Merge pull request #237 from alexandrevilain/release/v0.10.0

Release v0.10.0

CHANGELOG.md

@@ -2,6 +2,19 @@
 
 All notable changes to this project are documented in this file.
 
+## 0.10.0
+
+**Release date:** 2023-01-07
+
+⚠️ This is a **breaking 💣** release. The release now requires cert-manager to run.
+
+Improvements:
+- Add mutating and validating admission webhooks [#229](https://github.com/alexandrevilain/temporal-operator/pull/229)
+- Add support for mTLS enabled clusters in WorkerProcess [#223](https://github.com/alexandrevilain/temporal-operator/pull/223)
+
+Updates:
+- Updated ClusterServiceVersion for Operatorhub release v0.9.1 [#231](https://github.com/alexandrevilain/temporal-operator/pull/231)
+
 ## 0.9.1
 
 **Release date:** 2022-12-24

README.md

@@ -28,7 +28,7 @@ First install cert-manager on your cluster. The operator comes with admissions w
 ```
 kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.1/cert-manager.yaml
 ```
-(You can use the installation method you want, see the [cert-manager's documentation](https://cert-manager.io/docs/installation/))
+(You can use the installation method you want, see the [cert-manager's documentation](https://cert-manager.io/docs/installation/)). Note that you can use your own certificates if you don't want cert-manager on your cluster.
 
 Then install Temporal Operator's CRDs and the operator itself on your cluster:
 

VERSION

@@ -1 +1 @@
-0.9.1
+0.10.0

bundle/manifests/temporal-operator-webhook-service_v1_service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/created-by: temporal-operator
+    app.kubernetes.io/instance: webhook-service
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: service
+    app.kubernetes.io/part-of: temporal-operator
+  name: temporal-operator-webhook-service
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    control-plane: controller-manager
+status:
+  loadBalancer: {}

bundle/manifests/temporal-operator.clusterserviceversion.yaml

@@ -87,16 +87,16 @@ metadata:
               "buildDir": "samples-go/helloworld",
               "buildRegistry": {
                 "passwordSecretRef": {
-                    "key": "PASSWORD",
-                    "name": "docker-password"
+                  "key": "PASSWORD",
+                  "name": "docker-password"
                 },
                 "repository": "docker.io",
                 "username": "ktenzer"
               },
               "enabled": false,
               "gitRepository": {
                 "reference": {
-                    "branch": "main"
+                  "branch": "main"
                 },
                 "url": "https://github.com/ktenzer/samples-go.git"
               },
@@ -121,7 +121,7 @@ metadata:
     containerImage: ghcr.io/alexandrevilain/temporal-operator:v0.9.1
     operators.operatorframework.io/builder: operator-sdk-v1.23.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
-  name: temporal-operator.v0.9.1
+  name: temporal-operator.v0.10.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -467,14 +467,18 @@ spec:
                 - --leader-elect
                 command:
                 - /manager
-                image: ghcr.io/alexandrevilain/temporal-operator:v0.9.1
+                image: ghcr.io/alexandrevilain/temporal-operator:v0.10.0
                 livenessProbe:
                   httpGet:
                     path: /healthz
                     port: 8081
                   initialDelaySeconds: 15
                   periodSeconds: 20
                 name: manager
+                ports:
+                - containerPort: 9443
+                  name: webhook-server
+                  protocol: TCP
                 readinessProbe:
                   httpGet:
                     path: /readyz
@@ -490,10 +494,19 @@ spec:
                     memory: 64Mi
                 securityContext:
                   allowPrivilegeEscalation: false
+                volumeMounts:
+                - mountPath: /tmp/k8s-webhook-server/serving-certs
+                  name: cert
+                  readOnly: true
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: temporal-operator-controller-manager
               terminationGracePeriodSeconds: 10
+              volumes:
+              - name: cert
+                secret:
+                  defaultMode: 420
+                  secretName: webhook-server-cert
       permissions:
       - rules:
         - apiGroups:
@@ -558,5 +571,86 @@ spec:
   provider:
     name: Temporal Community
     url: https://temporal.io/
-  version: 0.9.1
   replaces: temporal-operator.v0.7.0
+  version: 0.10.0
+  webhookdefinitions:
+  - admissionReviewVersions:
+    - v1
+    containerPort: 443
+    deploymentName: temporal-operator-controller-manager
+    failurePolicy: Fail
+    generateName: mtemporalc.kb.io
+    rules:
+    - apiGroups:
+      - temporal.io
+      apiVersions:
+      - v1beta1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - temporalclusters
+    sideEffects: None
+    targetPort: 9443
+    type: MutatingAdmissionWebhook
+    webhookPath: /mutate-temporal-io-v1beta1-temporalcluster
+  - admissionReviewVersions:
+    - v1
+    containerPort: 443
+    deploymentName: temporal-operator-controller-manager
+    failurePolicy: Fail
+    generateName: mtemporalworkerprocess.kb.io
+    rules:
+    - apiGroups:
+      - temporal.io
+      apiVersions:
+      - v1beta1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - temporalworkerprocesses
+    sideEffects: None
+    targetPort: 9443
+    type: MutatingAdmissionWebhook
+    webhookPath: /mutate-temporal-io-v1beta1-temporalworkerprocess
+  - admissionReviewVersions:
+    - v1
+    containerPort: 443
+    deploymentName: temporal-operator-controller-manager
+    failurePolicy: Fail
+    generateName: vtemporalc.kb.io
+    rules:
+    - apiGroups:
+      - temporal.io
+      apiVersions:
+      - v1beta1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - temporalclusters
+    sideEffects: None
+    targetPort: 9443
+    type: ValidatingAdmissionWebhook
+    webhookPath: /validate-temporal-io-v1beta1-temporalcluster
+  - admissionReviewVersions:
+    - v1
+    containerPort: 443
+    deploymentName: temporal-operator-controller-manager
+    failurePolicy: Fail
+    generateName: vtemporalworkerprocess.kb.io
+    rules:
+    - apiGroups:
+      - temporal.io
+      apiVersions:
+      - v1beta1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - temporalworkerprocesses
+    sideEffects: None
+    targetPort: 9443
+    type: ValidatingAdmissionWebhook
+    webhookPath: /validate-temporal-io-v1beta1-temporalworkerprocess

