Split controller and webhook in two separate deployments (#13)

charts/db-operator/Chart.yaml

@@ -2,13 +2,13 @@
 apiVersion: v2
 type: application
 name: db-operator
-version: 1.10.1
+version: 1.11.0
 # ---------------------------------------------------------------------------------
 # -- All supported k8s versions are in the test:
 # --  https://github.com/db-operator/charts/blob/main/.github/workflows/test.yaml
 # ---------------------------------------------------------------------------------
 kubeVersion: ">= 1.22-prerelease"
-appVersion: "1.13.1"
+appVersion: "1.14.0"
 description: The DB Operator creates databases and make them available in the cluster via Custom Resource.
 home: https://github.com/db-operator/db-operator
 

charts/db-operator/ci/unit-test/values-crds-no-cert.yaml

@@ -5,8 +5,10 @@ values: |
 files:
   - ConfigMap-db-operator-config.yml
   - Deployment-db-operator.yml
-  - ServiceAccount-db-operator-sa.yml
-  - ClusterRoleBinding-db-operator-sa.yml
+  - Deployment-db-operator-webhook.yml
+  - ServiceAccount-db-operator.yml
+  - ServiceAccount-db-operator-webhook.yml
+  - ClusterRoleBinding-db-operator.yml
   - CustomResourceDefinition-databases.kinda.rocks
   - Service-db-operator-webhook.yml
   - ClusterRole-db-operator.yml

charts/db-operator/ci/unit-test/values-crds-no-issuer.yaml

@@ -8,8 +8,10 @@ files:
   - Certificate-db-operator-webhook.yml
   - ConfigMap-db-operator-config.yml
   - Deployment-db-operator.yml
-  - ServiceAccount-db-operator-sa.yml
-  - ClusterRoleBinding-db-operator-sa.yml
+  - Deployment-db-operator-webhook.yml
+  - ServiceAccount-db-operator.yml
+  - ServiceAccount-db-operator-webhook.yml
+  - ClusterRoleBinding-db-operator.yml
   - CustomResourceDefinition-databases.kinda.rocks
   - Service-db-operator-webhook.yml
   - ClusterRole-db-operator.yml

charts/db-operator/ci/unit-test/values-crds.yaml

@@ -5,8 +5,10 @@ files:
   - Certificate-db-operator-webhook.yml
   - ConfigMap-db-operator-config.yml
   - Deployment-db-operator.yml
-  - ServiceAccount-db-operator-sa.yml
-  - ClusterRoleBinding-db-operator-sa.yml
+  - Deployment-db-operator-webhook.yml
+  - ServiceAccount-db-operator.yml
+  - ServiceAccount-db-operator-webhook.yml
+  - ClusterRoleBinding-db-operator.yml
   - CustomResourceDefinition-databases.kinda.rocks
   - Issuer-db-operator-issuer.yml
   - Service-db-operator-webhook.yml

charts/db-operator/ci/unit-test/values-no-crds.yaml

@@ -5,8 +5,10 @@ files:
   - Certificate-db-operator-webhook.yml
   - ConfigMap-db-operator-config.yml
   - Deployment-db-operator.yml
-  - ServiceAccount-db-operator-sa.yml
-  - ClusterRoleBinding-db-operator-sa.yml
+  - Deployment-db-operator-webhook.yml
+  - ServiceAccount-db-operator.yml
+  - ServiceAccount-db-operator-webhook.yml
+  - ClusterRoleBinding-db-operator.yml
   - Issuer-db-operator-issuer.yml
   - Service-db-operator-webhook.yml
   - ClusterRole-db-operator.yml

charts/db-operator/ci/unit-test/values-no-rback.yaml

@@ -5,10 +5,12 @@ files:
   - Certificate-db-operator-webhook.yml
   - ConfigMap-db-operator-config.yml
   - Deployment-db-operator.yml
+  - Deployment-db-operator-webhook.yml
   - CustomResourceDefinition-databases.kinda.rocks
   - Issuer-db-operator-issuer.yml
   - Service-db-operator-webhook.yml
-  - ServiceAccount-db-operator-sa.yml
+  - ServiceAccount-db-operator.yml
+  - ServiceAccount-db-operator-webhook.yml
   - CustomResourceDefinition-dbusers.kinda.rocks
   - CustomResourceDefinition-dbinstances.kinda.rocks
   - MutatingWebhookConfiguration-db-operator-mutating-webhook-configuration.yml

charts/db-operator/ci/unit-test/values-no-svcaccount.yaml

@@ -1,11 +1,15 @@
 values: |
   serviceAccount:
       create: false
+  webhook:
+    serviceAccount:
+      create: false
 files:
   - Certificate-db-operator-webhook.yml
   - ConfigMap-db-operator-config.yml
   - Deployment-db-operator.yml
-  - ClusterRoleBinding-db-operator-sa.yml
+  - Deployment-db-operator-webhook.yml
+  - ClusterRoleBinding-db-operator.yml
   - CustomResourceDefinition-databases.kinda.rocks
   - Issuer-db-operator-issuer.yml
   - Service-db-operator-webhook.yml

