operator-framework · joelanford · Oct 24, 2024 · Oct 31, 2024
@@ -61,6 +61,7 @@ import (
 	"github.com/operator-framework/operator-controller/internal/finalizers"
 	"github.com/operator-framework/operator-controller/internal/httputil"
 	"github.com/operator-framework/operator-controller/internal/resolve"
+	"github.com/operator-framework/operator-controller/internal/rukpak/convert"
 	"github.com/operator-framework/operator-controller/internal/rukpak/preflights/crdupgradesafety"
 	"github.com/operator-framework/operator-controller/internal/rukpak/source"
 	"github.com/operator-framework/operator-controller/internal/scheme"
@@ -88,14 +89,15 @@ func podNamespace() string {
 
 func main() {
 	var (
-		metricsAddr               string
-		enableLeaderElection      bool
-		probeAddr                 string
-		cachePath                 string
-		operatorControllerVersion bool
-		systemNamespace           string
-		caCertDir                 string
-		globalPullSecret          string
+		metricsAddr                string
+		enableLeaderElection       bool
+		probeAddr                  string
+		cachePath                  string
+		operatorControllerVersion  bool
+		systemNamespace            string
+		caCertDir                  string
+		globalPullSecret           string
+		registryV1CertProviderName string
 	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
@@ -108,10 +110,14 @@ func main() {
 	flag.StringVar(&systemNamespace, "system-namespace", "", "Configures the namespace that gets used to deploy system resources.")
 	flag.StringVar(&globalPullSecret, "global-pull-secret", "", "The <namespace>/<name> of the global pull secret that is going to be used to pull bundle images.")
 
+	features.InitializeFromCLIFlags(pflag.CommandLine)
+	if features.OperatorControllerFeatureGate.Enabled(features.RegistryV1WebhookSupport) {
+		flag.StringVar(&registryV1CertProviderName, "registry-v1-cert-provider", "", "Certificate provider to use for registry+v1 webhook certificates")
+	}
+
 	klog.InitFlags(flag.CommandLine)
 
 	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
-	features.OperatorControllerFeatureGate.AddFlag(pflag.CommandLine)
 	pflag.Parse()
 
 	if operatorControllerVersion {
@@ -284,9 +290,16 @@ func main() {
 		crdupgradesafety.NewPreflight(aeClient.CustomResourceDefinitions()),
 	}
 
+	rv1CertProvider, err := convert.CertProviderByName(registryV1CertProviderName)
+	if err != nil {
+		setupLog.Error(err, "failed to load certificate provider")
+		os.Exit(1)
+	}
+
 	applier := &applier.Helm{
 		ActionClientGetter: acg,
 		Preflights:         preflights,
+		ConvertToChartOpts: []convert.ToHelmChartOption{convert.WithCertificateProvider(rv1CertProvider)},
 	}
 
 	cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())

