diff --git a/charts/px-central/templates/crds/_crd-helpers.tpl b/charts/px-central/templates/crds/_crd-helpers.tpl
new file mode 100644
index 000000000..2d70a66c8
--- /dev/null
+++ b/charts/px-central/templates/crds/_crd-helpers.tpl
@@ -0,0 +1,101 @@
+{{/*
+=============================================================================
+CRD Helper Templates for Helm 4 SSA Compatibility
+=============================================================================
+
+These helpers support conditional CRD installation to prevent conflicts when
+CRDs are pre-installed by another component (e.g., Portworx Enterprise).
+
+In Helm 4 with Server-Side Apply (SSA), CRD ownership conflicts occur when
+multiple managers attempt to manage the same CRD. By conditionally installing
+CRDs only when they don't exist, we avoid these conflicts.
+
+SUPPORTED VALUES for .Values.installCRDs:
+ - "true" : Always install CRDs (use when CRDs don't exist)
+ - "false" : Never install CRDs (use with ArgoCD when CRDs are managed separately,
+ or when Portworx Enterprise is pre-installed)
+ - "auto" : Use Helm lookup to detect if CRDs exist (default)
+ NOTE: With ArgoCD, lookup always returns empty, so "auto" behaves
+ like "true". ArgoCD users with pre-existing CRDs should use "false".
+
+ARGOCD USERS:
+ When deploying via ArgoCD with pre-existing CRDs (e.g., Portworx installed),
+ you MUST set installCRDs: "false" to avoid conflicts. ArgoCD uses `helm template`
+ which doesn't have cluster access, so the lookup function cannot detect existing CRDs.
+
+ Alternatively, use ArgoCD's built-in skipCrds option:
+ spec:
+ source:
+ helm:
+ skipCrds: true
+*/}}
+
+{{/*
+Check if a CRD exists in the cluster.
+Usage: {{ include "px-central.crdExists" "alertmanagers.monitoring.coreos.com" }}
+Returns: "true" if the CRD exists, "false" otherwise
+
+NOTE: This returns "false" when used with ArgoCD (helm template) because
+ lookup requires cluster access which ArgoCD doesn't provide during rendering.
+*/}}
+{{- define "px-central.crdExists" -}}
+{{- $crd := lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" . -}}
+{{- if $crd }}true{{- else }}false{{- end -}}
+{{- end -}}
+
+{{/*
+Determine if a CRD should be installed based on installCRDs value.
+Usage: {{ include "px-central.shouldInstallCRD" (dict "crdName" "alertmanagers.monitoring.coreos.com" "context" .) }}
+Returns: "true" if the CRD should be installed, "false" otherwise
+
+Logic:
+ - During upgrades: Always return "false" (CRDs were installed during initial install)
+ - installCRDs: "true" or true -> Always return "true"
+ - installCRDs: "false" or false -> Always return "false"
+ - installCRDs: "auto" (default) -> Use lookup to check if CRD exists
+ (NOTE: ArgoCD will always get "true" here due to lookup limitations)
+
+NOTE: Helm --set flag parses "false" as boolean, while values.yaml keeps it as string.
+ This helper handles both boolean and string types.
+*/}}
+{{- define "px-central.shouldInstallCRD" -}}
+{{- /* Skip CRD installation during upgrades - CRDs were installed during initial install */ -}}
+{{- if or .context.Release.IsUpgrade .context.Values.isUpgrade -}}
+false
+{{- else -}}
+{{- /* Get installCRDs value, defaulting to "auto" if nil/empty string */ -}}
+{{- $installCRDs := .context.Values.installCRDs -}}
+{{- /* Check if installCRDs is nil or empty string (but NOT boolean false) */ -}}
+{{- $isNilOrEmpty := and (not (kindIs "bool" $installCRDs)) (not $installCRDs) -}}
+{{- if $isNilOrEmpty -}}
+{{- $installCRDs = "auto" -}}
+{{- end -}}
+{{- /* Convert to string for consistent comparison */ -}}
+{{- $installCRDsStr := toString $installCRDs -}}
+{{- /* Handle "true" (also handles boolean true which becomes "true") */ -}}
+{{- if eq $installCRDsStr "true" -}}
+true
+{{- /* Handle "false" (also handles boolean false which becomes "false") */ -}}
+{{- else if eq $installCRDsStr "false" -}}
+false
+{{- else -}}
+{{- /* installCRDs = "auto" - use lookup */ -}}
+{{- $crdExists := include "px-central.crdExists" .crdName -}}
+{{- if eq $crdExists "true" -}}
+false
+{{- else -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+CRD labels - common labels for all CRDs
+*/}}
+{{- define "px-central.crdLabels" -}}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: px-central
+helm.sh/chart: {{ include "px-central.chart" . }}
+{{- end -}}
diff --git a/charts/px-central/crds/crd-alertmanager.yaml b/charts/px-central/templates/crds/crd-alertmanager.yaml
similarity index 99%
rename from charts/px-central/crds/crd-alertmanager.yaml
rename to charts/px-central/templates/crds/crd-alertmanager.yaml
index 398e56f7c..fbbeadb50 100644
--- a/charts/px-central/crds/crd-alertmanager.yaml
+++ b/charts/px-central/templates/crds/crd-alertmanager.yaml
@@ -1,12 +1,20 @@
+{{/*
+Conditional CRD installation for Helm 4 SSA compatibility.
+Only installs the CRD if it doesn't already exist in the cluster.
+This preserves the full OpenAPI validation schema.
+
+For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false"
+*/}}
+{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "alertmanagers.monitoring.coreos.com" "context" .)) "true" }}
 # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: alertmanagers.monitoring.coreos.com
+ annotations:
+ helm.sh/resource-policy: keep
 labels:
 app: prometheus-operator
- annotations:
- "helm.sh/hook": crd-install
 spec:
 group: monitoring.coreos.com
 names:
@@ -3209,4 +3217,5 @@ spec:
 type: object
 served: true
 storage: true
- subresources: {}
\ No newline at end of file
+ subresources: {}
+{{- end }}
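Review bot: An unrecognized `installCRDs` value (a typo, `yes`, `AUTO`) falls through the final `else` of `px-central.shouldInstallCRD` and is silently treated as "auto", so a value that was meant to disable installation still runs the lookup and may render the CRDs. Guarding that branch with `{{- else if ne $installCRDsStr "auto" -}}` followed by `{{- fail (printf "installCRDs must be true, false or auto, got %q" $installCRDsStr) -}}` makes the contract in the header comment enforceable at render time. The upgrade short-circuit (`false` whenever `.context.Release.IsUpgrade` or `.context.Values.isUpgrade` is set) means a CRD that was part of the install manifest is absent from every later upgrade manifest; Helm removes resources that drop out of the release on upgrade, which here would take the CRD and every custom resource of that type with it, and only the `helm.sh/resource-policy: keep` annotation added to each CRD template prevents that. That dependency belongs in this header comment, e.g. `Every template gated by this helper MUST carry helm.sh/resource-policy: keep; without it the first upgrade drops the CRD from the release and Helm deletes it together with its custom resources.`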
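Review bot: The header comment states the CRD is installed "only if it doesn't already exist in the cluster", but with `installCRDs: "true"`, or with "auto" under `helm template` or a client-side `--dry-run` where `lookup` returns nothing, it is rendered unconditionally, and because `px-central.shouldInstallCRD` yields `false` on every upgrade a newer chart that ships an updated schema never applies it. Suggested wording: `Rendered only when px-central.shouldInstallCRD yields "true": never on upgrades, unconditionally when installCRDs is "true" or lookup has no cluster access (helm template, client-side dry-run). Schema updates to this CRD are not applied by chart upgrades; see _crd-helpers.tpl.` The identical comment block is duplicated in crd-alertmanagerconfigs, crd-podmonitor, crd-probes, crd-prometheus, crd-prometheusrules, crd-servicemonitor and crd-thanosrulers; a shared named template (e.g. `px-central.crdHeader`, name is a suggestion) would keep the eight copies in step. The `helm.sh/resource-policy: keep` annotation added in each of these files is what stops Helm from deleting the CRD, and its custom resources, when the template renders empty on upgrade, so a comment next to it (`# required: template is skipped on upgrade, keep prevents Helm from deleting the CRD`) would protect it from being dropped the next time these files are regenerated from upstream.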
diff --git a/charts/px-central/crds/crd-alertmanagerconfigs.yaml b/charts/px-central/templates/crds/crd-alertmanagerconfigs.yaml
similarity index 99%
rename from charts/px-central/crds/crd-alertmanagerconfigs.yaml
rename to charts/px-central/templates/crds/crd-alertmanagerconfigs.yaml
index 873dcfe9b..d8964aa54 100644
--- a/charts/px-central/crds/crd-alertmanagerconfigs.yaml
+++ b/charts/px-central/templates/crds/crd-alertmanagerconfigs.yaml
@@ -1,3 +1,11 @@
+{{/*
+Conditional CRD installation for Helm 4 SSA compatibility.
+Only installs the CRD if it doesn't already exist in the cluster.
+This preserves the full OpenAPI validation schema.
+
+For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false"
+*/}}
+{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "alertmanagerconfigs.monitoring.coreos.com" "context" .)) "true" }}
 # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml
 ---
@@ -6,6 +14,7 @@ kind: CustomResourceDefinition
 metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.4.1
+ helm.sh/resource-policy: keep
 creationTimestamp: null
 name: alertmanagerconfigs.monitoring.coreos.com
 spec:
@@ -2438,4 +2447,5 @@ status:
 kind: ""
 plural: ""
 conditions: []
- storedVersions: []
\ No newline at end of file
+ storedVersions: []
+{{- end }}
diff --git a/charts/px-central/crds/crd-podmonitor.yaml b/charts/px-central/templates/crds/crd-podmonitor.yaml
similarity index 97%
rename from charts/px-central/crds/crd-podmonitor.yaml
rename to charts/px-central/templates/crds/crd-podmonitor.yaml
index c6e866ebd..1f8cb5a59 100644
--- a/charts/px-central/crds/crd-podmonitor.yaml
+++ b/charts/px-central/templates/crds/crd-podmonitor.yaml
@@ -1,12 +1,20 @@
+{{/*
+Conditional CRD installation for Helm 4 SSA compatibility.
+Only installs the CRD if it doesn't already exist in the cluster.
+This preserves the full OpenAPI validation schema.
+
+For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false"
+*/}}
+{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "podmonitors.monitoring.coreos.com" "context" .)) "true" }}
 # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: podmonitors.monitoring.coreos.com
+ annotations:
+ helm.sh/resource-policy: keep
 labels:
 app: prometheus-operator
- annotations:
- "helm.sh/hook": crd-install
 spec:
 group: monitoring.coreos.com
 names:
@@ -344,4 +352,5 @@ spec:
 - spec
 type: object
 served: true
- storage: true
\ No newline at end of file
+ storage: true
+{{- end }}
diff --git a/charts/px-central/crds/crd-probes.yaml b/charts/px-central/templates/crds/crd-probes.yaml
similarity index 98%
rename from charts/px-central/crds/crd-probes.yaml
rename to charts/px-central/templates/crds/crd-probes.yaml
index 4d298cfc9..4743e2757 100644
--- a/charts/px-central/crds/crd-probes.yaml
+++ b/charts/px-central/templates/crds/crd-probes.yaml
@@ -1,3 +1,11 @@
+{{/*
+Conditional CRD installation for Helm 4 SSA compatibility.
+Only installs the CRD if it doesn't already exist in the cluster.
+This preserves the full OpenAPI validation schema.
+
+For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false"
+*/}}
+{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "probes.monitoring.coreos.com" "context" .)) "true" }}
 # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml
 ---
@@ -6,6 +14,7 @@ kind: CustomResourceDefinition
 metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.4.1
+ helm.sh/resource-policy: keep
 creationTimestamp: null
 name: probes.monitoring.coreos.com
 spec:
@@ -566,4 +575,5 @@ status:
 kind: ""
 plural: ""
 conditions: []
- storedVersions: []
\ No newline at end of file
+ storedVersions: []
+{{- end }}
diff --git a/charts/px-central/crds/crd-prometheus.yaml b/charts/px-central/templates/crds/crd-prometheus.yaml
similarity index 99%
rename from charts/px-central/crds/crd-prometheus.yaml
rename to charts/px-central/templates/crds/crd-prometheus.yaml
index 7b4dbfe8b..1abbeb300 100644
--- a/charts/px-central/crds/crd-prometheus.yaml
+++ b/charts/px-central/templates/crds/crd-prometheus.yaml
@@ -1,12 +1,20 @@
+{{/*
+Conditional CRD installation for Helm 4 SSA compatibility.
+Only installs the CRD if it doesn't already exist in the cluster.
+This preserves the full OpenAPI validation schema.
+
+For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false"
+*/}}
+{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "prometheuses.monitoring.coreos.com" "context" .)) "true" }}
 # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: prometheuses.monitoring.coreos.com
+ annotations:
+ helm.sh/resource-policy: keep
 labels:
 app: prometheus-operator
- annotations:
- "helm.sh/hook": crd-install
 spec:
 group: monitoring.coreos.com
 names:
@@ -4434,4 +4442,5 @@ spec:
 type: object
 served: true
 storage: true
- subresources: {}
\ No newline at end of file
+ subresources: {}
+{{- end }}
diff --git a/charts/px-central/crds/crd-prometheusrules.yaml b/charts/px-central/templates/crds/crd-prometheusrules.yaml
similarity index 88%
rename from charts/px-central/crds/crd-prometheusrules.yaml
rename to charts/px-central/templates/crds/crd-prometheusrules.yaml
index dd2121872..5e826dd18 100644
--- a/charts/px-central/crds/crd-prometheusrules.yaml
+++ b/charts/px-central/templates/crds/crd-prometheusrules.yaml
@@ -1,13 +1,21 @@
+{{/*
+Conditional CRD installation for Helm 4 SSA compatibility.
+Only installs the CRD if it doesn't already exist in the cluster.
+This preserves the full OpenAPI validation schema.
+
+For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false"
+*/}}
+{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "prometheusrules.monitoring.coreos.com" "context" .)) "true" }}
 # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: prometheusrules.monitoring.coreos.com
+ annotations:
+ helm.sh/resource-policy: keep
 labels:
 app: prometheus-operator
- annotations:
- "helm.sh/hook": crd-install
 spec:
 group: monitoring.coreos.com
 names:
@@ -81,4 +89,5 @@ spec:
 - spec
 type: object
 served: true
- storage: true
\ No newline at end of file
+ storage: true
+{{- end }}
diff --git a/charts/px-central/crds/crd-servicemonitor.yaml b/charts/px-central/templates/crds/crd-servicemonitor.yaml
similarity index 97%
rename from charts/px-central/crds/crd-servicemonitor.yaml
rename to charts/px-central/templates/crds/crd-servicemonitor.yaml
index 3b27a4be4..88787f798 100644
--- a/charts/px-central/crds/crd-servicemonitor.yaml
+++ b/charts/px-central/templates/crds/crd-servicemonitor.yaml
@@ -1,10 +1,18 @@
+{{/*
+Conditional CRD installation for Helm 4 SSA compatibility.
+Only installs the CRD if it doesn't already exist in the cluster.
+This preserves the full OpenAPI validation schema.
+
+For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false"
+*/}}
+{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "servicemonitors.monitoring.coreos.com" "context" .)) "true" }}
 # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.4.1
- helm.sh/hook: crd-install
+ helm.sh/resource-policy: keep
 name: servicemonitors.monitoring.coreos.com
 spec:
 group: monitoring.coreos.com
@@ -363,4 +371,5 @@ spec:
 - spec
 type: object
 served: true
- storage: true
\ No newline at end of file
+ storage: true
+{{- end }}
diff --git a/charts/px-central/crds/crd-thanosrulers.yaml b/charts/px-central/templates/crds/crd-thanosrulers.yaml
similarity index 99%
rename from charts/px-central/crds/crd-thanosrulers.yaml
rename to charts/px-central/templates/crds/crd-thanosrulers.yaml
index d6e064312..2a4068342 100644
--- a/charts/px-central/crds/crd-thanosrulers.yaml
+++ b/charts/px-central/templates/crds/crd-thanosrulers.yaml
@@ -1,3 +1,11 @@
+{{/*
+Conditional CRD installation for Helm 4 SSA compatibility.
+Only installs the CRD if it doesn't already exist in the cluster.
+This preserves the full OpenAPI validation schema.
+
+For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false"
+*/}}
+{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "thanosrulers.monitoring.coreos.com" "context" .)) "true" }}
 # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml
 ---
 apiVersion: apiextensions.k8s.io/v1
@@ -5,6 +13,7 @@ kind: CustomResourceDefinition
 metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.4.1
+ helm.sh/resource-policy: keep
 creationTimestamp: null
 name: thanosrulers.monitoring.coreos.com
 spec:
@@ -5030,4 +5039,5 @@ status:
 kind: ""
 plural: ""
 conditions: []
- storedVersions: []
\ No newline at end of file
+ storedVersions: []
+{{- end }}
diff --git a/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml b/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml
index bc6c13b53..5e7c888dc 100644
--- a/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml
+++ b/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml
@@ -7,6 +7,20 @@
 {{- if not .Values.isUpgrade }}
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: pxcentral-pre-install-account
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-pre-install-hook
+ app.kubernetes.io/component: pxcentral-pre-install-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -67,6 +81,29 @@ rules:
 resources: ["resourcequotas"]
 verbs: ["get", "list", "watch"]
 ---
+# Pre-install ClusterRole (cluster-scoped resources)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Namespace }}-px-backup-pre-install-clusterrole
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "2"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-pre-install-hook
+ app.kubernetes.io/component: pxcentral-pre-install-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+rules:
+ # For ValidateNamespace
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch"]
+ # For ValidateStorageClass / Storage provisioner validation
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
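Review bot: The new cluster-scoped RBAC objects carry `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`, so when the pre-install Job fails the ClusterRole, the ClusterRoleBinding in the next hunk and the `pxcentral-pre-install-account` ServiceAccount (with its token) stay in the cluster until someone retries, and this block is skipped on upgrades (`{{- if not .Values.isUpgrade }}`), so on a cluster that was later upgraded past the failure they are never collected. Adding `hook-failed` to the policy on the ServiceAccount, ClusterRole and ClusterRoleBinding (`"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed`) removes the standing grant while the Job itself can keep the current policy so its logs remain available for debugging. The same applies to the pre-upgrade ClusterRole/ClusterRoleBinding/ServiceAccount added in pre-upgrade-check.yaml. The read rules here (`namespaces`, `storageclasses`) also duplicate the preflight ClusterRole added later in this file, which runs on pre-install as well; if the two jobs really need the same cluster-scoped reads, one shared ClusterRole bound to both ServiceAccounts would be simpler to audit.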
@@ -82,13 +119,35 @@ metadata:
 {{- include "px-central.partOfLabel" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
- name: default
+ name: pxcentral-pre-install-account
 namespace: {{ .Release.Namespace }}
 roleRef:
 kind: Role
 name: px-backup-pre-install-role
 apiGroup: rbac.authorization.k8s.io
 ---
+# Pre-install ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Namespace }}-px-backup-pre-install-clusterrolebinding
+ annotations:
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-weight": "3"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-pre-install-hook
+ app.kubernetes.io/component: pxcentral-pre-install-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: pxcentral-pre-install-account
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Namespace }}-px-backup-pre-install-clusterrole
+ apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -139,6 +198,7 @@ spec:
 kubernetes.azure.com/no-http-proxy-vars: "true"
 {{- end }}
 spec:
+ serviceAccountName: pxcentral-pre-install-account
 {{- if $isOpenshiftCluster}}
 {{- else }}
 securityContext:
@@ -243,6 +303,126 @@ spec:
 {{- end }}
 ---
 {{- if eq $pxBackupEnabled true }}
+# Preflight ServiceAccount - runs on both pre-install and pre-upgrade
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: pxcentral-preflight-account
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-preflight-check-hook
+ app.kubernetes.io/component: pxcentral-preflight-check-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+---
+# Preflight Role (namespace-scoped resources)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: px-backup-preflight-role
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "2"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-preflight-check-hook
+ app.kubernetes.io/component: pxcentral-preflight-check-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+rules:
+ # For in-cluster keychain / image pull secrets
+ - apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ # For saving preflight results
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ # For job cleanup and log collection
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get"]
+ - apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "delete"]
+---
+# Preflight ClusterRole (cluster-scoped resources like StorageClasses)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Namespace }}-px-backup-preflight-clusterrole
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "2"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-preflight-check-hook
+ app.kubernetes.io/component: pxcentral-preflight-check-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+rules:
+ # For ValidateStorageClass
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ # For ValidateNamespace
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch"]
+---
+# Preflight RoleBinding (namespace-scoped)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: px-backup-preflight-rolebinding
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "3"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-preflight-check-hook
+ app.kubernetes.io/component: pxcentral-preflight-check-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: pxcentral-preflight-account
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: px-backup-preflight-role
+ apiGroup: rbac.authorization.k8s.io
+---
+# Preflight ClusterRoleBinding (for cluster-scoped resources)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Namespace }}-px-backup-preflight-clusterrolebinding
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "3"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-preflight-check-hook
+ app.kubernetes.io/component: pxcentral-preflight-check-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: pxcentral-preflight-account
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Namespace }}-px-backup-preflight-clusterrole
+ apiGroup: rbac.authorization.k8s.io
+---
 # Pre Flight check job
 apiVersion: batch/v1
 kind: Job
@@ -267,6 +447,7 @@ spec:
 kubernetes.azure.com/no-http-proxy-vars: "true"
 {{- end }}
 spec:
+ serviceAccountName: pxcentral-preflight-account
 {{- if $isOpenshiftCluster}}
 {{- else }}
 securityContext:
diff --git a/charts/px-central/templates/px-backup/pre-upgrade-hook/pre-upgrade-check.yaml b/charts/px-central/templates/px-backup/pre-upgrade-hook/pre-upgrade-check.yaml
index 1bd49aaf6..bbddc9347 100644
--- a/charts/px-central/templates/px-backup/pre-upgrade-hook/pre-upgrade-check.yaml
+++ b/charts/px-central/templates/px-backup/pre-upgrade-hook/pre-upgrade-check.yaml
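Review bot: The preflight Role grants `list` and `watch` on `secrets`, which lets the preflight Job read every Secret in the release namespace, not only the image pull secrets the rule's comment refers to; the comment "For in-cluster keychain / image pull secrets" suggests the job resolves the ServiceAccount's `imagePullSecrets` by name, and if that is the case `verbs: ["get"]` on `secrets` is sufficient and keeps the hook from being a namespace-wide credential reader. If the keychain library genuinely enumerates Secrets, say so in the comment so the wider grant is not narrowed by a later cleanup. The `pods` and `jobs` rules are commented as "job cleanup and log collection", but `jobs` gets `delete` while `pods` does not; if the job deletes prior preflight Jobs it presumably relies on propagation to remove their Pods, which is worth a one-line comment so `delete` on `pods` is not added speculatively later. This hunk also opens a `{{- if eq $pxBackupEnabled true }}` block whose end is outside the hunk.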
@@ -32,6 +32,20 @@
 {{- end }}
 {{- end }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: px-backup-pre-upgrade-account
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-pre-upgrade-hook
+ app.kubernetes.io/component: pxcentral-pre-upgrade-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -39,6 +53,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 annotations:
 "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "2"
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 labels:
 name: pxcentral-pre-upgrade-hook
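Review bot: The new ServiceAccount is named `px-backup-pre-upgrade-account` while the two hook ServiceAccounts added in pre-install-check.yaml are `pxcentral-pre-install-account` and `pxcentral-preflight-account`, and its own labels use the `pxcentral-pre-upgrade-hook` prefix; a consistent `pxcentral-pre-upgrade-account` name makes the three hook identities easy to find in audit logs and RBAC reviews. Because the name is repeated in the RoleBinding, ClusterRoleBinding and Job `serviceAccountName` later in this file, renaming is safest done with a single template variable at the top of the file rather than by hand.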
@@ -81,15 +96,39 @@ rules:
 - apiGroups: ["apps"]
 resources: ["deployments"]
 verbs: ["get", "list", "update", "patch"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["create", "update", "get", "patch", "list", "watch"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["create", "update", "get", "patch", "list", "delete"]
 - apiGroups: [""]
 resources: ["pods/exec"]
 verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["resourcequotas"]
+ verbs: ["get", "list", "watch"]
+---
+# Pre-upgrade ClusterRole (cluster-scoped resources)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.Namespace }}-px-backup-pre-upgrade-clusterrole
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "2"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-pre-upgrade-hook
+ app.kubernetes.io/component: pxcentral-pre-upgrade-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+rules:
+ # For ValidateNamespace
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch"]
+ # For PersistentVolumes (cluster-scoped)
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["create", "update", "get", "patch", "list", "delete"]
+ # For CustomResourceDefinitions (cluster-scoped)
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "update", "get", "patch", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -98,6 +137,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 annotations:
 "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "3"
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 labels:
 name: pxcentral-pre-upgrade-hook
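Review bot: Moving the `customresourcedefinitions` and `persistentvolumes` rules from the namespaced Role into a ClusterRole is not a neutral refactor: a Role cannot grant access to cluster-scoped resources, so the removed rules were inert and the pre-upgrade ServiceAccount now actually gains `create`/`update`/`patch` on every CRD in the cluster and `create`/`delete` on every PersistentVolume. The comments "For PersistentVolumes (cluster-scoped)" and "For CustomResourceDefinitions (cluster-scoped)" should state which operations the pre-upgrade job performs, and if the job only updates the chart's own monitoring CRDs, `update`/`patch` can be confined with `resourceNames` listing the eight `*.monitoring.coreos.com` CRD names from templates/crds (`resourceNames` cannot scope `create`, `list` or `watch`, so those stay unrestricted if needed). Since `px-central.shouldInstallCRD` never renders CRDs on upgrade, a note here saying whether this job is the intended path for CRD schema updates would tie the two changes together for the next reader. The enclosing `rules:` list starts outside this hunk.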
@@ -105,13 +145,35 @@ metadata:
 {{- include "px-central.partOfLabel" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
- name: default
+ name: px-backup-pre-upgrade-account
 namespace: {{ .Release.Namespace }}
 roleRef:
 kind: Role
 name: px-backup-mongodb-pre-upgrade-role
 apiGroup: rbac.authorization.k8s.io
 ---
+# Pre-upgrade ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Namespace }}-px-backup-pre-upgrade-clusterrolebinding
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "3"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ name: pxcentral-pre-upgrade-hook
+ app.kubernetes.io/component: pxcentral-pre-upgrade-hook
+{{- include "px-central.partOfLabel" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: px-backup-pre-upgrade-account
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Namespace }}-px-backup-pre-upgrade-clusterrole
+ apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -162,6 +224,7 @@ spec:
 kubernetes.azure.com/no-http-proxy-vars: "true"
 {{- end }}
 spec:
+ serviceAccountName: px-backup-pre-upgrade-account
 {{- if $isOpenshiftCluster}}
 {{- else }}
 securityContext:
diff --git a/charts/px-central/values.yaml b/charts/px-central/values.yaml
index 556810170..b21d12a89 100644
--- a/charts/px-central/values.yaml
+++ b/charts/px-central/values.yaml
@@ -192,7 +192,20 @@ cassandra:
 maxHeapSize:
 newHeapSize:
-installCRDs: false
+## =============================================================================
+## CRD Installation Control
+## =============================================================================
+## NOTE: CRDs are automatically SKIPPED during upgrades.
+##
+## For FRESH INSTALLS:
+## - "auto" : (default) Uses lookup to detect existing CRDs
+## - "true" : Always install CRDs
+## - "false" : Never install CRDs
+##
+## ArgoCD users: lookup doesn't work with `helm template`.
+## If external Prometheus CRDs exist, set installCRDs: "false"
+##
+installCRDs: "auto"
 clusterDomain: "cluster.local"
 cassandraUsername: cassandra
 cassandraPassword: cassandra
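Review bot: The default flips from `installCRDs: false` to `installCRDs: "auto"`, so a fresh install that previously never touched the monitoring CRDs will now create them whenever `lookup` finds none, and the comment only calls out ArgoCD as the case where `lookup` cannot see the cluster; `helm template` and a client-side `helm install --dry-run` behave the same way and will render the CRDs too. Worth adding `## (also applies to helm template and client-side --dry-run)` after the ArgoCD line, and mentioning that "auto" needs the installing identity to be allowed to read CustomResourceDefinitions for the detection to work. The change of default is a behavior change for new installs and deserves a changelog or NOTES.txt entry.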