[stable/kanister-operator] RBAC changes and kanister profile creation (…

…helm#6280)

* [stable/kanister-operator] RBAC changes and default profile creation

Provides the option to install a profile CR along with the operator
the profile CR is installed via a subchart

Kanister operator requires access to CRDs and Events.
Add this to the cluster-role.

Fixes kanisterio/kanister#82
fixes kanisterio/kanister#90

* fixing repo url and version requirement

* Fix typo

* remove remote chart with local

* operator version to 0.10.0

* new lines EOF

* Update Chart.yaml

stable/kanister-operator/Chart.yaml

@@ -1,13 +1,13 @@
 apiVersion: v1
 description: Kanister-operator Helm chart for Kubernetes
 name: kanister-operator
-version: 0.2.3
+version: 0.3.0
 home: https://kanister.io/
 maintainers:
   - email: [email protected]
     name: depohmel
   - email: [email protected]
     name: tdmanv
 icon: https://kasten.io/assets/img/kanister-logo.png
-appVersion: v0.2.0
+appVersion: 0.10.0
 source: https://github.com/kanisterio/kanister

stable/kanister-operator/README.md

@@ -4,7 +4,7 @@
 
 Kanister is a framework that enables application-level data management on Kubernetes. It allows domain experts to capture application specific data management tasks via blueprints, which can be easily shared and extended. The framework takes care of the tedious details surrounding execution on Kubernetes and presents a homogeneous operational experience across applications at scale.
 