@@ -0,0 +1,155 @@
+annotations:
+  alm-examples: |-
+    [
+      {
+        "apiVersion": "postgresql.cnpg.io/v1",
+        "kind": "Backup",
+        "metadata": {
+          "name": "backup-sample"
+        },
+        "spec": {
+          "cluster": {
+            "name": "cluster-sample"
+          }
+        }
+      },
+      {
+        "apiVersion": "postgresql.cnpg.io/v1",
+        "kind": "Cluster",
+        "metadata": {
+          "name": "cluster-sample"
+        },
+        "spec": {
+          "instances": 3,
+          "logLevel": "info",
+          "primaryUpdateStrategy": "unsupervised",
+          "storage": {
+            "size": "1Gi"
+          },
+          "walStorage": {
+            "size": "1Gi"
+          }
+        }
+      },
+      {
+        "apiVersion": "postgresql.cnpg.io/v1",
+        "kind": "Pooler",
+        "metadata": {
+          "name": "pooler-sample-rw"
+        },
+        "spec": {
+          "cluster": {
+            "name": "cluster-sample"
+          },
+          "instances": 1,
+          "pgbouncer": {
+            "poolMode": "session"
+          },
+          "type": "rw"
+        }
+      },
+      {
+        "apiVersion": "postgresql.cnpg.io/v1",
+        "kind": "ScheduledBackup",
+        "metadata": {
+          "name": "scheduledbackup-sample"
+        },
+        "spec": {
+          "cluster": {
+            "name": "cluster-sample"
+          },
+          "schedule": "0 0 0 * * *"
+        }
+      }
+    ]
+  capabilities: Auto Pilot
+  categories: Database
+  certified: "true"
+  containerImage: ghcr.io/cloudnative-pg/cloudnative-pg@sha256:22fd4647a25a4a97bfa36f322b7188b7fdbce1db28f4197d4d2c84422bebdc08
+  createdAt: "2024-10-16T16:15:22Z"
+  description: CloudNativePG is an open source operator designed to manage highly
+    available PostgreSQL databases with a primary/standby architecture on any supported
+    Kubernetes cluster.
+  features.operators.openshift.io/disconnected: "true"
+  features.operators.openshift.io/fips-compliant: "false"
+  features.operators.openshift.io/proxy-aware: "false"
+  features.operators.openshift.io/tls-profiles: "false"
+  features.operators.openshift.io/token-auth-aws: "false"
+  features.operators.openshift.io/token-auth-azure: "false"
+  features.operators.openshift.io/token-auth-gcp: "false"
+  olm.skipRange: '>= 1.18.0 < 1.24.1'
+  operators.operatorframework.io/builder: operator-sdk-v1.37.0
+  operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
+  repository: https://github.com/cloudnative-pg/cloudnative-pg
+  support: Community
+apiVersion: v2
+description: |
+  Main features:
+
+  * Direct integration with Kubernetes API server for High Availability,
+    without requiring an external tool
+  * Self-Healing capability, through:
+      * failover of the primary instance by promoting the most aligned replica
+      * automated recreation of a replica
+  * Planned switchover of the primary instance by promoting a selected replica
+  * Scale up/down capabilities
+  * Definition of an arbitrary number of instances (minimum 1 - one primary server)
+  * Definition of the *read-write* service, to connect your applications to the only primary server of the cluster
+  * Definition of the *read-only* service, to connect your applications to any of the instances for reading workloads
+  * Declarative management of PostgreSQL configuration
+  * Declarative management of Postgres roles, users and groups
+  * Support for Local Persistent Volumes with PVC templates
+  * Reuse of Persistent Volumes storage in Pods
+  * Separate volume for WAL files
+  * Rolling updates for PostgreSQL minor versions
+  * In-place or rolling updates for operator upgrades
+  * TLS connections and client certificate authentication
+  * Support for custom TLS certificates (including integration with cert-manager)
+  * Continuous WAL archiving to an object store (AWS S3 and S3-compatible, Azure Blob Storage, and Google Cloud Storage)
+  * Backups on volume snapshots (where supported by the underlying storage classes)
+  * Backups on object stores (AWS S3 and S3-compatible, Azure Blob Storage, and Google Cloud Storage)
+  * Full recovery and Point-In-Time recovery from an existing backup on volume snapshots or object stores
+  * Offline import of existing PostgreSQL databases, including major upgrades of PostgreSQL
+  * Fencing of an entire PostgreSQL cluster, or a subset of the instances in a declarative way
+  * Hibernation of a PostgreSQL cluster in a declarative way
+  * Support for Synchronous Replicas
+  * Support for HA physical replication slots at cluster level
+  * Backup from a standby
+  * Backup retention policies (based on recovery window, only on object stores)
+  * Parallel WAL archiving and restore to allow the database to keep up with WAL
+    generation on high write systems
+  * Support tagging backup files uploaded to an object store to enable optional
+    retention management at the object store layer Replica clusters for
+  * PostgreSQL deployments across multiple Kubernetes
+    clusters, enabling private, public, hybrid, and multi-cloud architectures
+  * Connection pooling with PgBouncer
+  * Support for node affinity via `nodeSelector`
+  * Native customizable exporter of user defined metrics for Prometheus through the `metrics` port (9187)
+  * Standard output logging of PostgreSQL error messages in JSON format
+  * Automatically set `readOnlyRootFilesystem` security context for pods
+  * `cnpg` plugin for `kubectl`
+  * Simple bind and search+bind LDAP client authentication
+  * Multi-arch format container images
+keywords:
+- postgresql
+- postgres
+- database
+- sql
+- cloudnativepg
+- cloudnative-pg
+- cnpg
+kubeVersion: '>= 1.23.0'
+maintainers:
+- email: [email protected]
+  name: Jonathan Gonzalez V.
+- email: [email protected]
+  name: Jonathan Battiato
+- email: [email protected]
+  name: Niccolo Fei
+- email: [email protected]
+  name: Gabriele Bartolini
+name: cloudnative-pg
+sources:
+- https://cloudnative-pg.io/
+- https://cloudnative-pg.io/docs/
+version: 1.24.1
@@ -0,0 +1,28 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/cnpg-controller-manager'
+  name: mbackup.cnpg.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: cnpg-controller-manager-service
+      namespace: '{{ .Release.Namespace }}'
+      path: /mutate-postgresql-cnpg-io-v1-backup
+      port: 443
+  failurePolicy: Fail
+  name: mbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - backups
+  sideEffects: None
@@ -0,0 +1,28 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/cnpg-controller-manager'
+  name: mcluster.cnpg.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: cnpg-controller-manager-service
+      namespace: '{{ .Release.Namespace }}'
+      path: /mutate-postgresql-cnpg-io-v1-cluster
+      port: 443
+  failurePolicy: Fail
+  name: mcluster.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusters
+  sideEffects: None
@@ -0,0 +1,28 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/cnpg-controller-manager'
+  name: mscheduledbackup.cnpg.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: cnpg-controller-manager-service
+      namespace: '{{ .Release.Namespace }}'
+      path: /mutate-postgresql-cnpg-io-v1-scheduledbackup
+      port: 443
+  failurePolicy: Fail
+  name: mscheduledbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - scheduledbackups
+  sideEffects: None
@@ -0,0 +1,28 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/cnpg-controller-manager'
+  name: vbackup.cnpg.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: cnpg-controller-manager-service
+      namespace: '{{ .Release.Namespace }}'
+      path: /validate-postgresql-cnpg-io-v1-backup
+      port: 443
+  failurePolicy: Fail
+  name: vbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - backups
+  sideEffects: None
@@ -0,0 +1,28 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/cnpg-controller-manager'
+  name: vcluster.cnpg.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: cnpg-controller-manager-service
+      namespace: '{{ .Release.Namespace }}'
+      path: /validate-postgresql-cnpg-io-v1-cluster
+      port: 443
+  failurePolicy: Fail
+  name: vcluster.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusters
+  sideEffects: None
@@ -0,0 +1,28 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/cnpg-controller-manager'
+  name: vpooler.cnpg.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: cnpg-controller-manager-service
+      namespace: '{{ .Release.Namespace }}'
+      path: /validate-postgresql-cnpg-io-v1-pooler
+      port: 443
+  failurePolicy: Fail
+  name: vpooler.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - poolers
+  sideEffects: None