Helm chart update

deploy/helm/pulumi-operator/Chart.yaml

@@ -9,8 +9,8 @@ icon: https://www.pulumi.com/logos/brand/avatar-on-white.svg
 
 type: application
 
-version: 0.9.0
-appVersion: 1.14.0
+version: 2.0.0
+appVersion: "v2.0-devel"
 
 keywords:
   - pulumi

deploy/helm/pulumi-operator/templates/clusterrole.yaml

@@ -1,19 +1,193 @@
-{{- if .Values.createClusterRole }}
+{{- if and .Values.rbac.create .Values.rbac.createClusterRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "pulumi-kubernetes-operator.fullname" . }}
+  name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager
   labels:
   {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
 rules:
-  {{- if .Values.clusterRoleRules.enabled }}
-    {{- toYaml .Values.clusterRoleRules.rules | nindent 2 }}
-  {{- else }}
-  - apiGroups:
-      - '*'
-    resources:
-      - '*'
-    verbs:
-      - '*'
+  {{- if .Values.rbac.extraRules }}
+    {{- toYaml .Values.rbac.extraRules | nindent 2 }}
   {{- end }}
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - auto.pulumi.com
+  resources:
+  - updates
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - auto.pulumi.com
+  resources:
+  - updates/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - auto.pulumi.com
+  resources:
+  - updates/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - auto.pulumi.com
+  resources:
+  - workspaces
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - auto.pulumi.com
+  resources:
+  - workspaces/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - auto.pulumi.com
+  resources:
+  - workspaces/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - pulumi.com
+  resources:
+  - programs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - pulumi.com
+  resources:
+  - programs/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - pulumi.com
+  resources:
+  - programs/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - pulumi.com
+  resources:
+  - stacks
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - pulumi.com
+  resources:
+  - stacks/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - pulumi.com
+  resources:
+  - stacks/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - source.toolkit.fluxcd.io
+  resources:
+  - buckets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - source.toolkit.fluxcd.io
+  resources:
+  - gitrepositories
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - source.toolkit.fluxcd.io
+  resources:
+  - ocirepositories
+  verbs:
+  - get
+  - list
+  - watch
 {{- end }}

deploy/helm/pulumi-operator/templates/clusterrolebinding.yaml

@@ -1,17 +1,16 @@
-{{- if .Values.createClusterRole }}
+{{- if and .Values.rbac.create .Values.rbac.createClusterRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "pulumi-kubernetes-operator.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
   labels:
-    {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
+  {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager
 subjects:
   - kind: ServiceAccount
     name: {{ include "pulumi-kubernetes-operator.serviceAccountName" . }}
     namespace: {{ .Release.Namespace | quote }}
-roleRef:
-  kind: ClusterRole
-  name: {{ include "pulumi-kubernetes-operator.fullname" . }}
-  apiGroup: rbac.authorization.k8s.io
 {{- end }}

deploy/helm/pulumi-operator/templates/deployment.yaml

@@ -5,28 +5,24 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  name: {{ include "pulumi-kubernetes-operator.fullname" . }}
+  name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager
   labels:
   {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
   strategy:
-    type: {{ .Values.deploymentStrategy }}
+    type: {{ default "RollingUpdate" .Values.deploymentStrategy }}
   selector:
     matchLabels:
     {{- include "pulumi-kubernetes-operator.selectorLabels" . | nindent 6 }}
-      app: {{ template "pulumi-kubernetes-operator.name" . }}
-      release: {{ .Release.Name }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
       annotations:
+        kubectl.kubernetes.io/default-container: manager
+      {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        name: {{ template "pulumi-kubernetes-operator.name" . }}
-        app: {{ template "pulumi-kubernetes-operator.name" . }}
-        release: {{ .Release.Name }}
       {{- include "pulumi-kubernetes-operator.selectorLabels" . | nindent 8 }}
       {{- if .Values.podLabels }}
         {{ toYaml .Values.podLabels | indent 8 }}
@@ -36,35 +32,36 @@ spec:
       {{- if .Values.extraSidecars }}
       {{- toYaml .Values.extraSidecars  | nindent  8 }}
       {{- end}}
-      - args:
-        {{- with .Values.controller.args }}
-        {{- toYaml . | nindent 10 }}
-        {{- end }}
+      - name: manager
+        command:
+        - /manager
+        args:
+        - --leader-elect
+        - --health-probe-bind-address=:8081
+        - --metrics-bind-address=:8383
+        - --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE).svc.cluster.local
+        - --zap-log-level={{ .Values.controller.logLevel }}
+        - --zap-time-encoding=iso8601
         env:
         {{- if .Values.extraEnv }}
         {{- toYaml .Values.extraEnv  | nindent 8 }}
         {{- end }}
-        - name: WATCH_NAMESPACE
+        - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: OPERATOR_NAME
-          value: {{ include "pulumi-kubernetes-operator.name" . }}
-        - name: GRACEFUL_SHUTDOWN_TIMEOUT_DURATION
-          value: {{ .Values.controller.gracefulShutdownTimeoutDuration }}
-        - name: MAX_CONCURRENT_RECONCILES
-          value: {{ .Values.controller.maxConcurrentReconciles | quote }}
-        - name: PULUMI_INFER_NAMESPACE
-          value: {{ .Values.controller.pulumiInferNamespace | quote }}
-        - name: KUBERNETES_CLUSTER_DOMAIN
-          value: {{ .Values.controller.kubernetesClusterDomain }}
-        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:v{{ .Values.image.tag | default .Chart.AppVersion }}"
+        ports:
+        - containerPort: 8383
+          name: http-metrics
+          protocol: TCP
+        - containerPort: 9090
+          name: http-fileserver
+          protocol: TCP
+        {{- if .Values.extraPorts }}
+        {{- toYaml .Values.extraPorts  | nindent 8 }}
+        {{- end }}
+        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: {{ .Chart.Name }}
         {{- if .Values.securityContext }}
         securityContext:
         {{- toYaml .Values.securityContext | nindent 12 }}
@@ -73,12 +70,22 @@ spec:
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
         {{- end }}
-        volumeMounts:
         {{- with .Values.extraVolumeMounts }}
+        volumeMounts:
         {{- toYaml . | nindent 8 }}
         {{- end }}
-        - mountPath: /tmp
-          name: tmp-dir
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -109,9 +116,7 @@ spec:
         {{- toYaml . | nindent 6 }}
       {{- end }}
       {{- end }}
-      volumes:
       {{- with .Values.extraVolumes }}
+      volumes:
         {{- toYaml . | nindent 6 }}
       {{- end }}
-      - emptyDir: {}
-        name: tmp-dir

deploy/helm/pulumi-operator/templates/edit_clusterrole.yaml

@@ -0,0 +1,22 @@
+{{- if and .Values.rbac.create .Values.rbac.createClusterAggregationRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "pulumi-kubernetes-operator.fullname" . }}-edit
+  labels:
+  {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+  - pulumi.com
+  - auto.pulumi.com
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+{{- end }}