Merge branch 'master' into mittwald#34/addCRDs

YannikBramkamp · Aug 30, 2021 · e7a0c58 · e7a0c58
2 parents 5ea7d4d + 5247276
commit e7a0c58
Show file tree

Hide file tree

Showing 11 changed files with 162 additions and 76 deletions.
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
@@ -131,5 +131,11 @@ jobs:
       - name: Push images
         run: docker push "$IMAGE_NAME:latest" && docker push "$IMAGE_NAME:${GITHUB_REF##*/}"
 
-      - name: Bump Chart Version
-        run: bash ./scripts/bump-app-version.sh publish "${GITHUB_REF##*/}" "${{ secrets.githubToken }}"
+      - name: Run chart version bump
+        uses: mittwald/bump-app-version-action@v1
+        with:
+          mode: 'publish'
+          chartYaml: './deploy/helm-chart/kubernetes-secret-generator/Chart.yaml'
+        env:
+          GITHUB_TOKEN: "${{ secrets.RELEASE_USER_TOKEN }}"
+          HELM_REPO_PASSWORD: "${{ secrets.HELM_REPO_PASSWORD }}"
diff --git a/Makefile b/Makefile
@@ -15,6 +15,14 @@ install: ## Install all resources (RBAC and Operator)
 	@echo ....... Applying Operator .......
 	kubectl apply -f deploy/operator.yaml -n ${NAMESPACE}
 
+.PHONY: installwithmonitoring
+installwithmonitoring: ## Install all resources (RBAC and Operator) with monitoring role
+	@echo ....... Applying Rules and Service Account .......
+	kubectl apply -f deploy/role_with_service_permissions.yaml -n ${NAMESPACE}
+	kubectl apply -f deploy/role_binding.yaml  -n ${NAMESPACE}
+	kubectl apply -f deploy/service_account.yaml  -n ${NAMESPACE}
+	@echo ....... Applying Operator .......
+	kubectl apply -f deploy/operator.yaml -n ${NAMESPACE}
 
 .PHONY: uninstall
 uninstall: ## Uninstall all that all performed in the $ make install
@@ -26,6 +34,16 @@ uninstall: ## Uninstall all that all performed in the $ make install
 	@echo ....... Deleting Operator .......
 	kubectl delete -f deploy/operator.yaml -n ${NAMESPACE}
 
+.PHONY: uninstallwithmonitoring
+uninstallwithmonitoring: ## Uninstall all that all performed in the $ make installwithmonitoring
+	@echo ....... Uninstalling .......
+	@echo ....... Deleting Rules and Service Account .......
+	kubectl delete -f deploy/role_with_service_permissions.yaml -n ${NAMESPACE}
+	kubectl delete -f deploy/role_binding.yaml -n ${NAMESPACE}
+	kubectl delete -f deploy/service_account.yaml -n ${NAMESPACE}
+	@echo ....... Deleting Operator .......
+	kubectl delete -f deploy/operator.yaml -n ${NAMESPACE}
+
 .PHONY: test
 test: crd
 	@echo go test

diff --git a/README.md b/README.md
@@ -19,6 +19,8 @@ You might want to take a look a the [values.yaml](deploy/helm-chart/kubernetes-s
 
 - `watchNamespace` defines, which namespaces should be watched for secret objects.
 
+- `useMetricsService` toggles whether the operator should provide a service for metrics monitoring by Prometheus. If this is set to true, the operator will start with additional permissions, namely `get` permissions for `replicasets` and `deployments` in the apiGroup `apps`, as well as `create` permissions for `services` and create the needed services during startup.
+
   To watch a single namespace, set it to the desired namespace name.
 Multiple namespaces are supported and can be set as a comma-separated list: `ns1,ns2`.
 

diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -67,6 +67,7 @@ func main() {
 	pflag.String("secret-length", "40", "Secret length")
 	pflag.Int("ssh-key-length", 2048, "Default length of SSH Keys")
 	pflag.String("secret-encoding", "base64", "Encoding for secrets")
+	pflag.Bool("use-metrics-service", false, "Whether or not to use metrics service")
 	pflag.Parse()
 
 	// Import flags into viper and bind them to env vars
@@ -186,8 +187,10 @@ func main() {
 		os.Exit(1)
 	}
 
