Added Operator charts, modified cockroachdb charts to support cc-operator

Author: udnay

build/templates/values.yaml

@@ -716,6 +716,135 @@ iap:
 godebug:
   disablethp: "1"
 
-# Use the CockroachDB Operator to manage the CockroachDB clusters.
+# Use the CRDB Operator to manage the CRDB clusters
 operator:
-  enabled: false
+  enabled: true
+  # Default values for the cluster chart.
+  image:
+    repository: cockroachdb/cockroach
+    pullPolicy: IfNotPresent
+    # Overrides the image tag whose default is the cluster chart's appVersion.
+    tag: ""
+
+  nameOverride: ""
+  fullnameOverride: ""
+
+  # A map of CRDB cluster settings.
+  # See https://www.cockroachlabs.com/docs/stable/cluster-settings.html
+  clusterSettings: ~
+
+    # Regions controls the number of CRDB nodes that are deployed per region.
+    # regions: ~
+    # - code: us-central1
+      # nodes: 3
+
+  # loggingConf is the logging configuration used by cockroach.
+  # More details: https://www.cockroachlabs.com/docs/stable/logging-overview.html
+  loggingConf: ~
+    # sinks:
+      # stderr:
+        # channels: [health, dev]
+        # filter: INFO
+
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as K3D. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the tilde after 'resources:'.
+  resources: ~
+    # limits:
+      # cpu: 100m
+      # memory: 128Mi
+    # requests:
+      # cpu: 100m
+      # memory: 128Mi
+
+  # dataStore specifies the disk configuration for the CRDB Node.
+  dataStore:
+    volumeClaimTemplate:
+      metadata: {}
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi
+        volumeMode: Filesystem
+
+  certificates:
+    # Any extra alt names that should be added to the node certs.
+    extraNodeAltNames: []
+      # - somevalue
+      # - somevalue.default
+      # - somevalue.default.svc.local
+    # the number of days generated certs are valid for
+    # validForDays: 3650
+
+    # External certificates for the CRDB cluster.
+    externalCertificates:
+      clientCaConfigMapName: ""
+      nodeCaConfigMapName: ""
+      httpSecretName: ""
+      nodeClientSecretName: ""
+      nodeSecretName: ""
+      rootSqlClientSecretName: ""
+
+  # RBAC settings for CRDB nodes
+  rbac:
+    # By default the service account will be the resource name. It will
+    # be created during the installation along with a namespaced role and
+    # a cluster role with the policy rules below.
+    #
+    # Uncomment the line below to use a custom SA. If a custom SA is used,
+    # no roles or bindings will be created.
+    # serviceAccountName: my-custom-sa
+
+    # Rules for the namespaced role bound to the service account.
+    #
+    # E.g.
+    # permissions:
+    #   - apiGroup: [""]
+    #     resources: ["secrets"]
+    #     verbs: ["create", "get"]
+    rules: []
+
+    # Rules for the cluster role bound to the service account.
+    clusterRules:
+      # Get nodes allows the locality container to work as expected. It pulls the
+      # failure-domain.beta.kubernetes.io/zone label to determine node locality.
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get"]
+    serviceAccountName: ~
+
+  regions:
+    - code: us-east-1
+      nodes: 3
+      cloudProvider: k3d
+      namespace: default
+
+  # PodLabels are the labels that should be applied to the underlying CRDB pod
+  podLabels:
+    app.kubernetes.io/component: cockroachdb
+
+  # Flags passed to the cockroachdb container.
+  flags:
+    # Disable backup/restore to local disk by default.
+    --external-io-dir: disabled
+
+  # Environment variables set on cockroachdb pods.
+  env: []
+
+  # Delay between cockroachdb pod restarts. Wait 3m by default to avoid
+  # unavailability during restarts.
+  rollingRestartDelay: 3m0s
+
+  # Topology spread constraints set on cockroachdb pods. Spread cockroachdb
+  # pods across zones by default.
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: topology.kubernetes.io/zone
+      whenUnsatisfiable: DoNotSchedule
+
+  extras:
+    # Add a container with dnsutils (nslookup, dig, ping, etc.) installed.
+    dnsutils: false

cockroachdb/templates/_helpers.tpl

@@ -361,3 +361,23 @@ Construct the GODEBUG env var value (looks like: GODEBUG="foo=bar,baz=quux"; def
 {{- end }}
 {{- join "," $godebugList -}}
 {{- end }}
+
+
+{{/* Common labels that are applied to all managed objects. */}}
+{{- define "cluster.labels" -}}
+helm.sh/chart: {{ include "cockroachdb.chart" . }}
+{{ include "cluster.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+  Selector labels defines the set of labels that can be used as selectors for
+  crdb nodes.
+*/}}
+{{- define "cluster.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cockroachdb.clusterfullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