charts/db-operator/ci/unit-test/values-no-webhook.yaml

@@ -1,12 +1,14 @@
 values: |
   webhook:
     enabled: false
+    serviceAccount:
+      create: false
 files:
   - Certificate-db-operator-webhook.yml
   - ConfigMap-db-operator-config.yml
   - Deployment-db-operator.yml
-  - ServiceAccount-db-operator-sa.yml
-  - ClusterRoleBinding-db-operator-sa.yml
+  - ServiceAccount-db-operator.yml
+  - ClusterRoleBinding-db-operator.yml
   - CustomResourceDefinition-databases.kinda.rocks
   - Issuer-db-operator-issuer.yml
   - ClusterRole-db-operator.yml

charts/db-operator/ci/unit-test/values-webhook.yaml

@@ -1,12 +1,16 @@
 values: |
   webhook:
     enabled: true
+    serviceAccount:
+      create: true
 files:
   - Certificate-db-operator-webhook.yml
   - ConfigMap-db-operator-config.yml
   - Deployment-db-operator.yml
-  - ServiceAccount-db-operator-sa.yml
-  - ClusterRoleBinding-db-operator-sa.yml
+  - Deployment-db-operator-webhook.yml
+  - ServiceAccount-db-operator.yml
+  - ServiceAccount-db-operator-webhook.yml
+  - ClusterRoleBinding-db-operator.yml
   - CustomResourceDefinition-databases.kinda.rocks
   - Issuer-db-operator-issuer.yml
   - Service-db-operator-webhook.yml

charts/db-operator/scripts/test_values

@@ -41,6 +41,7 @@ fi
 
 
 CURRENT_DIR=$(pwd)
+ERROR=false
 for FILE in $(find $VALUES_PATH -type f); do
     WORKDIR=$(mktemp -d)
     echo "Checking $FILE"
@@ -55,7 +56,11 @@ for FILE in $(find $VALUES_PATH -type f); do
         echo "PASSED"
         rm -rf "${WORKDIR}"
     else
+        ERROR=true
         echo "FAILED: Please check unexpected files -> ${DIFF[*]}"
     fi
-
 done
+
+if $ERROR; then
+    exit 1
+fi

charts/db-operator/templates/_helpers.tpl

@@ -25,43 +25,80 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 
 {{/*
-Create chart name and version as used by the chart label.
+Create the name of the service account to use
 */}}
-{{- define "db-operator.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- define "db-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "db-operator.name" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
 {{- end -}}
 
 {{/*
-Image version definition;
+Arguments builder
 */}}
-{{- define "db-operator.image_version" -}}
-{{ default .Chart.AppVersion .Values.image.tag }}
+{{- define "db-operator.args" -}}
+{{- $args := list -}}
+{{- if .Values.checkForChanges -}}
+{{- $args = append $args "--check-for-changes" -}}
+{{- end -}}
+{{ join "," $args }}
 {{- end -}}
 
 {{/*
-Image version definition using Github Packages format ('v' prefix);
+Webhook templates
 */}}
-{{- define "db-operator.github_packages_image_version" -}}
-{{- printf "v%s" (default .Chart.AppVersion .Values.image.tag) }}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "webhook.name" -}}
+{{- printf "db-operator-webhook" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "webhook.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
 {{- end -}}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "db-operator.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
-{{- printf "%s-sa" (include "db-operator.name" .) -}}
+{{- define "webhook.serviceAccountName" -}}
+{{- if .Values.webhook.serviceAccount.create -}}
+    {{ default (include "webhook.name" .) .Values.webhook.serviceAccount.name }}
 {{- else -}}
-{{ default "default" .Values.serviceAccount.name }}
+    {{ default "default" .Values.webhook.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Common labels
 */}}
-{{- define "db-operator.labels" -}}
-helm.sh/chart: {{ include "db-operator.chart" . }}
-{{ include "db-operator.selectorLabels" . }}
+{{- define "labels" -}}
+helm.sh/chart: {{ include "chart" . }}
+{{ include "selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -71,19 +108,21 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "db-operator.selectorLabels" -}}
+{{- define "selectorLabels" -}}
 app.kubernetes.io/name: {{ include "db-operator.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{/*
-Arguments builder
+Image version definition;
 */}}
-{{- define "db-operator.args" -}}
-{{- $args := list -}}
-{{- if .Values.checkForChanges -}}
-{{- $args = append $args "--check-for-changes" -}}
-{{- end -}}
-{{ join "," $args }}
+{{- define "image_version" -}}
+{{ default .Chart.AppVersion .Values.image.tag }}
 {{- end -}}
 