-	// Add the Metrics Service
-	addMetrics(ctx, cfg)
+	if viper.GetBool("use-metrics-service") {
+		// Add the Metrics Service
+		addMetrics(ctx, cfg)
+	}
 
 	log.Info("Starting the Cmd.")
 

diff --git a/deploy/helm-chart/kubernetes-secret-generator/Chart.yaml b/deploy/helm-chart/kubernetes-secret-generator/Chart.yaml
@@ -4,6 +4,6 @@ description: Controller for automatically creating random secret values
 
 type: application
 
-version: 3.3.0
+version: 3.3.2
 
-appVersion: v3.3.0
+appVersion: v3.3.2
diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/deployment.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/deployment.yaml
@@ -9,6 +9,8 @@ spec:
   selector:
     matchLabels:
   {{- include "kubernetes-secret-generator.selectorLabels" . | nindent 6 }}
+  strategy:
+    type: {{ .Values.deploymentStrategy }}
   template:
     metadata:
       labels:
@@ -35,13 +37,13 @@ spec:
             httpGet:
               path: /healthz
               port: healthcheck
-            initialDelaySeconds: 3
+            initialDelaySeconds: 6
             periodSeconds: 3
           readinessProbe:
             httpGet:
               path: /readyz
               port: healthcheck
-            initialDelaySeconds: 3
+            initialDelaySeconds: 6
             periodSeconds: 3
           env:
             - name: WATCH_NAMESPACE
@@ -56,6 +58,8 @@ spec:
               value: {{ .Values.regenerateInsecure | quote }}
             - name: SECRET_LENGTH
               value: {{ .Values.secretLength | quote }}
+            - name: USE_METRICS_SERVICE
+              value: {{ .Values.useMetricsService | quote }}
           resources:
       {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/deploy/helm-chart/kubernetes-secret-generator/templates/role.yaml b/deploy/helm-chart/kubernetes-secret-generator/templates/role.yaml
@@ -1,4 +1,61 @@
 {{- if .Values.rbac.create -}}
+{{- if .Values.useMetricsService -}}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  labels:
+  {{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
+rules:
+  # leader election
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+  - apiGroups:
+      - "apps"
+    resources:
+      - deployments
+      - replicasets
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - delete
+      - get
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - "get"
+      - "create"
+  {{- if and .Values.rbac.create (not .Values.rbac.clusterRole) }}
+  # Permissions to access secrets in this namespace if no cluster role is created.
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+  {{- end -}}
+{{- else -}}
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -42,3 +99,4 @@ rules:
       - update
   {{- end -}}
 {{- end -}}
+{{- end -}}
diff --git a/deploy/helm-chart/kubernetes-secret-generator/values.yaml b/deploy/helm-chart/kubernetes-secret-generator/values.yaml
@@ -9,6 +9,7 @@ args: []
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
+deploymentStrategy: "Recreate"
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -55,6 +56,8 @@ secretLength: 40
 # Accessing secrets in namespaces other than the deployed one requires permissions via a cluster role (on by default)
 watchNamespace: ""
 
+useMetricsService: false
+
 # RBAC parameteres
 # https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 rbac:
@@ -64,3 +67,4 @@ rbac:
   # Set to false to restrict access to the deployed namespace only.
   # ClusterRole is deployed by Default
   clusterRole: true
+
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -27,13 +27,13 @@ spec:
             httpGet:
               path: /healthz
               port: healthcheck
-            initialDelaySeconds: 3
+            initialDelaySeconds: 6
             periodSeconds: 3
           readinessProbe:
             httpGet:
               path: /readyz
               port: healthcheck
-            initialDelaySeconds: 3
+            initialDelaySeconds: 6
             periodSeconds: 3
           env:
             - name: WATCH_NAMESPACE
@@ -50,3 +50,5 @@ spec:
               value: "true"
             - name: SECRET_LENGTH
               value: "40"
+            - name: USE_METRICS_SERVICE
+              value: "false"
diff --git a/deploy/role_with_service_permissions.yaml b/deploy/role_with_service_permissions.yaml
@@ -0,0 +1,55 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-secret-generator
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+  - apiGroups:
+      - "apps"
+    resources:
+      - deployments
+      - replicasets
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - delete
+      - get
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - "get"
+      - "create"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-secret-generator
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - update
diff --git a/scripts/bump-app-version.sh b/scripts/bump-app-version.sh