diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f3850b6615f510812a808a3b446e005622018386..aeab6f3a415ef7c464b0a4c53767b33b1de97dba 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -77,7 +77,6 @@ lint_package: - install_tiller - create_secret - install_external_dns "${DNS_PROVIDER}" "${KUBE_INGRESS_BASE_DOMAIN}" - - if ! crdExists || previousDeployFailed ; then OPERATOR_BOOTSTRAP=true deploy ; fi - deploy - add_license - echo "export QA_ENVIRONMENT_URL=gitlab-$CI_ENVIRONMENT_SLUG.$KUBE_INGRESS_BASE_DOMAIN" >> "${VARIABLES_FILE}" @@ -217,7 +216,6 @@ stop_review_eks: - ensure_namespace - install_tiller - create_secret - - if ! crdExists || previousDeployFailed ; then OPERATOR_BOOTSTRAP=true deploy ; fi - deploy - delete canary - echo "export QA_ENVIRONMENT_URL=gitlab.$KUBE_INGRESS_BASE_DOMAIN" >> "${VARIABLES_FILE}" @@ -428,11 +426,8 @@ check_docs_internal_links: helm repo add gitlab https://charts.gitlab.io/ helm dep update . - # If OPERATOR_BOOTSTRAP is set, we _do not_ want to use --wait / --timeout - WAIT="--wait --timeout 600" - if [ -n "${OPERATOR_BOOTSTRAP}" ]; then - WAIT="" - fi + # When CRD manager is enabled, we _do not_ use --wait + WAIT="--timeout 600" helm upgrade --install \ $WAIT \ @@ -450,7 +445,6 @@ check_docs_internal_links: --set redis.resources.requests.cpu=100m \ --set minio.resources.requests.cpu=100m \ --set global.operator.enabled=true \ - --set global.operator.bootstrap=${OPERATOR_BOOTSTRAP-false} \ --set gitlab.operator.crdPrefix="$CI_ENVIRONMENT_SLUG" \ --namespace="$KUBE_NAMESPACE" \ --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ diff --git a/changelogs/unreleased/1234-crd-hook.yml b/changelogs/unreleased/1234-crd-hook.yml new file mode 100644 index 0000000000000000000000000000000000000000..09558b992f297743707f913d947381b0c625730e --- /dev/null +++ b/changelogs/unreleased/1234-crd-hook.yml @@ -0,0 +1,5 @@ +--- +title: Reduce the install steps for the Operator to a single command +merge_request: 784 +author: +type: performance 
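Review bot: In the third hunk, `WAIT="--timeout 600"` drops `--wait` for every deploy, so `deploy` presumably now returns once Helm has submitted the release and run its hooks, not when the workloads are ready. The steps that follow it in the first hunk (`add_license`, then the `QA_ENVIRONMENT_URL` export) may therefore run against an instance that is still starting. Their bodies are outside this diff, so confirm that they poll for readiness, or add an explicit readiness wait after `deploy`. The new comment says "When CRD manager is enabled" although the assignment is unconditional, and the variable no longer carries a wait flag; `# --wait cannot be combined with the CRD hooks, so only bound each operation` and a name such as `HELM_TIMEOUT` would describe it better. The enclosing deploy function starts and ends outside the hunk.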
diff --git a/charts/gitlab/charts/operator/templates/crd.yaml b/charts/gitlab/charts/operator/templates/_crd.yaml similarity index 97% rename from charts/gitlab/charts/operator/templates/crd.yaml rename to charts/gitlab/charts/operator/templates/_crd.yaml index ee23e5fbbe95ea708aca4395bed0ae3f0582b6e1..67338a9cff68e226aa14627c2aafb936b808e795 100644 --- a/charts/gitlab/charts/operator/templates/crd.yaml +++ b/charts/gitlab/charts/operator/templates/_crd.yaml @@ -1,4 +1,3 @@ -{{- if .Values.global.operator.enabled }} apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: @@ -69,4 +68,3 @@ spec: status: type: object version: v1beta1 -{{- end }} diff --git a/charts/gitlab/charts/operator/templates/_manage_crd.sh b/charts/gitlab/charts/operator/templates/_manage_crd.sh new file mode 100644 index 0000000000000000000000000000000000000000..12a30afd98e2526b6683ad04fc33d5a3bbf703b6 --- /dev/null +++ b/charts/gitlab/charts/operator/templates/_manage_crd.sh 
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+_CRD_NAME='{{ template "gitlab.operator.crdName" . }}'
+
+createCRD() {
+ kubectl apply -f "$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )/crd.yaml"
+
+ printf 'Waiting for CRD `%s` to become available ...\n' "$_CRD_NAME"
+ _cnt=0
+ _max=10 # roughly 10s
+ while [ $_cnt -lt $_max ]; do
+ _out="$( kubectl get crd $_CRD_NAME 2>&1 )"
+ [ "$?" = "0" ] && {
+ printf 'CRD `%s` is available and ready to use.\n' "$_CRD_NAME"
+ exit 0
+ }
+ [[ ! "$_out" =~ \(NotFound\) ]] && {
+ printf 'Premature failure in CRD lookup. Reason: \n\t[kubectl] %s\n' "$_out"
+ exit 2
+ }
+ let _cnt=_cnt+1
+ sleep 1
+ done
+
+ printf 'Timed out. CRD `%s` did not become available in time' "$_CRD_NAME"
+ exit 1
+}
+
+deleteCRD() {
+ _out="$( kubectl delete crd $_CRD_NAME 2>&1 )"
+ [ "$?" = "0" ] && {
+ printf 'CRD `%s` is deleted.\n' "$_CRD_NAME"
+ exit 0
+ }
+ printf 'WARNING: Failed to delete CRD. Reason: \n\t[kubectl] %s\n' "$_out"
+ exit 2
+}
+
+if [ "$1" == "delete" ]; then
+ printf 'Deleting CRD `%s` ...\n' "$_CRD_NAME"
+ deleteCRD
+else
+ printf 'Creating CRD `%s` ...\n' "$_CRD_NAME"
+ createCRD
+fi
\ No newline at end of file
diff --git a/charts/gitlab/charts/operator/templates/crd_jobs.yaml b/charts/gitlab/charts/operator/templates/crd_jobs.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a12a589a05d37bcf60c48aee5ab7cb318d4a9618
--- /dev/null
+++ b/charts/gitlab/charts/operator/templates/crd_jobs.yaml
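Review bot: `kubectl get crd $_CRD_NAME` in createCRD and `kubectl delete crd $_CRD_NAME` in deleteCRD expand the name unquoted, so a rendered name that is empty or contains whitespace is split into extra kubectl arguments, and the script runs under a service account that may delete CRDs cluster-wide. Quote both, `_out="$( kubectl get crd "$_CRD_NAME" 2>&1 )"` and `_out="$( kubectl delete crd "$_CRD_NAME" 2>&1 )"`, and fail early with `: "${_CRD_NAME:?CRD name is empty}"` right after the assignment. The name is rendered by Helm into a single-quoted shell literal, so the `gitlab.operator.crdName` template (not visible here) presumably has to keep it to DNS-name characters; that is worth confirming because the prefix is a chart value. Separately, the timeout message has no trailing `\n` and the failure messages go to stdout; adding `>&2` on those `printf` lines would make failed hook logs easier to read.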
@@ -0,0 +1,139 @@ +{{- if and .Values.global.operator.enabled .Values.crdManager.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "fullname" . }}-crd + namespace: {{ .Release.Namespace }} + labels: +{{ include "gitlab.standardLabels" $ | indent 4 }} + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-delete + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "fullname" . }}-crd + labels: +{{ include "gitlab.standardLabels" $ | indent 4 }} + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-delete + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "fullname" . }}-crd + labels: +{{ include "gitlab.standardLabels" $ | indent 4 }} + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-delete + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "fullname" . }}-crd +subjects: +- kind: ServiceAccount + name: {{ template "fullname" . }}-crd + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }}-crd + namespace: {{ .Release.Namespace }} + labels: +{{ include "gitlab.standardLabels" . | indent 4 }} + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-delete + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation +data: + crd.yaml: |- +{{ include (print $.Template.BasePath "/_crd.yaml") . 
| indent 4 }} + manage-crd.sh: | +{{ include (print $.Template.BasePath "/_manage_crd.sh") . | indent 4 }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "fullname" . }}-crd + namespace: {{ .Release.Namespace }} + labels: +{{ include "gitlab.standardLabels" . | indent 4 }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "-4" + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "fullname" . }}-crd-manager + labels: + release: {{ .Release.Name }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "fullname" . }}-crd + containers: + - name: manage-crd + image: "{{ .Values.crdManager.image.repository }}:{{ .Values.crdManager.image.tag }}" + {{ template "gitlab.imagePullPolicy" . }} + command: ["/bin/bash", "/scripts/manage-crd.sh"] + volumeMounts: + - name: scripts + mountPath: /scripts + volumes: + - name: scripts + configMap: + name: {{ template "fullname" . }}-crd +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "fullname" . }}-delete-crd + namespace: {{ .Release.Namespace }} + labels: +{{ include "gitlab.standardLabels" . | indent 4 }} + annotations: + helm.sh/hook: post-delete + helm.sh/hook-weight: "-4" + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "fullname" . }}-crd-manager + labels: + release: {{ .Release.Name }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "fullname" . }}-crd + containers: + - name: manage-crd + image: "{{ .Values.crdManager.image.repository }}:{{ .Values.crdManager.image.tag }}" + {{ template "gitlab.imagePullPolicy" . }} + command: ["/bin/bash", "/scripts/manage-crd.sh", "delete"] + volumeMounts: + - name: scripts + mountPath: /scripts + volumes: + - name: scripts + configMap: + name: {{ template "fullname" . }}-crd +{{- end }} 
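Review bot: The ClusterRole in this file grants get, list, watch, create, update, patch and delete on every `customresourcedefinitions` object in the cluster, while the script it serves only applies, reads and deletes the single CRD named by `gitlab.operator.crdName`. With the delete policy `hook-succeeded,before-hook-creation`, a failed hook would leave this role, its binding and the service account in place until the next run. Restrict the named verbs with `resourceNames` and keep `create` in a rule of its own, since RBAC cannot restrict create by resource name; whether `list` and `watch` can be dropped depends on the kubectl version in the job image and should be tested. The two Jobs also set no `backoffLimit`, `activeDeadlineSeconds`, resource limits or `securityContext`, which is worth adding for pods that hold cluster-scoped rights.

```yaml
# … unchanged: ClusterRole metadata, labels and hook annotations …
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - {{ template "gitlab.operator.crdName" . }}
  verbs:
  - get
  - update
  - patch
  - delete
# … unchanged: ClusterRoleBinding, ConfigMap and Jobs …
```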
diff --git a/charts/gitlab/charts/operator/templates/operator_deployment.yaml b/charts/gitlab/charts/operator/templates/deployment.yaml similarity index 92% rename from charts/gitlab/charts/operator/templates/operator_deployment.yaml rename to charts/gitlab/charts/operator/templates/deployment.yaml index 8dd93b79f11b02f8a1a6485ad417966674e763a3..2c6ae6b4c7d8870e5866bdd3c997438187a6f73c 100644 --- a/charts/gitlab/charts/operator/templates/operator_deployment.yaml +++ b/charts/gitlab/charts/operator/templates/deployment.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.global.operator.enabled (not .Values.global.operator.bootstrap) }} +{{- if .Values.global.operator.enabled }} apiVersion: apps/v1beta2 kind: Deployment metadata: diff --git a/charts/gitlab/charts/operator/templates/gitlab.yaml b/charts/gitlab/charts/operator/templates/gitlab.yaml index 187dd5ac3e984168f6289d0edf577ce9470d8387..e5f695fb6f7ed46d52fa67850d6579facd9e663b 100644 --- a/charts/gitlab/charts/operator/templates/gitlab.yaml +++ b/charts/gitlab/charts/operator/templates/gitlab.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.global.operator.enabled (not .Values.global.operator.bootstrap) }} +{{- if .Values.global.operator.enabled }} apiVersion: {{ printf "%s/v1beta1" (include "gitlab.operator.groupName" .) }} kind: GitLab metadata: @@ -8,6 +8,10 @@ metadata: revision: "{{ .Release.Revision }}" annotations: gitlab.com/class: {{ .Release.Name }} + {{- if .Values.crdManager.enabled }} + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation + {{- end }} {{ include "gitlab.standardLabels" $ | indent 4 }} name: {{ template "fullname" . }} spec: diff --git a/charts/gitlab/charts/operator/templates/crd_rbac.yaml b/charts/gitlab/charts/operator/templates/rbac.yaml similarity index 100% rename from charts/gitlab/charts/operator/templates/crd_rbac.yaml rename to charts/gitlab/charts/operator/templates/rbac.yaml 
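Review bot: In the second gitlab.yaml hunk, making the GitLab custom resource a `post-install,post-upgrade` hook with `helm.sh/hook-delete-policy: before-hook-creation` means every upgrade deletes the existing object and creates a new one, and Helm no longer tracks it as a regular release resource. How the operator reacts to that delete is not visible in this diff; if it tears down what it manages, each `helm upgrade` would interrupt the running instance, so this should be confirmed and stated next to the annotations, e.g. `# Hook so the CR is created only after the pre-install CRD job; it is deleted and recreated on every upgrade`. On `helm delete` the object is presumably removed only through the post-delete CRD job, so a failed delete job would leave it behind. The metadata block starts and ends outside the hunk.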
diff --git a/charts/gitlab/charts/operator/values.yaml b/charts/gitlab/charts/operator/values.yaml index 234067943f54d370d07e8ea79dda3aa49b5cc603..f05dce75923867b602b6793d94e4a22000822c0b 100644 --- a/charts/gitlab/charts/operator/values.yaml +++ b/charts/gitlab/charts/operator/values.yaml @@ -34,4 +34,14 @@ resources: # A prefix for group name of GitLab CRD. It can be used for distinguishing # different CRDs in a cluster, e.g. for development purposes such GitLab CI. -#crdPrefix: \ No newline at end of file +#crdPrefix: + +crdManager: + # Enables/disables automatic CRD management. By default the it is enabled. + # Disable it if you need/want to manage CRD lifecycle outside the Chart, e.g. + # due to restrictions on cluster-level roles. + enabled: true + image: + repository: registry.gitlab.com/gitlab-org/build/cng/kubectl + tag: v1.9.3 + # pullPolicy: IfNotPresent diff --git a/doc/installation/operator.md b/doc/installation/operator.md index cbed2dc78e3c9c84a647a9d9ca8701c3f5bd8495..4aa0ba8493a113ebcd083ad55c7d11c61ec1248a 100644 --- a/doc/installation/operator.md +++ b/doc/installation/operator.md 
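Review bot: `crdManager.image` is referenced by a mutable tag (`v1.9.3`), and the job templates build the reference as `repository:tag`, so a digest cannot be supplied; this image runs in hook Jobs bound to a ClusterRole over CustomResourceDefinitions, so a re-pushed tag would run with those rights. Consider documenting that here, e.g. `# Runs with cluster-level CRD permissions; use a trusted registry and an immutable tag`, and letting the template accept a digest. `enabled: true` also means every install with the operator enabled creates cluster-scoped RBAC objects by default, which the comment should say outright. Its first line has a typo and could read `# Enables/disables automatic CRD management. Enabled by default.`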
@@ -12,15 +12,16 @@ We provide the flag `global.operator.enabled`, when set to true it enables the o ## Installing using the operator -The operator makes use of Kubernetes CustomResourceDefinitions (CRD). Since Helm will be used for the installation, we need to ensure that this CRD is in place prior to attempting to use it. In order to do this, we have to run an additional command prior to use. +The operator makes use of Kubernetes CustomResourceDefinitions (CRD). Therefore, you need cluster level privilege to install +it. Please note that this privilege is only required for CRD installation. The operator itself does not mandate it. -1. `helm upgrade --install . --set global.operator.enabled=true --set global.operator.bootstrap=true ... ` where `...` shall be replaced by the rest of the values you would like to set. -2. `helm upgrade . --set global.operator.enabled=true --set global.operator.bootstrap=false ...`. +Simply run `helm upgrade --install . --set global.operator.enabled=true ... ` where `...` shall be replaced by the rest of the values you would like to set. Along with everything else, this command will install the CRD, GitLab custom resource, and the operator. -The first command will install only the `CRD` but will not actually attempt to deploy the operator. The second command will deploy the operator itself, now that the CRD is in place. - -**NOTE:** This needs done only the first time you install the operator, further upgrades will follow the normal [upgrade procedures](./upgrade.md) +**NOTE:** When the operator is enabled you can not use `--no-hooks` and `--wait` flags. Otherwise it will fail the installation. **NOTE:** Test new versions of the operator by setting `gitlab.operator.image.tag` to either the branch name of a gitlab-operator container build or a specific tagged release number. **NOTE:** The operator is transitioning from a ClusterRole to a regular Role that operates within a namespace. 
Operator containers after version 0.4 will have this new behavior by default. + +**NOTE:** When the operator is enabled the CRD is managed automatically. It's this particular piece that requires cluster-level privileges. If you need/want to manage CRD installation without Helm, e.g. due to restrictions on cluster-level roles, you can disable automatic CRD management by setting `gitlab.operator.crdManager.enabled` to +`false`. \ No newline at end of file