fix: updated helm chart (#77)

charts/redis-operator/templates/NOTES.txt

@@ -1,4 +1,16 @@
+
+{{- if not .Values.issuer.name }}
+1. If Issuer not specified, please run the following command to pass tls verify:
+
+CA_BUNDLE=$(kubectl get secret redis-operator-service-cert -n {{ .Release.Namespace }} -o jsonpath='{.data.ca\.crt}')
+kubectl patch validatingwebhookconfigurations vredis.middleware.alauda.io --type='json' -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'},{'op': 'replace', 'path': '/webhooks/1/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]"
+kubectl patch mutatingwebhookconfigurations mredis.middleware.alauda.io --type='json' -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'},{'op': 'replace', 'path': '/webhooks/1/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]"
+
+2. To deploy Redis instance, apply this template:
+
+{{- else }}
 1. To deploy Redis instance, apply this template:
+{{- end }}
 
 ---
 apiVersion: middleware.alauda.io/v1
@@ -11,13 +23,6 @@ spec:
     save: 60 10000 300 100 600 1
   exporter:
     enabled: true
-    resources:
-      limits:
-        cpu: 100m
-        memory: 384Mi
-      requests:
-        cpu: 50m
-        memory: 128Mi
   passwordSecret: redis-password
   persistent:
     storageClassName: sc-topolvm
@@ -34,32 +39,7 @@ spec:
       cpu: 300m
       memory: 300Mi
   sentinel:
-    affinity:
-      podAntiAffinity:
-        requiredDuringSchedulingIgnoredDuringExecution:
-        - labelSelector:
-            matchExpressions:
-            - key: app.kubernetes.io/component
-              operator: In
-              values:
-              - sentinel
-            - key: redissentinels.databases.spotahome.com/name
-              operator: In
-              values:
-              - redis-failover
-          topologyKey: kubernetes.io/hostname
-    monitorConfig:
-      down-after-milliseconds: "30000"
-      failover-timeout: "180000"
-      parallel-syncs: "1"
     replicas: 3
-    resources:
-      limits:
-        cpu: 100m
-        memory: 128Mi
-      requests:
-        cpu: 100m
-        memory: 128Mi
   version: "6.0"
 ---
 

charts/redis-operator/templates/certificate.yaml

@@ -0,0 +1,24 @@
+{{- if not .Values.issuer.name }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: redis-operator-selfsigned-issuer
+spec:
+  selfSigned: {}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: redis-operator-service-cert
+spec:
+  commonName: redis-operator-service.{{ .Release.Namespace }}
+  dnsNames:
+  - redis-operator-service.{{ .Release.Namespace }}
+  - redis-operator-service.{{ .Release.Namespace }}.svc
+  duration: 17520h0m0s
+  issuerRef:
+    kind: {{ .Values.issuer.name | default "Issuer" }}
+    name: {{ .Values.issuer.name | default "redis-operator-selfsigned-issuer" }}
+  renewBefore: 720h0m0s
+  secretName: redis-operator-service-cert

charts/redis-operator/templates/deployment.yaml

@@ -1,3 +1,6 @@
+{{- if not (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "certificates.cert-manager.io") }}
+{{- fail "The Certificate CRD (certificates.cert-manager.io) is not installed. Aborting installation." }}
+{{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -70,7 +73,7 @@ spec:
           - name: REDIS_TOOLS_IMAGE
             value: "{{ .Values.images.redisOperator.repository }}:{{ .Values.images.redisOperator.tag }}"
           - name: REDIS_OPERATOR_VERSION
-            value: "{{ .Values.redisOperator.version }}"
+            value: "{{ .Values.images.redisOperator.version }}"
           securityContext:
             {{- toYaml .Values.redisOperator.securityContext | nindent 12 }}
           image: "{{ .Values.images.redisOperator.repository }}:{{ .Values.images.redisOperator.tag }}"
@@ -110,6 +113,11 @@ spec:
             periodSeconds: 10
             successThreshold: 1
             timeoutSeconds: 30
+          volumeMounts:
+          - mountPath: /apiserver.local.config/certificates
+            name: apiservice-cert
+          - mountPath: /tmp/k8s-webhook-server/serving-certs
+            name: webhook-cert
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -146,3 +154,22 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- end }}
+      volumes:
+      - name: apiservice-cert
+        secret:
+          defaultMode: 420
+          items:
+          - key: tls.crt
+            path: apiserver.crt
+          - key: tls.key
+            path: apiserver.key
+          secretName: redis-operator-service-cert
+      - name: webhook-cert
+        secret:
+          defaultMode: 420
+          items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          secretName: redis-operator-service-cert

charts/redis-operator/templates/webhook.yaml

@@ -0,0 +1,108 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-operator-service
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    app.kubernetes.io/component: redis-operator
+  sessionAffinity: None
+  type: ClusterIP
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mredis.middleware.alauda.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: redis-operator-service
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-redis-middleware-alauda-io-v1-redisuser
+  failurePolicy: Fail
+  name: mredisuser.kb.io
+  rules:
+  - apiGroups:
+    - redis.middleware.alauda.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - redisusers
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: redis-operator-service
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-middleware-alauda-io-v1-redis
+  failurePolicy: Fail
+  name: mredis.kb.io
+  rules:
+  - apiGroups:
+    - middleware.alauda.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - redis
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: vredis.middleware.alauda.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: redis-operator-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-redis-middleware-alauda-io-v1-redisuser
+  failurePolicy: Fail
+  name: vredisuser.kb.io
+  rules:
+  - apiGroups:
+    - redis.middleware.alauda.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    - DELETE
+    resources:
+    - redisusers
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: redis-operator-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-middleware-alauda-io-v1-redis
+  failurePolicy: Fail
+  name: vredis.kb.io
+  rules:
+  - apiGroups:
+    - middleware.alauda.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    - DELETE
+    resources:
+    - redis
+  sideEffects: None

charts/redis-operator/values.yaml

@@ -15,7 +15,7 @@ images:
     repository: alaudaos/redis-operator
     tag: latest
     version: "3.18.0"
-    digest: "c6fffd56a8ac0411c9461891062070d1321a65f1cfa5172b1a50a9bc34a9d6a5"
+    digest: ""
   defaultRedis:
     repository: redis
     tag: 6.0
@@ -39,7 +39,7 @@ images:
 
 redisOperator:
   replicaCount: 1
-  imagePullPolicy: IfNotPresent
+  imagePullPolicy: Always
   resources:
     # We usually recommend not to specify default resources and to leave this as a conscious
     # choice for the user. This also increases chances charts run on environments with little
@@ -59,6 +59,10 @@ redisOperator:
     runAsUser: 65534
     runAsGroup: 65534
 
+issuer:
+  name: ""
+  kind: ClusterIssuer
+
 securityContext: {}
   # capabilities:
   #   drop: