Merge remote-tracking branch 'altinity/0.25.0' into 0.25.0

Author: sunsingerus

deploy/builder/build-clickhouse-operator-install-yaml.sh

@@ -34,6 +34,8 @@ CH_PASSWORD_PLAIN="" \
 CH_CREDENTIALS_SECRET_NAME="clickhouse-operator" \
 CH_USERNAME_SECRET_PLAIN="clickhouse_operator" \
 CH_PASSWORD_SECRET_PLAIN="clickhouse_operator_password" \
+MANIFEST_PRINT_RBAC_NAMESPACED=yes \
+MANIFEST_PRINT_RBAC_CLUSTERED=yes \
 "${CUR_DIR}/cat-clickhouse-operator-install-yaml.sh" > "${MANIFEST_ROOT}/operator/clickhouse-operator-install-bundle.yaml"
 
 # Build templated installation .yaml manifest

deploy/builder/cat-clickhouse-operator-install-yaml.sh

@@ -156,8 +156,7 @@ if [[ "${MANIFEST_PRINT_CRD}" == "yes" ]]; then
         envsubst
 fi
 
-# Render RBAC section for ClusterRole
-if [[ "${MANIFEST_PRINT_RBAC_CLUSTERED}" == "yes" ]]; then
+if [[ "${MANIFEST_PRINT_RBAC_CLUSTERED}" == "yes" || "${MANIFEST_PRINT_RBAC_NAMESPACED}" == "yes" ]]; then
     # Render Account
     SECTION_FILE_NAME="clickhouse-operator-install-yaml-template-02-section-rbac-01-service-account.yaml"
     ensure_file "${TEMPLATES_DIR}" "${SECTION_FILE_NAME}" "${REPO_PATH_TEMPLATES_PATH}"
@@ -168,7 +167,10 @@ if [[ "${MANIFEST_PRINT_RBAC_CLUSTERED}" == "yes" ]]; then
         NAME="clickhouse-operator"                \
         OPERATOR_VERSION="${OPERATOR_VERSION}"    \
         envsubst
+fi
 
+# Render RBAC section for ClusterRole
+if [[ "${MANIFEST_PRINT_RBAC_CLUSTERED}" == "yes" ]]; then
     # Render Role
     SECTION_FILE_NAME="clickhouse-operator-install-yaml-template-02-section-rbac-02-role.yaml"
     ensure_file "${TEMPLATES_DIR}" "${SECTION_FILE_NAME}" "${REPO_PATH_TEMPLATES_PATH}"
@@ -186,16 +188,6 @@ fi
 
 # Render RBAC section for Role
 if [[ "${MANIFEST_PRINT_RBAC_NAMESPACED}" == "yes" ]]; then
-    # Render Account
-    SECTION_FILE_NAME="clickhouse-operator-install-yaml-template-02-section-rbac-01-service-account.yaml"
-    ensure_file "${TEMPLATES_DIR}" "${SECTION_FILE_NAME}" "${REPO_PATH_TEMPLATES_PATH}"
-    render_separator
-    cat "${TEMPLATES_DIR}/${SECTION_FILE_NAME}" | \
-        NAMESPACE="${OPERATOR_NAMESPACE}"         \
-        NAME="clickhouse-operator"                \
-        OPERATOR_VERSION="${OPERATOR_VERSION}"    \
-        envsubst
-
     # Render Role
     SECTION_FILE_NAME="clickhouse-operator-install-yaml-template-02-section-rbac-02-role.yaml"
     ensure_file "${TEMPLATES_DIR}" "${SECTION_FILE_NAME}" "${REPO_PATH_TEMPLATES_PATH}"
@@ -211,7 +203,6 @@ if [[ "${MANIFEST_PRINT_RBAC_NAMESPACED}" == "yes" ]]; then
         envsubst
 fi
 