cockroachdb/templates/crdb.yaml

@@ -0,0 +1,68 @@
+{{- if .Values.operator.enabled }}
+---
+apiVersion: crdb.cockroachlabs.com/v1alpha1
+kind: CrdbCluster
+metadata:
+  name: {{ template "cockroachdb.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+    {{- with .Values.statefulset.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with .Values.operator.clusterSettings }}
+  clusterSettings: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.operator.regions }}
+  regions: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  features:
+    - reconcile
+    - reconcile-beta
+  {{- with .Values.operator.flags }}
+  flags: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rollingRestartDelay: {{ .Values.operator.rollingRestartDelay }}
+  template:
+    spec:
+      image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
+      certificates:
+        externalCertificates:
+          {{- /* Note: defaults should match secrets and configmaps created by the self-signer job. */}}
+          clientCaConfigMapName: {{ .Values.operator.certificates.externalCertificates.clientCaConfigMapName | default (printf "%s-ca-secret-crt" (include "cockroachdb.fullname" .)) }}
+          nodeCaConfigMapName: {{ .Values.operator.certificates.externalCertificates.nodeCaConfigMapName | default (printf "%s-ca-secret-crt" (include "cockroachdb.fullname" .)) }}
+          httpSecretName: {{ .Values.operator.certificates.externalCertificates.httpSecretName | default (printf "%s-client-secret" (include "cockroachdb.fullname" .)) }}
+          nodeClientSecretName: {{ .Values.operator.certificates.externalCertificates.nodeClientSecretName | default (printf "%s-client-secret" (include "cockroachdb.fullname" .)) }}
+          nodeSecretName: {{ .Values.operator.certificates.externalCertificates.nodeSecretName | default (printf "%s-node-secret" (include "cockroachdb.fullname" .)) }}
+          rootSqlClientSecretName: {{ .Values.operator.certificates.externalCertificates.rootSqlClientSecretName | default (printf "%s-client-secret" (include "cockroachdb.fullname" .)) }}
+      {{- with .Values.operator.dataStore }}
+      dataStore: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.operator.env }}
+      env: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.operator.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      podLabels:
+        app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name | quote }}
+        {{- with .Values.operator.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.operator.resources }}
+      resourceRequirements: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ .Values.operator.rbac.serviceAccountName | default (include "cockroachdb.serviceAccount.name" .) }}
+      {{- if .Values.operator.loggingConf }}
+      loggingConfigMapName: {{ .Release.Name }}-logging
+      {{- end }}
+  # All properties below are solely to pass validation. They aren't used by the
+  # betaclusterctrl controller so the values don't matter so long as they're
+  # valid.
+  dataStore: {}
+{{- end }}

cockroachdb/templates/job.init.yaml

@@ -1,6 +1,6 @@
 {{ $isClusterInitEnabled := and (eq (len .Values.conf.join) 0) (not (index .Values.conf `single-node`)) }}
 {{ $isDatabaseProvisioningEnabled := .Values.init.provisioning.enabled }}
-{{- if or $isClusterInitEnabled $isDatabaseProvisioningEnabled }}
+{{- if and (or $isClusterInitEnabled $isDatabaseProvisioningEnabled) (not .Values.operator.enabled) }}
   {{ template "cockroachdb.tlsValidation" . }}
 kind: Job
 apiVersion: batch/v1

cockroachdb/templates/poddisruptionbudget.yaml

@@ -1,3 +1,4 @@
+{{- if (not .Values.operator.enabled) }}
 kind: PodDisruptionBudget
 {{- if or (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version) }}
 apiVersion: policy/v1
@@ -24,3 +25,4 @@ spec:
       {{- toYaml . | nindent 6 }}
     {{- end }}
   maxUnavailable: {{ .Values.statefulset.budget.maxUnavailable | int64 }}
+{{- end }}

cockroachdb/templates/role-certSelfSigner.yaml

@@ -30,4 +30,7 @@ rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["delete", "get"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "update", "delete"]
 {{- end }}

cockroachdb/templates/role.yaml

@@ -20,4 +20,25 @@ rules:
     {{- else }}
     verbs: ["create", "get"]
     {{- end }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "cockroachdb.fullname" . }}-node-reader
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    helm.sh/chart: {{ template "cockroachdb.chart" . }}
+    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+  {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
 {{- end }}

cockroachdb/templates/rolebinding.yaml

@@ -20,4 +20,26 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "cockroachdb.serviceAccount.name" . }}
     namespace: {{ .Release.Namespace | quote }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "cockroachdb.fullname" . }}-node-reader
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    helm.sh/chart: {{ template "cockroachdb.chart" . }}
+    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+  {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "cockroachdb.fullname" . }}-node-reader
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "cockroachdb.serviceAccount.name" . }}
+    namespace: {{ .Release.Namespace | quote }}
 {{- end }}

cockroachdb/templates/service.discovery.yaml

@@ -2,6 +2,7 @@
 # the StatefulSet such that they can resolve each other's IP addresses.
 # It does not create a load-balanced ClusterIP and should not be used directly
 # by clients in most circumstances.
+{{- if not .Values.operator.enabled }}
 kind: Service
 apiVersion: v1
 metadata:
@@ -62,3 +63,4 @@ spec:
   {{- with .Values.statefulset.labels }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
+{{- end }}

cockroachdb/templates/service.public.yaml

@@ -30,6 +30,33 @@ metadata:
   {{- end }}
   {{- end }}
 spec:
+  selector:
+    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- if .Values.operator.enabled }}
+  {{- with .Values.operator.podLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  # Cockroach Cloud operator doesn't provide a way to change the sql,grpc and http ports for the pods. Hence, making these
+  # ports static here.
+  type: ClusterIP
+  ports:
+  - name: sql
+    port: 26257
+    protocol: TCP
+    targetPort: 26257
+  - name: grpc
+    port: 26258
+    protocol: TCP
+    targetPort: 26258
+  - name: http
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+{{- else }}
+  {{- with .Values.statefulset.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   type: {{ .Values.service.public.type | quote }}
   ports:
   {{- $ports := .Values.service.ports }}
@@ -47,9 +74,4 @@ spec:
     - name: {{ $ports.http.name | quote }}
       port: {{ $ports.http.port | int64 }}
       targetPort: http
-  selector:
-    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name | quote }}
-  {{- with .Values.statefulset.labels }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+{{- end }}