operator: make templated crds specless (#2419)

* make templated crds specless
* added CRD upgrade job

Co-authored-by: Hui Wang <[email protected]>

Author: AndrewChubatiuk

charts/victoria-metrics-operator-crds/charts/crds/crd.yaml

@@ -1 +1 @@
-../../../victoria-metrics-operator/crd.yaml
+../../../victoria-metrics-operator/charts/crds/crds/crd.yaml

charts/victoria-metrics-operator/CHANGELOG.md

@@ -1,6 +1,11 @@
 ## Next release
 
-- Added `securityContext` to the `cleanup` job
+**Update node 1**: CRDs generated with `.Values.crds.plain: false` are now specless. For this case operator is fully responsible for VM specs validation. This was done to decrease helm release secret size limit. This change affects `kubectl explain` users and tools, that are rely on CRD specs during input data validation. If this behaviour is not acceptable consider using either `victoria-metrics-operator-crds` chart for CRDs management or set `.Values.crds.plain: true` to use plain CRDs.
+
+- Added `securityContext` to the `cleanup` job.
+- Make CRDs, that are rendered using template, specless. This allows to decrease size of k8s secret significantly. If this option is not acceptable for you consider installing CRDs separately using `victoria-metrics-operator-crds` chart or set `.Values.crds.plain: true` and `.Values.crds.upgrade.enabled: true` to use plain CRDs with upgrade job instead.
+- Replaced `.Values.admissionWebhooks.enabledCRDValidation` with `.Values.admissionWebhooks.disabledFor` list of CRD names to disable validation for. This change should not affect anyone, since before condition with `.Values.admissionWebhooks.enabledCRDValidation` was not working at all.
+- Added CRDs upgrade job, which is only available only for plain CRDs (`.Values.crds.plain: true`). See [#2334](https://github.com/VictoriaMetrics/helm-charts/issues/2334).
 
 ## 0.53.0
 

charts/victoria-metrics-operator/Chart.yaml

@@ -6,7 +6,7 @@ home: https://github.com/VictoriaMetrics/operator
 sources:
   - https://github.com/VictoriaMetrics/helm-charts
   - https://github.com/VictoriaMetrics/operator
-version: 0.53.0
+version: 0.54.0
 appVersion: v0.63.0
 icon: https://avatars.githubusercontent.com/u/43720803?s=200&v=4
 kubeVersion: ">=1.25.0-0"

charts/victoria-metrics-operator/charts/crds/crds/crd.yaml

@@ -0,0 +1,13 @@
+{{- define "crds.upgrade.name" -}}
+{{- print (include "vm.plain.fullname" .) "-upgrade-crds" }}
+{{- end -}}
+
+{{- define "crds.upgrade.serviceAccountName" -}}
+{{- $Values := (.helm).Values | default .Values }}
+{{- $upgrade := $Values.upgrade }}
+{{- if $upgrade.serviceAccount.create -}}
+    {{ default (include "crds.upgrade.name" .) $upgrade.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" $upgrade.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

charts/victoria-metrics-operator/charts/crds/crds/crd.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.upgrade.enabled }}
+{{- $ctx := dict "helm" . }}
+{{- $upgrade := .Values.upgrade }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "crds.upgrade.serviceAccountName" $ctx }}
+  namespace: {{ template "vm.namespace" $ctx }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+    "helm.sh/hook-weight": "-2"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  {{- $_ := set $ctx "extraLabels" (dict "app.kubernetes.io/component" "upgrade-crds") }}
+  labels: {{ include "vm.labels" $ctx | nindent 4 }}
+  {{- $_ := unset $ctx "extraLabels" }}
+binaryData:
+  crd.yaml.bz2: {{ .Files.Get "files/crd.yaml.bz2" | b64enc }}
+{{- end }}

