Skip to content

operator: make templated crds specless #2419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Sep 27, 2025
Merged

operator: make templated crds specless #2419

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
54cee40
crds: move crds to subchart
AndrewChubatiuk Sep 27, 2025
b78cda3
crds: divide chart templates into subcharts
AndrewChubatiuk Sep 14, 2025
bd23ad8
removed CRD template from operator chart
AndrewChubatiuk Sep 15, 2025
bcd24ca
added CRD upgrade job
AndrewChubatiuk Sep 16, 2025
c4474d7
Update charts/victoria-metrics-operator/CHANGELOG.md
AndrewChubatiuk Sep 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion charts/victoria-metrics-operator-crds/charts/crds/crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
../../../victoria-metrics-operator/crd.yaml
../../../victoria-metrics-operator/charts/crds/crds/crd.yaml
7 changes: 6 additions & 1 deletion charts/victoria-metrics-operator/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
## Next release

- Added `securityContext` to the `cleanup` job
**Update node 1**: CRDs generated with `.Values.crds.plain: false` are now specless. For this case operator is fully responsible for VM specs validation. This was done to decrease helm release secret size limit. This change affects `kubectl explain` users and tools, that are rely on CRD specs during input data validation. If this behaviour is not acceptable consider using either `victoria-metrics-operator-crds` chart for CRDs management or set `.Values.crds.plain: true` to use plain CRDs.

- Added `securityContext` to the `cleanup` job.
- Make CRDs, that are rendered using template, specless. This allows to decrease size of k8s secret significantly. If this option is not acceptable for you consider installing CRDs separately using `victoria-metrics-operator-crds` chart or set `.Values.crds.plain: true` and `.Values.crds.upgrade.enabled: true` to use plain CRDs with upgrade job instead.
- Replaced `.Values.admissionWebhooks.enabledCRDValidation` with `.Values.admissionWebhooks.disabledFor` list of CRD names to disable validation for. This change should not affect anyone, since before condition with `.Values.admissionWebhooks.enabledCRDValidation` was not working at all.
- Added CRDs upgrade job, which is only available only for plain CRDs (`.Values.crds.plain: true`). See [#2334](https://github.com/VictoriaMetrics/helm-charts/issues/2334).

## 0.53.0

Expand Down
2 changes: 1 addition & 1 deletion charts/victoria-metrics-operator/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ home: https://github.com/VictoriaMetrics/operator
sources:
- https://github.com/VictoriaMetrics/helm-charts
- https://github.com/VictoriaMetrics/operator
version: 0.53.0
version: 0.54.0
appVersion: v0.63.0
icon: https://avatars.githubusercontent.com/u/43720803?s=200&v=4
kubeVersion: ">=1.25.0-0"
Expand Down
1 change: 0 additions & 1 deletion charts/victoria-metrics-operator/charts/crds/crds/crd.yaml
View file
Open in desktop

This file was deleted.

43,143 changes: 43,143 additions & 0 deletions charts/victoria-metrics-operator/charts/crds/crds/crd.yaml
View file
Open in desktop

Large diffs are not rendered by default.

Binary file added charts/victoria-metrics-operator/charts/crds/files/crd.yaml.bz2
View file
Open in desktop
Binary file not shown.
13 changes: 13 additions & 0 deletions charts/victoria-metrics-operator/charts/crds/templates/_helpers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
{{- define "crds.upgrade.name" -}}
{{- print (include "vm.plain.fullname" .) "-upgrade-crds" }}
{{- end -}}