-
 # Render header/beginning of ConfigMap yaml specification:
 # apiVersion: v1
 # kind: ConfigMap

deploy/helm/clickhouse-operator/README.md

@@ -56,7 +56,8 @@ For upgrade please install CRDs separately:
 | podAnnotations | object | check the `values.yaml` file | annotations to add to the clickhouse-operator pod, check `kubectl explain pod.spec.annotations` for details |
 | podLabels | object | `{}` | labels to add to the clickhouse-operator pod |
 | podSecurityContext | object | `{}` |  |
-| rbac.create | bool | `true` | specifies whether cluster roles and cluster role bindings should be created |
+| rbac.create | bool | `true` | specifies whether rbac resources should be created |
+| rbac.namespaceScoped | bool | `false` | specifies whether to create roles and rolebindings at the cluster level or namespace level |
 | secret.create | bool | `true` | create a secret with operator credentials |
 | secret.password | string | `"clickhouse_operator_password"` | operator credentials password |
 | secret.username | string | `"clickhouse_operator"` | operator credentials username |

deploy/helm/clickhouse-operator/templates/generated/ClusterRole-clickhouse-operator-kube-system.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if (and .Values.rbac.create (not .Values.rbac.namespaceScoped)) -}}
 # Specifies either
 #   ClusterRole
 # or
@@ -12,7 +12,6 @@ metadata:
   name: {{ include "altinity-clickhouse-operator.fullname" . }}
   #namespace: kube-system
   labels: {{ include "altinity-clickhouse-operator.labels" . | nindent 4 }}
-  namespace: {{ include "altinity-clickhouse-operator.namespace" . }}
   annotations: {{ include "altinity-clickhouse-operator.annotations" . | nindent 4 }}
 rules:
   #

deploy/helm/clickhouse-operator/templates/generated/ClusterRoleBinding-clickhouse-operator-kube-system.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if (and .Values.rbac.create (not .Values.rbac.namespaceScoped)) -}}
 # Specifies either
 #   ClusterRoleBinding between ClusterRole and ServiceAccount.
 # or
@@ -11,7 +11,6 @@ metadata:
   name: {{ include "altinity-clickhouse-operator.fullname" . }}
   #namespace: kube-system
   labels: {{ include "altinity-clickhouse-operator.labels" . | nindent 4 }}
-  namespace: {{ include "altinity-clickhouse-operator.namespace" . }}
   annotations: {{ include "altinity-clickhouse-operator.annotations" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -21,4 +20,13 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "altinity-clickhouse-operator.serviceAccountName" . }}
     namespace: {{ include "altinity-clickhouse-operator.namespace" . }}
+# Template Parameters:
+#
+# NAMESPACE=kube-system
+# COMMENT=
+# ROLE_KIND=Role
+# ROLE_NAME=clickhouse-operator
+# ROLE_BINDING_KIND=RoleBinding
+# ROLE_BINDING_NAME=clickhouse-operator
+#
 {{- end }}

deploy/helm/clickhouse-operator/templates/generated/Role-clickhouse-operator.yaml