-## TL;DR
+## TL;DR;
 
 ```console
 $ helm install stable/kanister-operator
@@ -41,7 +41,7 @@ The command removes all the Kubernetes components associated with the chart and
 
 ## Configuration
 
-The following table lists the configurable parameters of the nginx-ingress chart and their default values.
+The following table lists the configurable parameters of the kanister-operator chart and their default values.
 
 Parameter | Description | Default
 --- | --- | ---
@@ -51,13 +51,32 @@ Parameter | Description | Default
 `image.repository` | controller container image repository | `kanisterio/controller`
 `image.tag` | controller container image tag | `v0.2.0`
 `image.pullPolicy` | controller container image pull policy | `IfNotPresent`
-`resources` | k8s pod resources | `None`
-
-Specify each parameter you'd like to override using a YAML file as described above in the [installation](#installing-the-chart) section.
+`resources` | k8s pod resorces | `None`
+`profile.create` | flag to indicate creation of profile | `false`
+`profile.defaultProfile` | flag to create fallback profile for the namespace | `false`
+`profile.defaultProfileName` | profile name used when creating defaultProfile | `default-profile`
+`profile.profileName` | profile name to be used when not creating a defaultProfile | `None`
+`profile.s3.bucket` | s3 bucket, required if creating a profile | `None`
+`profile.s3.endpoint` | Endpoint to the s3 bucket | `None`
+`profile.s3.prefix` | Prefix to the s3 bucket | `None`
+`profile.s3.region` | Region of the s3 bucket <us-west-1, us-east-1 etc> | `None`
+`profile.s3.accessKey` | aws access key id, required if creating a profile | `None`
+`profile.s3.secretKey` | aws secret access key, required if creating a profile | `None`
+`profile.verifySSL` | flag to verify ssl certs | `true`
+
+Specify each parameter you'd like to override using a YAML file as described above in the [installation](#Installing the Chart) section.
 
 You can also specify any non-array parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
 ```console
 $ helm install stable/kanister-operator --name my-release \
     --set rbac.create=false
 ```
+
+To install a default S3 profile with the operator, you can use the following command:
+
+```console
+$ helm install stable/kanister-operator --name my-release \
+    --set profile.create=true,profile.defaultProfile=true, \
+    profile.s3.bucket=<aws_bucket>,profile.s3.accessKey=<aws_access_key>,profile.s3.secretKey=<aws_secret_access_key>
+```

stable/kanister-operator/charts/profile/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

stable/kanister-operator/charts/profile/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+description: A helm chart to create profile custom resource for kanister
+engine: gotpl
+maintainers:
+- email: [email protected]
+  name: tdmanv
+- email: [email protected]
+  name: depohmel
+name: profile
+version: 0.9.0

stable/kanister-operator/charts/profile/README.md

@@ -0,0 +1,72 @@
+# Profile CustomResource
+
+Profile CustomResources (CRs) are used to provide configuration information to
+[Kanister](https://kansiter.io), a framework that enables application-level data
+management on Kubernetes.
+
+## TL;DR;
+
+```bash
+# Add the Kanister helm repo
+$ helm repo add kanister https://charts.kanister.io/
+
+# Create a Profile with the default name in the kanister namespace
+$ helm install kanister/profile --namespace kanister \
+     --set defaultProfile=true \
+     --set s3.accessKey="${AWS_ACCESS_KEY}" \
+     --set s3.secretKey="${AWS_SECRET_KEY}" \
+     --set s3.bucket='my-kanister-bucket'
+```
+
+## Overview
+
+This chart installs a Profile CR for [Kanister](http://kanister.io) using the
+[Helm](https://helm.sh) package manager.
+
+Profiles provide strongly-typed configuration for Kanister.  Because a Profile
+is structured, the Kanister framework is able to provide support for advanced
+features. Rather than relying on one-off implementations in Blueprints that
+consume ConfigMaps Kanister introspect and use configuration from Profiles.
+
+The schema for Profiles is specified by the CustomResourceDefinition (CRD),
+which can be found [here](https://github.com/kanisterio/kanister/blob/master/pkg/apis/cr/v1alpha1/types.go#L234).
+
+Currently Profiles can be used to configure access to object storage compatible
+with the [S3 protocol](https://docs.aws.amazon.com/AmazonS3/latest/API/Welcome.html).
+
+## Prerequisites
+
+- Kubernetes 1.7+ with Beta APIs enabled or 1.9+ without Beta APIs.
+- Kanister version 0.8.0 with `profiles.cr.kanister.io` CRD installed
+
+> **Note**: The Kanister controller will create the Profile CRD at Startup.
+
+## Configuration
+
+The following table lists the configurable PostgreSQL Kanister blueprint and
+Profile CR parameters and their default values. The Profile CR parameters are
+passed to the profile sub-chart.
+
+| Parameter        | Description                                                                                                                        | Default   |
+| ---              | ---                                                                                                                                | ---       |
+| `defaultProfile` | (Optional) Set to ``true`` to create a profile with name `default-profile`.                                                        | ``false`` |