bundle/manifests/temporal.io_temporalclusters.yaml

@@ -162,7 +162,6 @@ spec:
                           from.
                         type: string
                       listenPort:
-                        default: 9090
                         description: ListenPort for prometheus to serve metrics from.
                         format: int32
                         type: integer

bundle/manifests/temporal.io_temporalworkerprocesses.yaml

@@ -46,7 +46,8 @@ spec:
             description: TemporalWorkerProcessSpec defines the desired state of TemporalWorkerProcess
             properties:
               builder:
-                description: Builder is the configuration for building a TemporalWorkerProcess
+                description: Builder is the configuration for building a TemporalWorkerProcess.
+                  THIS FEATURE IS HIGHLY EXPERIMENTAL.
                 properties:
                   attempt:
                     description: BuildAttempt is the build attempt number of a given
@@ -267,9 +268,7 @@ spec:
                   to build worker image.
                 type: string
             required:
-            - attempt
             - conditions
-            - created
             - ready
             - version
             type: object

config/manager/kustomization.yaml

@@ -4,4 +4,4 @@ resources:
 - manager.yaml
 images:
 - name: ghcr.io/alexandrevilain/temporal-operator
-  newTag: v0.9.1
+  newTag: v0.10.0

config/manifests/bases/temporal-operator.clusterserviceversion.yaml

@@ -558,5 +558,5 @@ spec:
   provider:
     name: Temporal Community
     url: https://temporal.io/
-  version: 0.9.1
   replaces: temporal-operator.v0.7.0
+  version: 0.10.0

config/samples/temporal.io_v1beta1_temporalworkerprocess.yaml

@@ -3,4 +3,28 @@ kind: TemporalWorkerProcess
 metadata:
   name: temporalworkerprocess-sample
 spec:
-  # TODO(user): Add fields here
+  builder:
+    attempt: 3
+    buildDir: samples-go/helloworld
+    buildRegistry:
+      passwordSecretRef:
+        key: PASSWORD
+        name: docker-password
+      repository: docker.io
+      username: ktenzer
+    enabled: false
+    gitRepository:
+      reference:
+        branch: main
+      url: https://github.com/ktenzer/samples-go.git
+    image: quay.io/podman/stable
+    version: latest
+  clusterRef:
+    name: prod
+    namespace: temporal
+  image: ktenzer/helloworld-worker
+  jobTtlSecondsAfterFinished: 300
+  pullPolicy: Always
+  replicas: 3
+  temporalNamespace: default
+  version: latest