Enable webhooks by default in chart (#313)

kubedb · Sep 30, 2018 · f3a1ebd · f3a1ebd
1 parent 7d7e249
commit f3a1ebd
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 58 deletions.
diff --git a/chart/kubedb/README.md b/chart/kubedb/README.md
@@ -49,7 +49,7 @@ The following table lists the configurable parameters of the KubeDB chart and th
 | `kubedb.registry`                   | Docker registry used to pull Kubedb operator image                 | `kubedb`           |
 | `kubedb.repository`                 | Kubedb operator container image                                    | `operator`         |
 | `kubedb.tag`                        | Kubedb operator container image tag                                | `0.9.0-beta.0`     |
-| `cleaner.registry`                  | Docker registry used to pull Webhook cleaner image                 | `appcode`          |
+| `cleaner.registry`                  | Docker registry used to pull Webhook cleaner image                 | `appscode`         |
 | `cleaner.repository`                | Webhook cleaner container image                                    | `kubectl`          |
 | `cleaner.tag`                       | Webhook cleaner container image tag                                | `v1.11`            |
 | `imagePullSecrets`                  | Specify image pull secrets                                         | `nil` (does not add image pull secrets to deployed pods) |
@@ -64,10 +64,10 @@ The following table lists the configurable parameters of the KubeDB chart and th
 | `serviceAccount.name`               | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | `` |
 | `apiserver.groupPriorityMinimum`    | The minimum priority the group should have.                        | 10000              |
 | `apiserver.versionPriority`         | The ordering of this API inside of the group.                      | 15                 |
-| `apiserver.enableValidatingWebhook` | Enable validating webhooks for KubeDB CRDs                         | false              |
-| `apiserver.enableMutatingWebhook`   | Enable mutating webhooks for KubeDB CRDs                           | false              |
-| `apiserver.ca`                      | CA certificate used by main Kubernetes api server                  | ``                 |
-| `apiserver.enableStatusSubresource` | If true, uses status sub resource for crds                         | `false`            |
+| `apiserver.enableValidatingWebhook` | Enable validating webhooks for KubeDB CRDs                         | `true`             |
+| `apiserver.enableMutatingWebhook`   | Enable mutating webhooks for KubeDB CRDs                           | `true`             |
+| `apiserver.ca`                      | CA certificate used by main Kubernetes api server                  | `not-ca-cert`      |
+| `apiserver.disableStatusSubresource` | If true, disables status sub resource for crds. Otherwise enables based on Kubernetes version | `false`            |
 | `enableAnalytics`                   | Send usage events to Google Analytics                              | `true`             |
 
 

diff --git a/chart/kubedb/templates/NOTES.txt b/chart/kubedb/templates/NOTES.txt
@@ -1,3 +1,5 @@
 To verify that KubeDB has started, run:
 
   kubectl --namespace={{ .Release.Namespace }} get deployments -l "release={{ .Release.Name }}, app={{ template "kubedb.name" . }}"
+
+If you have not installed appscode/kubedb-catalog chart, install it. If already installed, upgrade appscode/kubedb-catalog chart.
diff --git a/chart/kubedb/templates/cluster-role.yaml b/chart/kubedb/templates/cluster-role.yaml
@@ -14,14 +14,13 @@ rules:
   resources:
   - customresourcedefinitions
   verbs:
-  - '*'
+  - "*"
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
   - mutatingwebhookconfigurations
   - validatingwebhookconfigurations
-  verbs:
-  - delete
+  verbs: ["delete", "list", "watch", "patch"]
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
@@ -59,7 +58,7 @@ rules:
   - ""
   resources:
   - pods
-  verbs: ["deletecollection", "get", "list", "patch", "watch"]
+  verbs: ["*"]
 - apiGroups:
   - ""
   resources:
@@ -84,8 +83,8 @@ rules:
   - kubedb.com
   - catalog.kubedb.com
   resources:
-  - '*'
-  verbs: ['*']
+  - "*"
+  verbs: ["*"]
 - apiGroups:
   - monitoring.coreos.com
   resources:

diff --git a/chart/kubedb/templates/deployment.yaml b/chart/kubedb/templates/deployment.yaml
@@ -1,4 +1,7 @@
-apiVersion: apps/v1beta1
+# GKE returns Major:"1", Minor:"10+"
+{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }}
+{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }}
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "kubedb.fullname" . }}
@@ -46,7 +49,9 @@ spec:
         - --audit-log-path=-
         - --tls-cert-file=/var/serving-cert/tls.crt
         - --tls-private-key-file=/var/serving-cert/tls.key
-        - --enable-status-subresource={{ .Values.apiserver.enableStatusSubresource }}
+{{- if and (not .Values.apiserver.disableStatusSubresource) (ge $major 1) (ge $minor 11) }}
+        - --enable-status-subresource=true
+{{- end }}
         - --enable-analytics={{ .Values.enableAnalytics }}
         env:
         - name: OPERATOR_NAMESPACE

