Merge pull request #124 from HoustonPutman/helm-ns

Adding ability to deploy helm chart to a namespace.

Author: bsankara

Makefile

@@ -66,8 +66,7 @@ deploy: manifests
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: mod-tidy controller-gen
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=solr-operator-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
-	kustomize build config/crd > helm/solr-operator/crds/crds.yaml
-	cp config/rbac/role.yaml helm/solr-operator/templates/role.yaml
+	./hack/helm/copy_crds_roles_helm.sh
 
 # Run go fmt against code
 fmt:

config/manager/manager.yaml

@@ -22,13 +22,17 @@ spec:
         - -etcd-operator=false
         - -ingress-base-domain=ing.local.domain
         image: bloomberg/solr-operator:latest
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
         name: solr-operator
         env:
           - name: POD_NAMESPACE
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
         resources:
           limits:
             cpu: 200m

hack/helm/copy_crds_roles_helm.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# exit immediately when a command fails
+set -e
+# only exit with zero if all commands of the pipeline exit successfully
+set -o pipefail
+# error on unset variables
+set -u
+
+echo "Copying CRDs and Role to helm repo"
+
+# Build and package CRDs
+kustomize build config/crd > helm/solr-operator/crds/crds.yaml
+
+# Copy Kube Role for Solr Operator permissions to Helm
+rm helm/solr-operator/templates/role.yaml
+printf '{{- if .Values.rbac.create }}\n{{- range $namespace := (split "," (include "solr-operator.watchNamespaces" $)) }}\n' > helm/solr-operator/templates/role.yaml
+cat config/rbac/role.yaml >> helm/solr-operator/templates/role.yaml
+printf '\n{{- end }}\n{{- end }}' >> helm/solr-operator/templates/role.yaml
+gawk -i inplace '/^rules:$/{print "  namespace: {{ $namespace }}"}1' helm/solr-operator/templates/role.yaml
+
+# Template the Solr Operator role as needed
+sed -i.bak -E 's/^kind: ClusterRole$/kind: {{ include "solr-operator\.roleType" \$ }}/' helm/solr-operator/templates/role.yaml
+sed -i.bak -E 's/name: solr-operator-role$/name: {{ include "solr-operator\.fullname" \$ }}-role/' helm/solr-operator/templates/role.yaml
+rm helm/solr-operator/templates/role.yaml.bak

hack/release/update_versions.sh

@@ -14,3 +14,4 @@ tag && $1 == "tag:"{$1 = "  " $1; $2 = "'"${VERSION}"'"} 1' helm/solr-operator/v
 
 gawk -i inplace '$1 == "version:"{$1 = $1; $2 = "'"${VERSION#v}"'"} 1' helm/solr-operator/Chart.yaml
 gawk -i inplace '$1 == "appVersion:"{$1 = $1; $2 = "'"${VERSION}"'"} 1' helm/solr-operator/Chart.yaml
+sed -i.bak -E 's/^\| image.tag \| string \| `".*"` \|/\| image.tag \| string \| `"'${VERSION}'"` \|/g' helm/solr-operator/README.md && rm helm/solr-operator/README.md.bak

helm/solr-operator/README.md

@@ -46,24 +46,54 @@ $ helm install solr-operator solr-operator/solr-operator
 $ helm install solr-operator solr-operator/solr-operator --version 0.2.5
 ```
 
-The command deploys the solr-operator on the Kubernetes cluster with the default configuration. The [configuration](#chart-values) section lists the parameters that can be configured during installation.
+The command deploys the solr-operator on the Kubernetes cluster with the default configuration.
+The [configuration](#chart-values) section lists the parameters that can be configured during installation.
 
-### Helm Version Differences
+#### Namespaces
 
-#### Helm 2
+If you want to specify the namespace for the installation, use the `--namespace` flag.
+All resources will be deployed to the given namespace.
 
-If you are using Helm 2, CRDs are installed using the crd-install hook. Prior to installing, you'll need to uncomment the last two lines in [kustomization.yaml](../../config/crd/kustomization.yaml), and run `make manifests`
+```console
+$ helm install solr-operator solr-operator/solr-operator --namespace solr
+```
 
-You will also need to update the install command to use the name flag, as shown below.
+If you want to only watch that namespace, or others, then you will have to provide the `watchNamespaces` option.
 