{{- define "crds.upgrade.serviceAccountName" -}}
{{- $Values := (.helm).Values | default .Values }}
{{- $upgrade := $Values.upgrade }}
{{- if $upgrade.serviceAccount.create -}}
{{ default (include "crds.upgrade.name" .) $upgrade.serviceAccount.name }}
{{- else -}}
{{ default "default" $upgrade.serviceAccount.name }}
{{- end -}}
{{- end -}}
18 changes: 18 additions & 0 deletions charts/victoria-metrics-operator/charts/crds/templates/cm.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{{- if .Values.upgrade.enabled }}
{{- $ctx := dict "helm" . }}
{{- $upgrade := .Values.upgrade }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "crds.upgrade.serviceAccountName" $ctx }}
namespace: {{ template "vm.namespace" $ctx }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-weight": "-2"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- $_ := set $ctx "extraLabels" (dict "app.kubernetes.io/component" "upgrade-crds") }}
labels: {{ include "vm.labels" $ctx | nindent 4 }}
{{- $_ := unset $ctx "extraLabels" }}
binaryData:
crd.yaml.bz2: {{ .Files.Get "files/crd.yaml.bz2" | b64enc }}
{{- end }}
124 changes: 124 additions & 0 deletions charts/victoria-metrics-operator/charts/crds/templates/job.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
{{- if .Values.upgrade.enabled }}
{{- $app := .Values.upgrade }}
{{- if empty (($app.kubectl).image).tag }}
{{- $tag := regexSplit "[+-]" .Capabilities.KubeVersion.Version -1 | first -}}
{{- $_ := set $app.kubectl.image "tag" $tag }}
{{- else if not (kindIs "string" (($app.kubectl).image).tag) }}
{{- fail "`crd.upgrade.kubectl.image.tag` is not string, most probably you need to enquote provided value" -}}
{{- end }}
{{- $ctx := dict "helm" . "noEnterprise" true }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "crds.upgrade.name" $ctx }}
namespace: {{ template "vm.namespace" $ctx }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- with $app.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- $_ := set $ctx "extraLabels" $app.labels }}
{{- $_ := set $ctx.extraLabels "app.kubernetes.io/component" "upgrade-crds" }}
labels: {{ include "vm.labels" $ctx | nindent 4 }}
{{- $_ := unset $ctx "extraLabels" }}
spec:
backoffLimit: 3
template:
metadata:
{{- with $app.podLabels }}
labels: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with $app.podAnnotations }}
annotations: {{ toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with (.Values.imagePullSecrets | default .Values.global.imagePullSecrets) }}
imagePullSecrets: {{ toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "crds.upgrade.serviceAccountName" . }}
{{- if $app.podSecurityContext.enabled }}
securityContext: {{ include "vm.securityContext" (dict "securityContext" $app.podSecurityContext "helm" .) | nindent 8 }}
{{- end }}
initContainers:
- name: busybox
{{- $_ := set $ctx "appKey" (list "upgrade" "busybox") }}
image: {{ include "vm.image" $ctx }}
imagePullPolicy: {{ $app.busybox.image.pullPolicy }}
workingDir: /tmp/
command:
- sh
args:
- -c
- bzcat /crds/crd.yaml.bz2 > /tmp/crd.yaml
{{- with $app.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with $app.securityContext }}
securityContext: {{ toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /crds/
name: crds
- mountPath: /tmp/
name: tmp
{{- with $app.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with $app.env }}
env: {{ toYaml . | nindent 12 }}
{{- end }}
containers:
- name: kubectl
{{- $_ := set $ctx "appKey" (list "upgrade" "kubectl") }}
image: {{ include "vm.image" $ctx }}
imagePullPolicy: {{ $app.kubectl.image.pullPolicy }}
command:
- kubectl
args:
- apply
- --server-side
{{- if $app.forceConflicts }}
- --force-conflicts
{{- end }}
- --filename
- /tmp/crd.yaml
{{- with $app.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with $app.securityContext }}
securityContext: {{ toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /tmp/
name: tmp
{{- with $app.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with $app.env }}
env: {{ toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: tmp
emptyDir: {}
- name: crds
configMap:
name: {{ template "crds.upgrade.name" . }}
{{- with $app.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
{{- with $app.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with $app.tolerations }}
tolerations: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with $app.affinity }}
affinity: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with $app.topologySpreadConstraints }}
topologySpreadConstraints: {{ toYaml . | nindent 8 }}
{{- end }}
{{- end }}
52 changes: 52 additions & 0 deletions charts/victoria-metrics-operator/charts/crds/templates/role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
{{- if .Values.upgrade.enabled }}
{{- $ctx := dict "helm" . }}
{{- $_ := set $ctx "extraLabels" (dict "app.kubernetes.io/component" "upgrade-crds") }}
{{- $labels := include "vm.labels" $ctx }}
{{- $_ := unset $ctx "extraLabels" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "crds.upgrade.name" . }}
namespace: {{ template "vm.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels: {{ $labels | nindent 4 }}
{{- $crds := .Files.Get "crds/crd.yaml" | splitList "---" }}
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
- "customresourcedefinitions"
verbs:
- create
- patch
- update
- get
- list
resourceNames:
{{- range $crds }}
{{- $crd := fromYaml . }}
- {{ $crd.metadata.name }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "crds.upgrade.name" . }}
namespace: {{ template "vm.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-weight": "-3"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels: {{ $labels | nindent 4 }}
subjects:
- kind: ServiceAccount
namespace: {{ template "vm.namespace" . }}
name: {{ template "crds.upgrade.serviceAccountName" . }}
roleRef:
kind: ClusterRole
name: {{ template "crds.upgrade.name" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
24 changes: 24 additions & 0 deletions charts/victoria-metrics-operator/charts/crds/templates/serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{{- $upgrade := .Values.upgrade }}
{{- if and $upgrade.enabled $upgrade.serviceAccount.create }}
{{- $ctx := dict "helm" . }}
{{- $fullname := include "vm.plain.fullname" $ctx }}
{{- $ns := include "vm.namespace" $ctx }}
{{- $sa := $upgrade.serviceAccount }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ $sa.automountServiceAccountToken }}
metadata:
name: {{ include "crds.upgrade.name" . }}
namespace: {{ $ns }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-weight": "-4"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- with $sa.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- $_ := set $ctx "extraLabels" $sa.labels }}
{{- $_ := set $ctx.extraLabels "app.kubernetes.io/component" "upgrade-crds" }}
labels: {{ include "vm.labels" $ctx | nindent 4 }}
{{- $_ := unset $ctx "extraLabels" }}
{{- end }}
2 changes: 2 additions & 0 deletions charts/victoria-metrics-operator/charts/crds/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
upgrade:
enabled: true
Loading