@@ -0,0 +1,211 @@
+{{- if (and .Values.rbac.create .Values.rbac.namespaceScoped) -}}
+# Specifies either
+#   ClusterRole
+# or
+#   Role
+# to be bound to ServiceAccount.
+# ClusterRole is namespace-less and must have unique name
+# Role is namespace-bound
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "altinity-clickhouse-operator.fullname" . }}
+  namespace: {{ include "altinity-clickhouse-operator.namespace" . }}
+  labels: {{ include "altinity-clickhouse-operator.labels" . | nindent 4 }}
+  annotations: {{ include "altinity-clickhouse-operator.annotations" . | nindent 4 }}
+rules:
+  #
+  # Core API group
+  #
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - services
+      - persistentvolumeclaims
+      - secrets
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - create
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumes
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+  #
+  # apps.* resources
+  #
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - create
+      - delete
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - get
+      - patch
+      - update
+      - delete
+  # The operator deployment personally, identified by name
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    resourceNames:
+      - {{ include "altinity-clickhouse-operator.fullname" . }}
+    verbs:
+      - get
+      - patch
+      - update
+      - delete
+  #
+  # policy.* resources
+  #
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - create
+      - delete
+  #
+  # apiextensions
+  #
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+  # clickhouse - related resources
+  - apiGroups:
+      - clickhouse.altinity.com
+    #
+    # The operators specific Custom Resources
+    #
+
+    resources:
+      - clickhouseinstallations
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - update
+      - delete
+  - apiGroups:
+      - clickhouse.altinity.com
+    resources:
+      - clickhouseinstallationtemplates
+      - clickhouseoperatorconfigurations
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - clickhouse.altinity.com
+    resources:
+      - clickhouseinstallations/finalizers
+      - clickhouseinstallationtemplates/finalizers
+      - clickhouseoperatorconfigurations/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - clickhouse.altinity.com
+    resources:
+      - clickhouseinstallations/status
+      - clickhouseinstallationtemplates/status
+      - clickhouseoperatorconfigurations/status
+    verbs:
+      - get
+      - update
+      - patch
+      - create
+      - delete
+  # clickhouse-keeper - related resources
+  - apiGroups:
+      - clickhouse-keeper.altinity.com
+    resources:
+      - clickhousekeeperinstallations
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - update
+      - delete
+  - apiGroups:
+      - clickhouse-keeper.altinity.com
+    resources:
+      - clickhousekeeperinstallations/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - clickhouse-keeper.altinity.com
+    resources:
+      - clickhousekeeperinstallations/status
+    verbs:
+      - get
+      - update
+      - patch
+      - create
+      - delete
+{{- end }}

deploy/helm/clickhouse-operator/templates/generated/RoleBinding-clickhouse-operator.yaml

@@ -0,0 +1,23 @@
+{{- if (and .Values.rbac.create .Values.rbac.namespaceScoped) -}}
+# Specifies either
+#   ClusterRoleBinding between ClusterRole and ServiceAccount.
+# or
+#   RoleBinding between Role and ServiceAccount.
+# ClusterRoleBinding is namespace-less and must have unique name
+# RoleBinding is namespace-bound
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "altinity-clickhouse-operator.fullname" . }}
+  namespace: {{ include "altinity-clickhouse-operator.namespace" . }}
+  labels: {{ include "altinity-clickhouse-operator.labels" . | nindent 4 }}
+  annotations: {{ include "altinity-clickhouse-operator.annotations" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "altinity-clickhouse-operator.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "altinity-clickhouse-operator.serviceAccountName" . }}
+    namespace: {{ include "altinity-clickhouse-operator.namespace" . }}
+{{- end }}

deploy/helm/clickhouse-operator/templates/generated/ServiceAccount-clickhouse-operator.yaml

@@ -13,7 +13,6 @@ metadata:
   namespace: {{ include "altinity-clickhouse-operator.namespace" . }}
   labels: {{ include "altinity-clickhouse-operator.labels" . | nindent 4 }}
   annotations: {{ include "altinity-clickhouse-operator.annotations" . | nindent 4 }}{{ if .Values.serviceAccount.annotations }}{{ toYaml .Values.serviceAccount.annotations | nindent 4 }}{{ end }}
-
 # Template Parameters:
 #
 # NAMESPACE=kube-system

deploy/helm/clickhouse-operator/values.yaml

@@ -71,8 +71,10 @@ serviceAccount:
   # serviceAccount.name -- the name of the service account to use; if not set and create is true, a name is generated using the fullname template
   name:
 rbac:
-  # rbac.create -- specifies whether cluster roles and cluster role bindings should be created
+  # rbac.create -- specifies whether rbac resources should be created
   create: true
+  # rbac.namespaceScoped -- specifies whether to create roles and rolebindings at the cluster level or namespace level
+  namespaceScoped: false
 secret:
   # secret.create -- create a secret with operator credentials
   create: true