 ```console
-$ helm install --name solr-operator solr-operator/solr-operator
+// Watch the namespace where the operator is deployed to (just pass the boolean true)
+$ helm install solr-operator solr-operator/solr-operator --namespace solr --set watchNamespaces=true
+// Watch a single namespace different than the one being deployed to
+$ helm install solr-operator solr-operator/solr-operator --namespace solr --set watchNamespaces=other
+// Watch multiple namespaces (commmas must be escaped in the set string)
+$ helm install solr-operator solr-operator/solr-operator --namespace solr --set watchNamespaces="team1\,team2\,team3"
 ```
 
+Note: Passing `false` and `""` to the `watchNamespaces` variable will both result in the operator watchting all namespaces in the Kube cluster.
+
+### Managing CRDs
+
 #### Helm 3
 
 Helm 3 automatically runs CRDs in the /crds directory, no further action is needed.
 
+If have solr operator installations in multiple namespaces that are managed separately, you will likely want to skip installing CRDs when installing the chart.
+This can be done with the `--skip-crds` helm option.
+
+```console
+$ helm install solr-operator solr-operator/solr-operator --skip-crds --namespace solr
+```
+
+#### Helm 2
+
+If you are using Helm 2, CRDs are installed using the crd-install hook. Prior to installing, you'll need to uncomment the last two lines in [kustomization.yaml](../../config/crd/kustomization.yaml), and run `make manifests`
+
+You will also need to update the install command to use the name flag, as shown below.
+
+```console
+$ helm install --name solr-operator solr-operator/solr-operator
+```
+
 ### Uninstalling the Chart
 
 To uninstall/delete the `solr-operator` deployment:
@@ -85,12 +115,21 @@ The command removes all the Kubernetes components associated with the chart and
 
 ## Chart Values
 
+### Configuring the Solr Operator
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| watchNamespaces | string | `""` | A comma-separated list of namespaces that the solr operator should watch. If empty, the solr operator will watch all namespaces in the cluster. If set to `true`, this will be populated with the namespace that the operator is deployed to. |
+| ingressBaseDomain | string | `""` | If you have a base domain that points to your ingress controllers for this kubernetes cluster, you can provide this. SolrClouds will then begin to use ingresses that utilize this base domain. E.g. `solrcloud-test.<base.domain>` |
+| useZkOperator | string | `"true"` | This option enables the use of provided Zookeeper instances for SolrClouds |
+| useEtcdOperator | string | `"false"` | This option enables the use of provided Zetcd instances for SolrClouds |
+
 ### Running the Solr Operator
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | image.repository | string | `"bloomberg/solr-operator"` | The repository of the Solr Operator image |
-| image.tag | string | `"v0.2.1"` | The tag/version of the Solr Operator to run |
+| image.tag | string | `"v0.2.5"` | The tag/version of the Solr Operator to run |
 | image.pullPolicy | string | `"Always"` |  |
 | fullnameOverride | string | `""` | A custom name for the Solr Operator Deployment |
 | nameOverride | string | `""` |  |
@@ -99,11 +138,6 @@ The command removes all the Kubernetes components associated with the chart and
 | resources.limits.memory | string | `"500Mi"` |  |
 | resources.requests.cpu | string | `"100m"` |  |
 | resources.requests.memory | string | `"100Mi"` |  |
-
-### Configuring the Solr Operator
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| ingressBaseDomain | string | `""` | If you have a base domain that points to your ingress controllers for this kubernetes cluster, you can provide this. SolrClouds will then begin to use ingresses that utilize this base domain. E.g. `solrcloud-test.<base.domain>` |
-| useZkOperator | string | `"true"` | This option enables the use of provided Zookeeper instances for SolrClouds |
-| useEtcdOperator | string | `"false"` | This option enables the use of provided Zetcd instances for SolrClouds |
+| rbac.create | boolean | true | Create the necessary RBAC rules, whether cluster-wide or namespaced, for the Solr Operator. |
+| serviceAccount.create | boolean | true | Create a serviceAccount to be used for this operator. This serviceAccount will be given the permissions specified in the operator's RBAC rules. |
+| serviceAccount.name | string | "" | If `serviceAccount.create` is set to `false`, the name of an existing serviceAccount in the target namespace **must** be provided to run the Solr Operator with. This serviceAccount with be given the operator's RBAC rules. | 

helm/solr-operator/templates/_helpers.tpl

@@ -29,4 +29,42 @@ Create chart name and version as used by the chart label.
 */}}