+{{/*
+Image version definition using Github Packages format ('v' prefix);
+*/}}
+{{- define "github_packages_image_version" -}}
+{{- printf "v%s" (default .Chart.AppVersion .Values.image.tag) }}
+{{- end -}}

charts/db-operator/templates/certificate/certificate.yaml

@@ -6,8 +6,8 @@ metadata:
   name: {{ .Values.webhook.certificate.name }}
 spec:
   dnsNames:
-  - {{ .Values.webhook.serviceName }}.{{ .Release.Namespace }}.svc
-  - {{ .Values.webhook.serviceName }}.{{ .Release.Namespace }}.svc.cluster.local
+  - {{ include "webhook.name" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "webhook.name" . }}.{{ .Release.Namespace }}.svc.cluster.local
   issuerRef:
     kind: {{ .Values.webhook.certificate.issuer.kind }}
     name: {{ .Values.webhook.certificate.issuer.name }}

charts/db-operator/templates/config.yaml → charts/db-operator/templates/controller/config.yaml

@@ -3,7 +3,8 @@ kind: ConfigMap
 metadata:
   name: {{ template "db-operator.name" . }}-config
   labels:
-    {{- include "db-operator.labels" . | nindent 4 }}
+    {{- include "labels" . | nindent 4 }}
+    app.kubernetes.io/component: "controller"
 data:
   config.yaml: |
     instance:

charts/db-operator/templates/operator.yaml → charts/db-operator/templates/controller/deployment.yaml

@@ -4,27 +4,30 @@ kind: Deployment
 metadata:
   name: {{ template "db-operator.name" . }}
   labels:
-    {{- include "db-operator.labels" . | nindent 4 }}
+    {{- include "labels" . | nindent 4 }}
+    app.kubernetes.io/component: "controller"
 spec:
   replicas: 1
   selector:
     matchLabels:
-      {{- include "db-operator.selectorLabels" . | nindent 6 }}
+      {{- include "selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: "controller"
   template:
     metadata:
       labels:
-        {{- include "db-operator.labels" . | nindent 8 }}
+        {{- include "labels" . | nindent 8 }}
+        app.kubernetes.io/component: "controller"
         {{- if .Values.podLabels }}
         {{ toYaml .Values.podLabels | trim | nindent 8 }}
         {{- end }}
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+        checksum/config: {{ include (print $.Template.BasePath "/controller/config.yaml") . | sha256sum }}
         {{- if .Values.annotations }}
         {{ toYaml .Values.annotations | nindent 8 }}
         {{- end }}
     spec:
       {{- if .Values.serviceAccount.create }}
-      serviceAccountName: {{ template "db-operator.name" . }}-sa
+      serviceAccountName: {{ template "db-operator.serviceAccountName" . }}
       {{- end }}
      {{- if .Values.security }}
       securityContext:
@@ -33,13 +36,10 @@ spec:
      {{- end }}
       containers:
         - name: operator
-          image: "{{ .Values.image.repository }}:{{ template "db-operator.github_packages_image_version" . }}"
+          image: "{{ .Values.image.repository }}:{{ template "github_packages_image_version" . }}"
           ports:
           - containerPort: 60000
             name: metrics
-          - containerPort: 9443
-            name: webhook-server
-            protocol: TCP
           command:
           - db-operator
           {{- if (include "db-operator.args" . ) }}
@@ -87,9 +87,6 @@ spec:
           - mountPath: /run/config/
             name: config-volume
             readOnly: true
-          - mountPath: /tmp/k8s-webhook-server/serving-certs
-            name: cert
-            readOnly: true
           resources:
             {{ toYaml .Values.resources | nindent 12 }}
       nodeSelector:
@@ -121,7 +118,3 @@ spec:
         - name: config-volume
           configMap: 
             name: {{ template "db-operator.name" . }}-config
-        - name: cert
-          secret:
-            defaultMode: 420
-            secretName: {{ .Values.webhook.certificate.secretName }}

charts/db-operator/templates/gsql-secret.yaml → charts/db-operator/templates/controller/gsql-secret.yaml

@@ -10,7 +10,8 @@ kind: Secret
 metadata:
   name: cloudsql-admin-serviceaccount
   labels:
-    {{- include "db-operator.labels" . | nindent 4 }}
+    {{- include "labels" . | nindent 4 }}
+    app.kubernetes.io/component: "controller"
 type: Opaque
 data:
   credentials.json: |-
@@ -26,7 +27,8 @@ kind: Secret
 metadata:
   name: cloudsql-readonly-serviceaccount
   labels:
-    {{- include "db-operator.labels" . | nindent 4 }}
+    {{- include "labels" . | nindent 4 }}
+    app.kubernetes.io/component: "controller"
 type: Opaque
 data:
   credentials.json: |-