Add upgrade controller to Helm install chart

Issue: [sc-14201]

Author: cbandy

helm/install/.gitattributes

@@ -0,0 +1,3 @@
+# https://github.com/github/linguist/issues/4905
+# https://github.com/github/linguist/issues/5092#issuecomment-730262298
+/templates/*.tpl linguist-language=handlebars

helm/install/.helmignore

@@ -0,0 +1 @@
+.git*

helm/install/Chart.yaml

@@ -3,5 +3,5 @@ name: pgo
 description: Installer for PGO, the open source Postgres Operator from Crunchy Data
 
 type: application
-version: 0.2.5
+version: 0.3.0
 appVersion: 5.1.0

helm/install/crds/postgres-operator.crunchydata.com_pgupgrades.yaml

@@ -8,31 +8,26 @@ Create chart name and version as used by the chart label.
 {{/*
 Crunchy labels
 */}}
-{{- define "install.crunchyLabels" -}}
+{{- define "install.clusterLabels" -}}
 postgres-operator.crunchydata.com/control-plane: {{ .Chart.Name }}
 {{- end }}
+{{- define "install.upgradeLabels" -}}
+postgres-operator.crunchydata.com/control-plane: {{ .Chart.Name }}-upgrade
+{{- end }}
 
 {{/*
 Common labels
 */}}
 {{- define "install.labels" -}}
 helm.sh/chart: {{ include "install.chart" . }}
-{{ include "install.selectorLabels" . }}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
-{{/*
-Selector labels
-*/}}
-{{- define "install.selectorLabels" -}}
-app.kubernetes.io/name: {{ .Chart.Name }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{ include "install.crunchyLabels" .}}
-{{- end }}
-
 {{/*
 Create the name of the service account to use
 */}}
@@ -77,3 +72,23 @@ Role
 ClusterRole
 {{- end }}
 {{- end }}
+
+{{- define "install.imagePullSecrets" -}}
+{{/* Earlier versions required the full structure of PodSpec.ImagePullSecrets */}}
+{{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets }}
+{{- else if .Values.imagePullSecretNames }}
+imagePullSecrets:
+{{- range .Values.imagePullSecretNames }}
+- name: {{ . | quote }}
+{{- end }}{{/* range */}}
+{{- end }}{{/* if */}}
+{{- end }}{{/* define */}}
+
+{{- define "install.relatedImages" -}}
+{{- range $id, $object := .Values.relatedImages }}
+- name: RELATED_IMAGE_{{ $id | upper }}
+  value: {{ $object.image | quote }}
+{{- end }}
+{{- end }}

helm/install/templates/_helpers.tpl

@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Chart.Name }}-upgrade
+  labels:
+    {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.upgradeLabels" . | nindent 4 }}
+spec:
+  replicas: 1
+  strategy: { type: Recreate }
+  selector:
+    matchLabels:
+      {{- include "install.upgradeLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "install.upgradeLabels" . | nindent 8 }}
+    spec:
+      {{- include "install.imagePullSecrets" . | indent 6 }}
+      serviceAccountName: {{ include "install.serviceAccountName" . }}-upgrade
+      containers:
+      - name: operator
+        image: {{ required ".Values.controllerImages.upgrade is required" .Values.controllerImages.upgrade | quote }}
+        env:
+        - name: CRUNCHY_DEBUG
+          value: {{ .Values.debug | ne false | quote }}
+        {{- if .Values.singleNamespace }}
+        - name: PGO_TARGET_NAMESPACE
+          valueFrom: { fieldRef: { apiVersion: v1, fieldPath: metadata.namespace } }
+        {{- end }}
+        {{- if .Values.workers }}
+        - name: PGO_WORKERS
+          value: {{ .Values.workers | quote }}
+        {{- end }}
+        {{- include "install.relatedImages" . | indent 8 }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true