 {{- define "solr-operator.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "solr-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "solr-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ required "Must provide a serviceAccount.name if serviceAccount.create is set to false" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the namespaces to watch (empty if the operator should watch the entire cluster).
+If .Values.watchNamespaces = true, then use the release namespace.
+If .Values.watchNamespaces is a string, use it.
+If .Values.watchNamespaces is empty or false, return empty.
+*/}}
+{{- define "solr-operator.watchNamespaces" -}}
+{{- if .Values.watchNamespaces -}}
+{{- if kindIs "bool" .Values.watchNamespaces -}}
+{{ .Release.Namespace }}
+{{- else -}}
+{{ .Values.watchNamespaces }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Determine whether to use ClusterRoles or Roles
+*/}}
+{{- define "solr-operator.roleType" -}}
+{{- if .Values.watchNamespaces -}}
+    Role
+{{- else -}}
+    ClusterRole
+{{- end -}}
 {{- end -}}

helm/solr-operator/templates/deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "solr-operator.fullname" . }}
-  namespace: {{ .Release.Namespace }}
   labels:
     control-plane: solr-operator
     controller-tools.k8s.io: "1.0"
@@ -20,20 +19,32 @@ spec:
         control-plane: solr-operator
         controller-tools.k8s.io: "1.0"
     spec:
-      serviceAccountName: solr-operator
+      serviceAccountName: {{ include "solr-operator.serviceAccountName" . }}
       containers:
       - name: {{ .Chart.Name }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         args:
         - -zk-operator={{ .Values.useZkOperator }}
         - -etcd-operator={{ .Values.useEtcdOperator }}
-        - -ingress-base-domain={{ .Values.ingressBaseDomain }}
+        {{- if .Values.ingressBaseDomain }}
+        - --ingress-base-domain={{ .Values.ingressBaseDomain }}
+        {{- end }}
+        {{- if .Values.watchNamespaces }}
+        - --watch-namespaces={{- include "solr-operator.watchNamespaces" . -}}
+        {{- end }}
         env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          {{- if .Values.envVars }}
+          {{- toYaml .Values.envVars | nindent 10 }}
+          {{- end }}
         resources:
-            {{- toYaml .Values.resources | nindent 12 }} 
-      terminationGracePeriodSeconds: 10
+          {{- toYaml .Values.resources | nindent 10 }}
+      terminationGracePeriodSeconds: 10

helm/solr-operator/templates/role.yaml

@@ -1,10 +1,13 @@
+{{- if .Values.rbac.create }}
+{{- range $namespace := (split "," (include "solr-operator.watchNamespaces" $)) }}
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ include "solr-operator.roleType" $ }}
 metadata:
   creationTimestamp: null
-  name: solr-operator-role
+  name: {{ include "solr-operator.fullname" $ }}-role
+  namespace: {{ $namespace }}
 rules:
 - apiGroups:
   - ""
@@ -300,3 +303,6 @@ rules:
   - get
   - patch
   - update
+
+{{- end }}
+{{- end }}

helm/solr-operator/templates/role_binding.yaml

@@ -1,12 +1,18 @@
+{{- if .Values.rbac.create }}
+{{- range $namespace := (split "," (include "solr-operator.watchNamespaces" $)) }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ include "solr-operator.roleType" $ }}Binding
 metadata:
-  name: solr-operator-rolebinding
+  name: {{ include "solr-operator.fullname" $ }}-rolebinding
+  namespace: {{ $namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: solr-operator-role
+  kind: {{ include "solr-operator.roleType" $ }}
+  name: {{ include "solr-operator.fullname" $ }}-role
 subjects:
-- kind: ServiceAccount
-  name: solr-operator
-  namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: {{ include "solr-operator.serviceAccountName" $ }}
+    namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}

helm/solr-operator/templates/service_account.yaml

@@ -1,5 +1,6 @@
+{{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: solr-operator
-  namespace: {{ .Release.Namespace }}
+  name: {{ include "solr-operator.serviceAccountName" . }}
+{{- end }}

helm/solr-operator/values.yaml

@@ -12,15 +12,32 @@ image:
 nameOverride: ""
 fullnameOverride: ""
 
-
 useZkOperator: "true"
 useEtcdOperator: "false"
 ingressBaseDomain: ""
 
+# A comma-separated list of namespaces that the operator should watch.
+# If empty, the solr operator will watch all namespaces in the cluster.
+watchNamespaces: ""
+
+rbac:
+  # Specifies whether RBAC resources should be created
+  create: true
+
+serviceAccount:
+  # Specifies whether a ServiceAccount should be created
+  create: true
+  # The name of the ServiceAccount to use.
+  # Required if create is false.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
 resources:
   limits:
     cpu: 400m
     memory: 500Mi
   requests:
     cpu: 100m
     memory: 100Mi
+
+envVars: []