diff --git a/chart/kubedb/values.yaml b/chart/kubedb/values.yaml
@@ -9,7 +9,7 @@ kubedb:
   repository: operator
   tag: 0.9.0-beta.0
 cleaner:
-  registry: appcode
+  registry: appscode
   repository: kubectl
   tag: v1.11
 ## Optionally specify an array of imagePullSecrets.
@@ -66,13 +66,14 @@ apiserver:
   # for more information on proper values of this field
   versionPriority: 15
   # enableMutatingWebhook is used to configure mutating webhook for KubeDB CRDs
-  enableMutatingWebhook: false
+  enableMutatingWebhook: true
   # enableValidatingWebhook is used to configure validating webhook for KubeDB CRDs
-  enableValidatingWebhook: false
+  enableValidatingWebhook: true
   # CA certificate used by main Kubernetes api server
-  ca:
-  # If true, uses status sub resource for crds.
-  enableStatusSubresource: false
+  ca: not-ca-cert
+  # If true, disables status sub resource for crds.
+  # Otherwise, enables status sub resource for Kubernetes version >= 1.11 and disables for other versions.
+  disableStatusSubresource: false
 
 # Send usage events to Google Analytics
 enableAnalytics: true
diff --git a/docs/setup/install.md b/docs/setup/install.md
@@ -129,20 +129,8 @@ NAME                    CHART VERSION APP VERSION   DESCRIPTION
 appscode/kubedb         0.9.0-beta.0  0.9.0-beta.0  KubeDB by AppsCode - Production ready databases ...
 appscode/kubedb-catalog 0.9.0-beta.0  0.9.0-beta.0  KubeDB Catalog by AppsCode - Catalog for database versions
 
-# Step 1(a): Kubernetes 1.9.x - 1.10.x
 $ helm install appscode/kubedb --name kubedb-operator --version 0.9.0-beta.0 \
-  --namespace kube-system \
-  --set apiserver.ca="$(onessl get kube-ca)" \
-  --set apiserver.enableValidatingWebhook=true \
-  --set apiserver.enableMutatingWebhook=true
-
-# Step 1(b): Kubernetes 1.11.0 or later
-$ helm install appscode/kubedb --name kubedb-operator --version 0.9.0-beta.0 \
-  --namespace kube-system \
-  --set apiserver.ca="$(onessl get kube-ca)" \
-  --set apiserver.enableValidatingWebhook=true \
-  --set apiserver.enableMutatingWebhook=true \
-  --set apiserver.enableStatusSubresource=true
+  --namespace kube-system
 
 # Step 2: wait until crds are registered
 $ kubectl get crds -l app=kubedb -w
@@ -168,25 +156,6 @@ snapshots.kubedb.com               6s
 $ helm install appscode/kubedb-catalog --name kubedb-catalog
 ```
 
-To install `onessl`, run the following commands:
-
-```console
-# Mac OSX amd64:
-curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.7.0/onessl-darwin-amd64 \
-  && chmod +x onessl \
-  && sudo mv onessl /usr/local/bin/
-
-# Linux amd64:
-curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.7.0/onessl-linux-amd64 \
-  && chmod +x onessl \
-  && sudo mv onessl /usr/local/bin/
-
-# Linux arm64:
-curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.7.0/onessl-linux-arm64 \
-  && chmod +x onessl \
-  && sudo mv onessl /usr/local/bin/
-```
-
 To see the detailed configuration options, visit [here](https://github.com/kubedb/cli/tree/master/chart/kubedb).
 
 </div>

diff --git a/hack/deploy/rbac-list.yaml b/hack/deploy/rbac-list.yaml
@@ -10,7 +10,13 @@ rules:
   resources:
   - customresourcedefinitions
   verbs:
-  - '*'
+  - "*"
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs: ["delete", "list", "watch", "patch"]
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
@@ -48,8 +54,7 @@ rules:
   - ""
   resources:
   - pods
-  verbs:
-  - '*'
+  verbs: ["*"]
 - apiGroups:
   - ""
   resources:
@@ -74,15 +79,17 @@ rules:
   - kubedb.com
   - catalog.kubedb.com
   resources:
-  - '*'
-  verbs: ['*']
+  - "*"
+  verbs: ["*"]
 - apiGroups:
   - monitoring.coreos.com
   resources:
   - servicemonitors
   verbs: ["create", "delete", "get", "list", "update"]
-- apiGroups: [""]
-  resources: ["pods/exec"]
+- apiGroups:
+  - ""
+  resources:
+  - "pods/exec"
   verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1