charts/victoria-metrics-operator/charts/crds/files/crd.yaml.bz2

@@ -0,0 +1,124 @@
+{{- if .Values.upgrade.enabled }}
+{{- $app := .Values.upgrade }}
+{{- if empty (($app.kubectl).image).tag }}
+  {{- $tag := regexSplit "[+-]" .Capabilities.KubeVersion.Version -1 | first -}}
+  {{- $_ := set $app.kubectl.image "tag" $tag }}
+{{- else if not (kindIs "string" (($app.kubectl).image).tag) }}
+  {{- fail "`crd.upgrade.kubectl.image.tag` is not string, most probably you need to enquote provided value" -}}
+{{- end }}
+{{- $ctx := dict "helm" . "noEnterprise" true }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "crds.upgrade.name" $ctx }}
+  namespace: {{ template "vm.namespace" $ctx }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+    "helm.sh/hook-weight": "5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    {{- with $app.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- $_ := set $ctx "extraLabels" $app.labels }}
+  {{- $_ := set $ctx.extraLabels "app.kubernetes.io/component" "upgrade-crds" }}
+  labels: {{ include "vm.labels" $ctx | nindent 4 }}
+  {{- $_ := unset $ctx "extraLabels" }}
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      {{- with $app.podLabels }}
+      labels: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $app.podAnnotations }}
+      annotations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with (.Values.imagePullSecrets | default .Values.global.imagePullSecrets) }}
+      imagePullSecrets: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "crds.upgrade.serviceAccountName" . }}
+      {{- if $app.podSecurityContext.enabled }}
+      securityContext: {{ include "vm.securityContext" (dict "securityContext" $app.podSecurityContext "helm" .) | nindent 8 }}
+      {{- end }}
+      initContainers:
+        - name: busybox
+          {{- $_ := set $ctx "appKey" (list "upgrade" "busybox") }}
+          image: {{ include "vm.image" $ctx }}
+          imagePullPolicy: {{ $app.busybox.image.pullPolicy }}
+          workingDir: /tmp/
+          command:
+            - sh
+          args:
+            - -c
+            - bzcat /crds/crd.yaml.bz2 > /tmp/crd.yaml
+          {{- with $app.resources }}
+          resources: {{ toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with $app.securityContext }}
+          securityContext: {{ toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - mountPath: /crds/
+              name: crds
+            - mountPath: /tmp/
+              name: tmp
+            {{- with $app.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with $app.env }}
+          env: {{ toYaml . | nindent 12 }}
+          {{- end }}
+      containers:
+        - name: kubectl
+          {{- $_ := set $ctx "appKey" (list "upgrade" "kubectl") }}
+          image: {{ include "vm.image" $ctx }}
+          imagePullPolicy: {{ $app.kubectl.image.pullPolicy }}
+          command:
+            - kubectl
+          args:
+            - apply
+            - --server-side
+            {{- if $app.forceConflicts }}
+            - --force-conflicts
+            {{- end }}
+            - --filename
+            - /tmp/crd.yaml
+          {{- with $app.resources }}
+          resources: {{ toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with $app.securityContext }}
+          securityContext: {{ toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - mountPath: /tmp/
+              name: tmp
+            {{- with $app.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with $app.env }}
+          env: {{ toYaml . | nindent 12 }}
+          {{- end }}
+      volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: crds
+          configMap:
+            name: {{ template "crds.upgrade.name" . }}
+        {{- with $app.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      restartPolicy: OnFailure
+      {{- with $app.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $app.tolerations }}
+      tolerations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $app.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $app.topologySpreadConstraints }}
+      topologySpreadConstraints: {{ toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

charts/victoria-metrics-operator/charts/crds/templates/_helpers.yaml

@@ -0,0 +1,52 @@
+{{- if .Values.upgrade.enabled }}
+{{- $ctx := dict "helm" . }}
+{{- $_ := set $ctx "extraLabels" (dict "app.kubernetes.io/component" "upgrade-crds") }}
+{{- $labels := include "vm.labels" $ctx }}
+{{- $_ := unset $ctx "extraLabels" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "crds.upgrade.name" . }}
+  namespace: {{ template "vm.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels: {{ $labels | nindent 4 }}
+  {{- $crds := .Files.Get "crds/crd.yaml" | splitList "---" }}
+rules:
+  - apiGroups:
+      - "apiextensions.k8s.io"
+    resources:
+      - "customresourcedefinitions"
+    verbs:
+      - create
+      - patch
+      - update
+      - get
+      - list
+    resourceNames:
+      {{- range $crds }}
+        {{- $crd := fromYaml . }}
+      - {{ $crd.metadata.name }}
+      {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "crds.upgrade.name" . }}
+  namespace: {{ template "vm.namespace" . }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
+    "helm.sh/hook-weight": "-3"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels: {{ $labels | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ template "vm.namespace" . }}
+    name: {{ template "crds.upgrade.serviceAccountName" . }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "crds.upgrade.name" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}