diff --git a/charts/redis-operator/templates/NOTES.txt b/charts/redis-operator/templates/NOTES.txt
index ac7cbef..a2ad040 100644
--- a/charts/redis-operator/templates/NOTES.txt
+++ b/charts/redis-operator/templates/NOTES.txt
@@ -1,4 +1,16 @@
+
+{{- if not .Values.issuer.name }}
+1. If Issuer not specified, please run the following command to pass tls verify:
+
+CA_BUNDLE=$(kubectl get secret redis-operator-service-cert -n {{ .Release.Namespace }} -o jsonpath='{.data.ca\.crt}')
+kubectl patch validatingwebhookconfigurations vredis.middleware.alauda.io --type='json' -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'},{'op': 'replace', 'path': '/webhooks/1/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]"
+kubectl patch mutatingwebhookconfigurations mredis.middleware.alauda.io --type='json' -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'},{'op': 'replace', 'path': '/webhooks/1/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]"
+
+2. To deploy Redis instance, apply this template:
+
+{{- else }}
 1. To deploy Redis instance, apply this template:
+{{- end }}
 ---
 apiVersion: middleware.alauda.io/v1
@@ -11,13 +23,6 @@ spec:
 save: 60 10000 300 100 600 1
 exporter:
 enabled: true
- resources:
- limits:
- cpu: 100m
- memory: 384Mi
- requests:
- cpu: 50m
- memory: 128Mi
 passwordSecret: redis-password
 persistent:
 storageClassName: sc-topolvm
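Review bot: The caBundle patch is a one-shot manual step that is only given for the self-signed branch; the `{{- else }}` path prints no equivalent, so with an external issuer both webhook configurations in webhook.yaml are left with no caBundle at all while carrying `failurePolicy: Fail`. Even in the self-signed branch the patched bundle presumably goes stale when cert-manager renews the Certificate (certificate.yaml sets `renewBefore: 720h0m0s`), after which every Redis/RedisUser admission call fails TLS verification until someone re-runs these commands. Let cainjector maintain the bundle instead: under `metadata:` of both webhook configurations in webhook.yaml add `annotations:` / `cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/redis-operator-service-cert`, which also lets this manual step be dropped from the notes. The same gap applies to the webhook.yaml hunk; I do not repeat it there.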
@@ -34,32 +39,7 @@ spec:
 cpu: 300m
 memory: 300Mi
 sentinel:
- affinity:
- podAntiAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/component
- operator: In
- values:
- - sentinel
- - key: redissentinels.databases.spotahome.com/name
- operator: In
- values:
- - redis-failover
- topologyKey: kubernetes.io/hostname
- monitorConfig:
- down-after-milliseconds: "30000"
- failover-timeout: "180000"
- parallel-syncs: "1"
 replicas: 3
- resources:
- limits:
- cpu: 100m
- memory: 128Mi
- requests:
- cpu: 100m
- memory: 128Mi
 version: "6.0"
 ---
diff --git a/charts/redis-operator/templates/certificate.yaml b/charts/redis-operator/templates/certificate.yaml
new file mode 100644
index 0000000..bcb74bd
--- /dev/null
+++ b/charts/redis-operator/templates/certificate.yaml
@@ -0,0 +1,24 @@
+{{- if not .Values.issuer.name }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: redis-operator-selfsigned-issuer
+spec:
+ selfSigned: {}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: redis-operator-service-cert
+spec:
+ commonName: redis-operator-service.{{ .Release.Namespace }}
+ dnsNames:
+ - redis-operator-service.{{ .Release.Namespace }}
+ - redis-operator-service.{{ .Release.Namespace }}.svc
+ duration: 17520h0m0s
+ issuerRef:
+ kind: {{ .Values.issuer.name | default "Issuer" }}
+ name: {{ .Values.issuer.name | default "redis-operator-selfsigned-issuer" }}
+ renewBefore: 720h0m0s
+ secretName: redis-operator-service-cert
diff --git a/charts/redis-operator/templates/deployment.yaml b/charts/redis-operator/templates/deployment.yaml
index 0b2bbb3..183593b 100644
--- a/charts/redis-operator/templates/deployment.yaml
+++ b/charts/redis-operator/templates/deployment.yaml
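Review bot: In certificate.yaml `issuerRef.kind` is derived from `.Values.issuer.name`, so a user who sets `issuer.name: my-ca` renders `kind: my-ca`, which cert-manager cannot resolve as an issuer kind; the `issuer.kind: ClusterIssuer` value that values.yaml adds in this same commit is never read by any template. Make the kind follow the name instead: `kind: {{ if .Values.issuer.name }}{{ .Values.issuer.kind }}{{ else }}Issuer{{ end }}`. Both templated scalars under `issuerRef` should also be quoted (`name: "{{ ... }}"`) so an empty or boolean-looking expansion stays a string. The same mismatch applies to the `issuer:` hunk in values.yaml; I do not repeat it there.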
@@ -1,3 +1,6 @@
+{{- if not (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "certificates.cert-manager.io") }}
+{{- fail "The Certificate CRD (certificates.cert-manager.io) is not installed. Aborting installation." }}
+{{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -70,7 +73,7 @@ spec:
 - name: REDIS_TOOLS_IMAGE
 value: "{{ .Values.images.redisOperator.repository }}:{{ .Values.images.redisOperator.tag }}"
 - name: REDIS_OPERATOR_VERSION
- value: "{{ .Values.redisOperator.version }}"
+ value: "{{ .Values.images.redisOperator.version }}"
 securityContext:
 {{- toYaml .Values.redisOperator.securityContext | nindent 12 }}
 image: "{{ .Values.images.redisOperator.repository }}:{{ .Values.images.redisOperator.tag }}"
@@ -110,6 +113,11 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 30
+ volumeMounts:
+ - mountPath: /apiserver.local.config/certificates
+ name: apiservice-cert
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: webhook-cert
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -146,3 +154,22 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
+ volumes:
+ - name: apiservice-cert
+ secret:
+ defaultMode: 420
+ items:
+ - key: tls.crt
+ path: apiserver.crt
+ - key: tls.key
+ path: apiserver.key
+ secretName: redis-operator-service-cert
+ - name: webhook-cert
+ secret:
+ defaultMode: 420
+ items:
+ - key: tls.crt
+ path: tls.crt
+ - key: tls.key
+ path: tls.key
+ secretName: redis-operator-service-cert
diff --git a/charts/redis-operator/templates/webhook.yaml b/charts/redis-operator/templates/webhook.yaml
new file mode 100644
index 0000000..c9c2b0c
--- /dev/null
+++ b/charts/redis-operator/templates/webhook.yaml
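Review bot: The `lookup` guard at the top of deployment.yaml breaks `helm template` and client-side `--dry-run`: without API access `lookup` returns an empty map, so `not (lookup ...)` is true and `fail` aborts rendering even on clusters that do have cert-manager. Either gate the check behind an opt-out value (name illustrative, e.g. `{{- if and (not .Values.skipCertManagerCheck) (not (lookup ...)) }}`) or state in the chart README that offline rendering is unsupported and that server-side dry-run is required. A comment above the guard explaining why cert-manager is mandatory (the webhook serving certificate in certificate.yaml) would also help the next maintainer.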
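Review bot: Both new entries under `volumeMounts` expose the serving key without `readOnly: true`; nothing in this change writes under `/tmp/k8s-webhook-server/serving-certs` or `/apiserver.local.config/certificates`, and a read-only mount is the cheap guard against the process overwriting or replacing its own TLS material. Add `readOnly: true` beneath each `- mountPath:` entry. The container spec this belongs to starts before the hunk.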
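Review bot: `defaultMode: 420` (0644) on both secret volumes makes `tls.key` readable by every UID in the pod, while the operator appears to run as `runAsUser: 65534` (values.yaml context in this diff); `defaultMode: 288` (0440) with a matching `fsGroup`, or `defaultMode: 256` (0400) when the file is owned by the running UID, limits the key to the process that needs it. Whether the pod securityContext sets `fsGroup` is outside this hunk, so confirm before tightening, otherwise a root-owned 0400 file becomes unreadable to UID 65534. Both volumes project the same `redis-operator-service-cert` secret under different file names; if the operator only reads one of the two paths, the other mount is unnecessary exposure and should be dropped.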
@@ -0,0 +1,108 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis-operator-service
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ app.kubernetes.io/component: redis-operator
+ sessionAffinity: None
+ type: ClusterIP
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: mredis.middleware.alauda.io
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: redis-operator-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-redis-middleware-alauda-io-v1-redisuser
+ failurePolicy: Fail
+ name: mredisuser.kb.io
+ rules:
+ - apiGroups:
+ - redis.middleware.alauda.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - redisusers
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: redis-operator-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-middleware-alauda-io-v1-redis
+ failurePolicy: Fail
+ name: mredis.kb.io
+ rules:
+ - apiGroups:
+ - middleware.alauda.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - redis
+ sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: vredis.middleware.alauda.io
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: redis-operator-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-redis-middleware-alauda-io-v1-redisuser
+ failurePolicy: Fail
+ name: vredisuser.kb.io
+ rules:
+ - apiGroups:
+ - redis.middleware.alauda.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - redisusers
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: redis-operator-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-middleware-alauda-io-v1-redis
+ failurePolicy: Fail
+ name: vredis.kb.io
+ rules:
+ - apiGroups:
+ - middleware.alauda.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - redis
+ sideEffects: None
diff --git a/charts/redis-operator/values.yaml b/charts/redis-operator/values.yaml
index 04b2d96..319011a 100644
--- a/charts/redis-operator/values.yaml
+++ b/charts/redis-operator/values.yaml
@@ -15,7 +15,7 @@ images:
 repository: alaudaos/redis-operator
 tag: latest
 version: "3.18.0"
- digest: "c6fffd56a8ac0411c9461891062070d1321a65f1cfa5172b1a50a9bc34a9d6a5"
+ digest: ""
 defaultRedis:
 repository: redis
 tag: 6.0
@@ -39,7 +39,7 @@ images:
 redisOperator:
 replicaCount: 1
- imagePullPolicy: IfNotPresent
+ imagePullPolicy: Always
 resources:
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -59,6 +59,10 @@ redisOperator:
 runAsUser: 65534
 runAsGroup: 65534
+issuer:
+ name: ""
+ kind: ClusterIssuer
+
 securityContext: {}
 # capabilities:
 # drop:
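Review bot: The validating webhooks register `DELETE` with `failurePolicy: Fail`, so whenever the operator pod is unreachable (rollout, crash, or the missing caBundle noted on the NOTES.txt hunk) no Redis or RedisUser object can be deleted, which also wedges namespace teardown and makes the failure hard to recover from. If the DELETE validation is advisory rather than a hard invariant, move it to its own webhook entry with `failurePolicy: Ignore`, or document why a fail-closed delete is intended. Separately, the configurations are cluster-scoped with fixed names (`mredis.middleware.alauda.io`, `vredis.middleware.alauda.io`), so a second release in another namespace silently overwrites the first's `clientConfig.service.namespace`; prefixing with `{{ .Release.Name }}` avoids that. The Service selector `app.kubernetes.io/component: redis-operator` has to match the Deployment's pod labels, which are outside this diff.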
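Review bot: Blanking the pin to `digest: ""` while the image stays on `tag: latest` and, in the next hunk, `imagePullPolicy` moves to `Always` means every pod restart may pull a different image than the one reviewed, so the chart loses its only integrity anchor; the deployment.yaml context in this diff builds the image reference from repository and tag only, so confirm whether the digest is consumed anywhere before deciding it is harmless. If the old digest simply no longer matched the tag, update it rather than empty it, and add a comment above the key such as `# digest: sha256 of the operator image; empty disables pinning (not recommended for production)`. The same concern applies to the `imagePullPolicy` hunk; I do not repeat it there.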