helm/install/templates/manager-upgrade.yaml

@@ -1,34 +1,32 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ .Chart.Name }}
   labels:
     {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.clusterLabels" . | nindent 4 }}
 spec:
   replicas: 1
   strategy: { type: Recreate }
   selector:
     matchLabels:
-      {{- include "install.crunchyLabels" . | nindent 6 }}
+      {{- include "install.clusterLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
-        {{- include "install.crunchyLabels" . | nindent 8 }}
+        {{- include "install.clusterLabels" . | nindent 8 }}
     spec:
+      {{- include "install.imagePullSecrets" . | indent 6 }}
+      serviceAccountName: {{ include "install.serviceAccountName" . }}
       containers:
       - name: operator
         image: {{ required ".Values.controllerImages.cluster is required" .Values.controllerImages.cluster | quote }}
         env:
-        - name: PGO_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
         - name: CRUNCHY_DEBUG
-          value: {{ if eq .Values.debug false  }}"false"{{- else }}"true"{{- end }}
-        {{- range  $image_name, $image_val := .Values.relatedImages }}
-        - name: RELATED_IMAGE_{{ $image_name | upper }}
-          value: "{{ $image_val.image }}"
-        {{- end }}
+          value: {{ .Values.debug | ne false | quote }}
+        - name: PGO_NAMESPACE
+          valueFrom: { fieldRef: { apiVersion: v1, fieldPath: metadata.namespace } }
         {{- if .Values.singleNamespace }}
         - name: PGO_TARGET_NAMESPACE
           valueFrom: { fieldRef: { apiVersion: v1, fieldPath: metadata.namespace } }
@@ -37,12 +35,12 @@ spec:
         - name: PGO_WORKERS
           value: {{ .Values.workers | quote }}
         {{- end }}
-        {{- if (default false .Values.disable_check_for_upgrades) }}
+        {{- include "install.relatedImages" . | indent 8 }}
+        {{- if .Values.disable_check_for_upgrades }}
         - name: CHECK_FOR_UPGRADES
           value: "false"
         {{- end }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
-      serviceAccount: {{ include "install.serviceAccountName" . }}

helm/install/templates/manager.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ include "install.roleKind" . }}
+metadata:
+  name: {{ include "install.roleName" . }}-upgrade
+  labels:
+    {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.upgradeLabels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades/finalizers
+  verbs:
+  - patch
+  - update
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades/status
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters/status
+  verbs:
+  - patch

helm/install/templates/role-upgrade.yaml

@@ -1,9 +1,11 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: {{ include "install.roleKind" . }}
 metadata:
   name: {{ include "install.roleName" . }}
   labels:
     {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.clusterLabels" . | nindent 4 }}
 rules:
 - apiGroups:
   - ''

helm/install/templates/role.yaml

@@ -1,9 +1,11 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: {{ include "install.roleBindingKind" . }}
 metadata:
   name: {{ include "install.roleBindingName" . }}
   labels:
     {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.clusterLabels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: {{ include "install.roleKind" . }}
@@ -12,3 +14,19 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "install.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ include "install.roleBindingKind" . }}
+metadata:
+  name: {{ include "install.roleBindingName" . }}-upgrade
+  labels:
+    {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.upgradeLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ include "install.roleKind" . }}
+  name: {{ include "install.roleName" . }}-upgrade
+subjects:
+- kind: ServiceAccount
+  name: {{ include "install.serviceAccountName" . }}-upgrade
+  namespace: {{ .Release.Namespace }}

helm/install/templates/role_binding.yaml

@@ -1,6 +1,16 @@
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "install.serviceAccountName" . }}
   labels:
     {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.clusterLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "install.serviceAccountName" . }}-upgrade
+  labels:
+    {{- include "install.labels" . | nindent 4 }}
+    {{- include "install.upgradeLabels" . | nindent 4 }}

helm/install/templates/service_account.yaml

@@ -1,9 +1,9 @@
----
-# controllerImages are used to run the PostgresCluster controller.
+# controllerImages are used to run the PostgresCluster and PGUpgrade controllers.
 controllerImages:
   cluster: registry.developers.crunchydata.com/crunchydata/postgres-operator:ubi8-5.1.0-0
+  upgrade: registry.developers.crunchydata.com/crunchydata/postgres-operator-upgrade:ubi8-5.1.0-0
 
-# relatedImages are used when an image is omitted from the PostgresCluster spec.
+# relatedImages are used when an image is omitted from PostgresCluster or PGUpgrade specs.
 relatedImages:
   postgres_14:
     image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.2-1
@@ -21,12 +21,17 @@ relatedImages:
     image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.16-2
   pgexporter:
     image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.1.0-0
+  pgupgrade:
+    image: registry.developers.crunchydata.com/crunchydata/crunchy-upgrade:ubi8-5.1.0-0
 
 # singleNamespace controls where PGO watches for PostgresClusters. When false,
 # PGO watches for and responds to PostgresClusters in all namespaces. When true,
 # PGO watches only the namespace in which it is installed.
 singleNamespace: false
 
 # debug allows you to enable or disable the "debug" level of logging.
-# Defaults to the value below.
 debug: true
+
+# imagePullSecretNames is a list of secret names to use for pulling controller images.
+# More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
+imagePullSecretNames: []