jrkeen
---
...tch_webhook_in_clusterresourcebindings.tpl | 21 ++++
.../_patch_webhook_in_resourcebindings.tpl | 21 ++++
charts/templates/post-install-job.yaml | 70 +++++++++--
charts/templates/pre-install-job.yaml | 118 +++++++++++------
4 files changed, 175 insertions(+), 55 deletions(-)
create mode 100644 charts/templates/_patch_webhook_in_clusterresourcebindings.tpl
create mode 100644 charts/templates/_patch_webhook_in_resourcebindings.tpl
diff --git a/charts/templates/_patch_webhook_in_clusterresourcebindings.tpl b/charts/templates/_patch_webhook_in_clusterresourcebindings.tpl
new file mode 100644
index 000000000000..52b6e068f8e1
--- /dev/null
+++ b/charts/templates/_patch_webhook_in_clusterresourcebindings.tpl
@@ -0,0 +1,21 @@
+{{- define "karmada.crd.patch.webhook.clusterresourcebinding" -}}
+{{ $name := include "karmada.name" .}}
+{{ $namespace := include "karmada.namespace" .}}
+---
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterresourcebindings.work.karmada.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ url: https://{{ $name }}-webhook.{{ $namespace }}.svc:443/convert
+ {{- include "karmada.webhook.caBundle" . | nindent 8 }}
+ # TODO(RainbowMango): After we update controller-runtime to v0.10+, then we can remove `v1beta1`
+ conversionReviewVersions: ["v1beta1", "v1"]
+---
+{{- end -}}
diff --git a/charts/templates/_patch_webhook_in_resourcebindings.tpl b/charts/templates/_patch_webhook_in_resourcebindings.tpl
new file mode 100644
index 000000000000..31801b5a9616
--- /dev/null
+++ b/charts/templates/_patch_webhook_in_resourcebindings.tpl
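Review bot: The `clientConfig.url` host in this new template, `{{ $name }}-webhook.{{ $namespace }}.svc`, has to be covered by the SANs of the webhook's serving certificate, otherwise the API server's TLS verification against the `caBundle` fails on every conversion call, and nothing in the template records that dependency. In auto mode the SANs appear to come from `.Values.certs.auto.hosts` (used in the pre-install job's cfssl request), so I would add a comment above the `url:` line such as `# host must be present in the webhook serving cert SANs (certs.auto.hosts in auto mode)`. The second new file, `_patch_webhook_in_resourcebindings.tpl`, is identical apart from `metadata.name`, so the same comment applies there. A single define that takes the CRD name would keep the two TLS settings from drifting apart.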
@@ -0,0 +1,21 @@
+{{- define "karmada.crd.patch.webhook.resourcebinding" -}}
+{{ $name := include "karmada.name" .}}
+{{ $namespace := include "karmada.namespace" .}}
+---
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: resourcebindings.work.karmada.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ url: https://{{ $name }}-webhook.{{ $namespace }}.svc:443/convert
+ {{- include "karmada.webhook.caBundle" . | nindent 8 }}
+ # TODO(RainbowMango): After we update controller-runtime to v0.10+, then we can remove `v1beta1`
+ conversionReviewVersions: ["v1beta1", "v1"]
+---
+{{- end -}}
diff --git a/charts/templates/post-install-job.yaml b/charts/templates/post-install-job.yaml
index ba4004ac9a5f..692c090cbc01 100644
--- a/charts/templates/post-install-job.yaml
+++ b/charts/templates/post-install-job.yaml
@@ -1,28 +1,59 @@ {{- $name := include "karmada.name" . -}} - +{{- $namespace := include "karmada.namespace" . -}} {{- if eq .Values.installMode "host" }} {{- if eq .Values.certs.mode "custom" }} apiVersion: v1 kind: ConfigMap metadata: - name: {{ $name }}-crds - namespace: {{ include "karmada.namespace" . }} + name: {{ $name }}-static-resources + namespace: {{ $namespace }} data: {{- print "webhook-configuration.yaml: " | nindent 2 }} |- {{- include "karmada.webhook.configuration" . | nindent 4 }} {{- print "system-namespace.yaml: " | nindent 2 }} |- {{- include "karmada.systemNamespace" . | nindent 4 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $name }}-crds + namespace: {{ $namespace }} +data: + {{ range $path, $bytes := .Files.Glob (printf "_crds/**")}} + {{ $name := base $path }} + {{- (printf "%s: " $name) | nindent 2 }} |- + {{- $.Files.Get $path | nindent 4 }} + {{ end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $name }}-crds-bases + namespace: {{ $namespace }} +data: {{ range $path, $bytes := .Files.Glob (printf "_crds/bases/**")}} {{ $name := base $path }} {{- (printf "%s: " $name) | nindent 2 }} |- {{- $.Files.Get $path | nindent 4 }} {{ end }} --- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $name }}-crds-patches + namespace: {{ $namespace }} +data: + {{- print "webhook_in_clusterresourcebindings.yaml: " | nindent 2 }} |- + {{- include "karmada.crd.patch.webhook.clusterresourcebinding" . | nindent 4 }} + {{- print "webhook_in_resourcebindings.yaml: " | nindent 2 }} |- + {{- include "karmada.crd.patch.webhook.resourcebinding" . | nindent 4 }} +--- {{- end }} apiVersion: batch/v1 kind: Job metadata: - name: "{{ $name }}-install-crds" + name: "{{ $name }}-post-install" + namespace: {{ $namespace }} labels: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ $name | quote }} 
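Review bot: The `range` over `.Files.Glob (printf "_crds/**")` that fills the new `{{ $name }}-crds` ConfigMap probably matches more than intended, because in Helm's glob syntax `**` also crosses `/`, so every file under `_crds/bases/` would be copied into this map again under its basename in addition to the separate `-crds-bases` map. That roughly doubles the payload towards the ConfigMap size limit, and files with the same basename in different subdirectories would collide as keys. If only the top-level kustomization file is meant here, `.Files.Glob "_crds/*"` expresses that; the layout of `_crds/` is not visible in this diff, so please confirm. The same `range` is added under `crds-configmaps.yaml` in pre-install-job.yaml, and in both places the inner `{{ $name := base $path }}` shadows the outer `$name`, which a name like `$file` would avoid.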
@@ -47,22 +78,39 @@ spec: spec: restartPolicy: Never containers: - - name: post-install-job + - name: post-install image: bitnami/kubectl:latest command: - - "kubectl" - - "apply" - - "-f" - - "/crds" - - "--kubeconfig" - - "/etc/kubeconfig" + - /bin/sh + - -c + - | + bash <<'EOF' + set -ex + kubectl kustomize /crds | kubectl apply --kubeconfig /etc/kubeconfig -f - + kubectl apply -f /static-resources --kubeconfig /etc/kubeconfig + EOF volumeMounts: + - name: {{ $name }}-crds-bases + mountPath: /crds/bases + - name: {{ $name }}-crds-patches + mountPath: /crds/patches - name: {{ $name }}-crds mountPath: /crds + - name: {{ $name }}-static-resources + mountPath: /static-resources {{ include "karmada.kubeconfig.volumeMount" . | nindent 10 }} volumes: + - name: {{ $name }}-crds-bases + configMap: + name: {{ $name }}-crds-bases + - name: {{ $name }}-crds-patches + configMap: + name: {{ $name }}-crds-patches - name: {{ $name }}-crds configMap: name: {{ $name }}-crds + - name: {{ $name }}-static-resources + configMap: + name: {{ $name }}-static-resources {{ include "karmada.kubeconfig.volume" . | nindent 8 }} {{- end }} diff --git a/charts/templates/pre-install-job.yaml b/charts/templates/pre-install-job.yaml index 5a63b97821c6..9f58a475d75b 100644 --- a/charts/templates/pre-install-job.yaml +++ b/charts/templates/pre-install-job.yaml 
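Review bot: In the new inline script, `kubectl kustomize /crds | kubectl apply --kubeconfig /etc/kubeconfig -f -` runs under `set -ex` only, so a failure of `kubectl kustomize` does not decide the pipeline's exit status and whatever reached stdout is still applied; `set -exo pipefail` as the first script line closes that gap. The script now also relies on `bash` and a kustomize-capable `kubectl` being present in `bitnami/kubectl:latest` (the `image:` line is unchanged context). With a floating tag, the contents of a container that is handed the Karmada kubeconfig can change between installs, so pinning a version tag or digest, e.g. `image: bitnami/kubectl:<pinned-version>`, would make the job reproducible. The Job spec starts above this hunk.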
@@ -10,36 +10,6 @@ metadata: "helm.sh/hook": pre-install "helm.sh/hook-weight": "2" data: - install.sh: |- - #!/bin/bash - set -ex - function join() { - local IFS=$1 - shift - echo "$*" - } - kubectl apply -f $(join ',' /opt/configs/*.yaml) - generator.sh: |- - #!/bin/bash - set -ex - mkdir -p /opt/configs - mkdir -p /opt/certs - cp -r -L /opt/mount/* /opt/configs/ - openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "/opt/certs/server-ca.key" -out "/opt/certs/server-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/" - echo '{"signing":{"default":{"expiry":{{ printf `"%s"` .Values.certs.auto.expiry }},"usages":["signing","key encipherment","client auth","server auth"]}}}' > "/opt/certs/server-ca-config.json" - echo '{"CN":"system:admin","hosts":{{ toJson .Values.certs.auto.hosts }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=/opt/certs/server-ca.crt -ca-key=/opt/certs/server-ca.key -config=/opt/certs/server-ca-config.json - | cfssljson -bare /opt/certs/karmada - karmada_ca=$(base64 /opt/certs/server-ca.crt | tr -d '\r\n') - karmada_crt=$(base64 /opt/certs/karmada.pem | tr -d '\r\n') - karmada_key=$(base64 /opt/certs/karmada-key.pem | tr -d '\r\n') - sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/cert.yaml - sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/cert.yaml - sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/cert.yaml - sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/kubeconfig.yaml - sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/kubeconfig.yaml - sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/kubeconfig.yaml - sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/webhook-cert.yaml - sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/webhook-cert.yaml - sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" 
/opt/configs/crds-configmap.yaml cert.yaml: |- apiVersion: v1 kind: Secret @@ -59,7 +29,7 @@ data: kind: Secret metadata: name: {{ $name }}-webhook-cert - namespace: {{ include "karmada.namespace" . }} + namespace: {{ $namespace }} type: kubernetes.io/tls data: tls.crt: |- @@ -71,7 +41,7 @@ data: kind: Secret metadata: name: {{ $name }}-kubeconfig - namespace: {{ include "karmada.namespace" . }} + namespace: {{ $namespace }} stringData: kubeconfig: |- apiVersion: v1 @@ -80,7 +50,7 @@ data: - cluster: certificate-authority-data: {{ print "{{ ca_crt }}" }} insecure-skip-tls-verify: false - server: https://{{ $name }}-apiserver.{{ include "karmada.namespace" . }}.svc.{{ .Values.clusterDomain }}:5443 + server: https://{{ $name }}-apiserver.{{ $namespace }}.svc.{{ .Values.clusterDomain }}:5443 name: {{ $name }}-apiserver users: - user: 
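Review bot: The three small hunks here (at new lines 29, 41 and 50) switch to `{{ $namespace }}`, but no hunk for pre-install-job.yaml adds a definition of that variable. The first hunk for this file starts at line 10, and the `{{- $namespace := include "karmada.namespace" . -}}` line is only added to post-install-job.yaml. If lines 1–9 do not already define it, rendering the chart fails with an undefined-variable error, so please confirm or add that same line next to the `$name` definition at the top of the file. The top of the file is outside this diff, so this is a check to make rather than a confirmed defect.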
@@ -93,28 +63,59 @@ data: user: {{ $name }}-apiserver name: {{ $name }}-apiserver current-context: {{ $name }}-apiserver - crds-configmap.yaml: |- + static-resources-configmaps.yaml: |- apiVersion: v1 kind: ConfigMap metadata: - name: {{ $name }}-crds - namespace: {{ include "karmada.namespace" . }} + name: {{ $name }}-static-resources + namespace: {{ $namespace }} data: {{- print "webhook-configuration.yaml: " | nindent 6 }} |- {{- include "karmada.webhook.configuration" . | nindent 8 }} {{- print "system-namespace.yaml: " | nindent 6 }} |- {{- include "karmada.systemNamespace" . | nindent 8 }} + crds-configmaps.yaml: |- + apiVersion: v1 + kind: ConfigMap + metadata: + name: {{ $name }}-crds + namespace: {{ $namespace }} + data: + {{ range $path, $bytes := .Files.Glob (printf "_crds/**")}} + {{ $name := base $path }} + {{- (printf "%s: " $name) | nindent 6 }} |- + {{- $.Files.Get $path | nindent 8 }} + {{ end }} + crds-bases-configmaps.yaml: |- + apiVersion: v1 + kind: ConfigMap + metadata: + name: {{ $name }}-crds-bases + namespace: {{ $namespace }} + data: {{ range $path, $bytes := .Files.Glob (printf "_crds/bases/**")}} {{ $name := base $path }} {{- (printf "%s: " $name) | nindent 6 }} |- {{- $.Files.Get $path | nindent 8 }} {{ end }} + crds-patches-configmaps.yaml: |- + apiVersion: v1 + kind: ConfigMap + metadata: + name: {{ $name }}-crds-patches + namespace: {{ $namespace }} + data: + {{- print "webhook_in_clusterresourcebindings.yaml: " | nindent 6 }} |- + {{- include "karmada.crd.patch.webhook.clusterresourcebinding" . | nindent 8 }} + {{- print "webhook_in_resourcebindings.yaml: " | nindent 6 }} |- + {{- include "karmada.crd.patch.webhook.resourcebinding" . | nindent 8 }} --- apiVersion: batch/v1 kind: Job metadata: - name: "{{ $name }}-config-generator" + name: "{{ $name }}-pre-install" + namespace: {{ $namespace }} annotations: # This is what defines this resource as a hook. Without this line, the # job is considered part of the release. 
@@ -135,22 +136,52 @@ spec: serviceAccountName: {{ $name }}-pre-job restartPolicy: Never initContainers: - - name: generator + - name: init image: cfssl/cfssl workingDir: /opt/mount command: - - "./generator.sh" + - /bin/sh + - -c + - | + bash <<'EOF' + set -ex + mkdir -p /opt/configs + mkdir -p /opt/certs + cp -r -L /opt/mount/* /opt/configs/ + openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "/opt/certs/server-ca.key" -out "/opt/certs/server-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/" + echo '{"signing":{"default":{"expiry":{{ printf `"%s"` .Values.certs.auto.expiry }},"usages":["signing","key encipherment","client auth","server auth"]}}}' > "/opt/certs/server-ca-config.json" + echo '{"CN":"system:admin","hosts":{{ toJson .Values.certs.auto.hosts }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=/opt/certs/server-ca.crt -ca-key=/opt/certs/server-ca.key -config=/opt/certs/server-ca-config.json - | cfssljson -bare /opt/certs/karmada + karmada_ca=$(base64 /opt/certs/server-ca.crt | tr -d '\r\n') + karmada_crt=$(base64 /opt/certs/karmada.pem | tr -d '\r\n') + karmada_key=$(base64 /opt/certs/karmada-key.pem | tr -d '\r\n') + sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/cert.yaml + sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/cert.yaml + sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/cert.yaml + sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/kubeconfig.yaml + sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/kubeconfig.yaml + sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/kubeconfig.yaml + sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/webhook-cert.yaml + sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/webhook-cert.yaml + sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" 
/opt/configs/static-resources-configmaps.yaml + sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/crds-patches-configmaps.yaml + EOF volumeMounts: - name: mount mountPath: /opt/mount - name: configs mountPath: /opt/configs containers: - - name: pre-install-job + - name: pre-install image: bitnami/kubectl:latest workingDir: /opt/mount command: - - "./install.sh" + - /bin/sh + - -c + - | + bash <<'EOF' + set -ex + kubectl apply -f /opt/configs/ + EOF volumeMounts: - name: mount mountPath: /opt/mount @@ -160,7 +191,6 @@ spec: - name: mount configMap: name: {{ $name }}-config - defaultMode: 0777 - name: configs emptyDir: {} @@ -169,10 +199,10 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ $name }}-pre-job + namespace: {{ $namespace }} annotations: "helm.sh/hook": pre-install "helm.sh/hook-weight": "1" - namespace: {{ include "karmada.namespace" . }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -202,6 +232,6 @@ roleRef: subjects: - kind: ServiceAccount name: {{ $name }}-pre-job - namespace: {{ include "karmada.namespace" . }} + namespace: {{ $namespace }} --- {{- end }}
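Review bot: The init container script in the hunk at new line 136 runs under `set -ex`, so the `karmada_key=$(...)` assignment and every `sed` line are traced to the pod log after expansion, including the base64 of `/opt/certs/karmada-key.pem`. That key belongs to the certificate requested with `"CN":"system:admin"` and `"O":"system:masters"` and is substituted into both `kubeconfig.yaml` and `webhook-cert.yaml`, so anyone who can read this Job's logs obtains an admin client credential. Use `set -e` for this script, or put `set +x` before the `karmada_ca=$(...)` line so the key material is never echoed. The script was moved from the deleted `generator.sh`, so the tracing predates this commit, but it now sits directly in the Job spec and is worth fixing here; the Job spec continues outside the hunk.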