+| `profileName`    | (Required if `! defaultProfile`) Name of the Profile CR.                                                                           | `nil`     |
+| `s3.accessKey`   | (Required) API Key for an s3 compatible object store.                                                                              | `nil`     |
+| `s3.secretKey`   | (Required) Corresponding secret for `accessKey`.                                                                                   | `nil`     |
+| `s3.bucket`      | (Required) Bucket used to store Kanister artifacts.<br><br>The bucket must already exist.                                          | `nil`     |
+| `s3.region`      | (Optional) Region to be used for the bucket.                                                                                       | `nil`     |
+| `s3.endpoint`    | (Optional) The URL for an s3 compatible object store provider. Can be omitted if provider is AWS. Required for any other provider. | `nil`     |
+| `verifySSL`      | (Optional) Set to ``false`` to disable SSL verification on the s3 endpoint.                                                        | `true`    |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm
+install`. For example:
+
+```bash
+$ helm install kanister/profile my-profile-release --namespace kanister \
+     --set profileName='my-profile' \
+     --set s3.endpoint='https://my-custom-s3-provider:9000' \
+     --set s3.accessKey="${AWS_ACCESS_KEY}" \
+     --set s3.secretKey="${AWS_SECRET_KEY}" \
+     --set s3.bucket='my-kanister-bucket'
+     --set s3.verifySSL='true'
+```

stable/kanister-operator/charts/profile/templates/NOTES.txt

@@ -0,0 +1,3 @@
+{{ if .Values.create }}
+This chart created a profile with name {{ template "profile.profileName" .}}
+{{ end }}

stable/kanister-operator/charts/profile/templates/_helpers.tpl

@@ -0,0 +1,42 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "profile.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Name of the profile to create
+*/}}
+{{- define "profile.profileName" -}}
+{{- if .Values.defaultProfile -}}
+    {{ .Values.defaultProfileName }}
+{{- else -}}
+    {{- required "If not creating a default profile, please provide a name for the profile by setting the parameter profileName" .Values.profileName -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "profile.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "profile.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Helm required labels */}}
+{{- define "profile.helmLabels" -}}
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+chart: {{ template "profile.chart" . }}
+app: {{ template "profile.name" . }}
+{{- end -}}

stable/kanister-operator/charts/profile/templates/profile.yaml

@@ -0,0 +1,38 @@
+{{ if .Values.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "profile.profileName" . }}-creds
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "profile.helmLabels" . | indent 4 }}
+type: Opaque
+data:
+  access_key_id: {{ required "Cloud provider API key is required when configuring a profile." .Values.s3.accessKey | b64enc | quote }}
+  secret_access_key: {{ required "Cloud provider API secret is required when configuring a profile." .Values.s3.secretKey | b64enc | quote }}
+---
+apiVersion: cr.kanister.io/v1alpha1
+kind: Profile
+metadata:
+  name: {{ template "profile.profileName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "profile.helmLabels" . | indent 4 }}
+location:
+  type: s3Compliant
+  s3Compliant:
+    bucket: {{ required "S3 compatible bucket is required when configuring a profile." .Values.s3.bucket | quote }}
+    endpoint: {{ .Values.s3.endpoint | quote }}
+    prefix: {{ .Values.s3.prefix | quote }}
+    region: {{ .Values.s3.region | quote }}
+credential:
+  type: keyPair
+  keyPair:
+    idField: access_key_id
+    secretField: secret_access_key
+    secret:
+      apiVersion: v1
+      name: {{ template "profile.profileName" . }}-creds
+      namespace: {{ .Release.Namespace }}
+skipSSLVerify: {{ not .Values.verifySSL }}
+{{ end }}

stable/kanister-operator/charts/profile/values.yaml

@@ -0,0 +1,15 @@
+# Default values for kanister-profile.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+defaultProfile: true
+defaultProfileName: default-profile
+profileName:
+# s3 properties
+s3:
+  bucket:
+  endpoint:
+  prefix:
+  region:
+  accessKey:
+  secretKey:
+verifySSL: true

stable/kanister-operator/templates/rbac.yaml

@@ -6,12 +6,24 @@ metadata:
 {{ include "kanister-operator.helmLabels" . | indent 4 }}
   name: {{ template "kanister-operator.fullname" . }}-cluster-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - '*'
 - apiGroups:
   - cr.kanister.io
   resources:
-  - "*"
+  - '*'
   verbs:
-  - "*"
+  - '*'
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1

stable/kanister-operator/values.yaml

@@ -3,13 +3,22 @@
 # Declare variables to be passed into your templates.
 image:
   repository: kanisterio/controller
-  tag: v0.2.0
+  tag: 0.10.0
   pullPolicy: IfNotPresent
 rbac:
   create: true
 serviceAccount:
   create: true
   name:
+# Configuration for the kanister profile dependency chart
+profile:
+  create: false
+  # Used to indicate whether to create a default profile
+  defaultProfile: false
+  # Profile name used when defaultProfile is true
+  defaultProfileName: default-profile
+  # If not creating a defaultProfile, should set the profile name
+  profileName:
 
 resources:
 # We usually recommend not to specify default resources and to leave this as a conscious