feat(deps): update chart emqx-operator (2.2.29 → 2.3.0) #1029

Open: renovate[bot] wants to merge 1 commit into main from renovate/main-emqx-operator-2.x

@renovate renovate Bot commented Apr 16, 2026

This PR contains the following updates:

Package | Update | Change
emqx-operator (source) | minor | 2.2.29 → 2.3.0

Release Notes

emqx/emqx-operator (emqx-operator)

v2.3.0: EMQX Operator 2.3.0

Compare Source

Highlights

  • EMQX Custom Resource Definition (CRD) has been refined and promoted to apps.emqx.io/v2. (#​1148, #​1160, #​1165)
    • EMQX 5.9, 5.10 and 6.x releases are now exclusively supported. (#​1152)
    • CRD apps.emqx.io/v2beta1 is now deprecated, earlier versions are no longer supported.
    • More conventional naming across resource status structures.
  • Operator now supports EMQX Durable Storage maintenance and automatic rebalancing. (#​1128, #​1152)
  • Configuration specified in EMQX CR is now mapped to base.hocon file for predictable configuration management. (#​1156)
  • EMQX Controller has been simplified and optimized for better performance and reliability. (#​1150)
    • Controller does not include any webhooks now, and there's no dependency on cert-manager anymore.

Fixes & Improvements

  • Corrected an issue where ownerRef could be lost during resource updates. (#​1163)
  • Ensured that configuration changes are now applied consistently. (#​1157)
  • Operator now correctly handles scaling down pods that are not associated with a node. (#​1158)

Internal

  • Added a new end-to-end test suite for release upgrades. (#​1155)
  • Added a CodeQL workflow for security analysis. (#​1153)
  • Increased test coverage.

Please refer to README.md for further details.


Configuration

📅 Schedule: (in timezone Europe/Prague)

  • Branch creation
    • "on friday and saturday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@github-actions

--- kubernetes/main/apps/database/emqx/app Kustomization: flux-system/emqx-operator HelmRelease: database/emqx-operator

+++ kubernetes/main/apps/database/emqx/app Kustomization: flux-system/emqx-operator HelmRelease: database/emqx-operator

@@ -13,13 +13,13 @@

     spec:
       chart: emqx-operator
       sourceRef:
         kind: HelmRepository
         name: emqx
         namespace: flux-system
-      version: 2.2.29
+      version: 2.3.0
   dependsOn:
   - name: cert-manager
     namespace: cert-manager
   install:
     remediation:
       retries: 3
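
Review bot: the unchanged `dependsOn` entry for `cert-manager` just below the version bump looks stale for 2.3.0. The release notes above state that the controller no longer includes webhooks and has no dependency on cert-manager, and the rendered diff drops the chart's Certificate and Issuer. Unless something else in this HelmRelease still needs cert-manager, remove the `dependsOn` entry in the same PR so that emqx-operator reconciliation is not gated on an unrelated component.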

@github-actions

--- HelmRelease: database/emqx-operator ClusterRole: database/emqx-manager-role

+++ HelmRelease: database/emqx-operator ClusterRole: database/emqx-manager-role

@@ -1,17 +1,20 @@

 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: emqx-manager-role
+  labels:
+    app.kubernetes.io/name: emqx-operator
+    app.kubernetes.io/instance: emqx-operator
+    app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
   - ''
   resources:
   - configmaps
-  - endpoints
   - persistentvolumes
   - secrets
   - services
   verbs:
   - create
   - get
@@ -67,42 +70,33 @@

   - list
   - update
   - watch
 - apiGroups:
   - apps.emqx.io
   resources:
-  - emqxbrokers
-  - emqxenterprises
   - emqxes
-  - emqxplugins
   - rebalances
   verbs:
   - create
   - delete
   - get
   - list
   - patch
   - update
   - watch
 - apiGroups:
   - apps.emqx.io
   resources:
-  - emqxbrokers/finalizers
-  - emqxenterprises/finalizers
   - emqxes/finalizers
-  - emqxplugins/finalizers
   - rebalances/finalizers
   verbs:
   - update
 - apiGroups:
   - apps.emqx.io
   resources:
-  - emqxbrokers/status
-  - emqxenterprises/status
   - emqxes/status
-  - emqxplugins/status
   - rebalances/status
   verbs:
   - get
   - patch
   - update
 - apiGroups:
--- HelmRelease: database/emqx-operator ClusterRoleBinding: database/emqx-manager-rolebinding

+++ HelmRelease: database/emqx-operator ClusterRoleBinding: database/emqx-manager-rolebinding

@@ -1,11 +1,15 @@

 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: emqx-manager-rolebinding
+  labels:
+    app.kubernetes.io/name: emqx-operator
+    app.kubernetes.io/instance: emqx-operator
+    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: emqx-manager-role
 subjects:
 - kind: ServiceAccount
--- HelmRelease: database/emqx-operator Role: database/emqx-leader-election-role

+++ HelmRelease: database/emqx-operator Role: database/emqx-leader-election-role

@@ -1,12 +1,16 @@

 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: emqx-leader-election-role
   namespace: database
+  labels:
+    app.kubernetes.io/name: emqx-operator
+    app.kubernetes.io/instance: emqx-operator
+    app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
   - ''
   resources:
   - configmaps
   verbs:
--- HelmRelease: database/emqx-operator RoleBinding: database/emqx-leader-election-rolebinding

+++ HelmRelease: database/emqx-operator RoleBinding: database/emqx-leader-election-rolebinding

@@ -1,12 +1,16 @@

 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: emqx-leader-election-rolebinding
   namespace: database
+  labels:
+    app.kubernetes.io/name: emqx-operator
+    app.kubernetes.io/instance: emqx-operator
+    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: emqx-leader-election-role
 subjects:
 - kind: ServiceAccount
--- HelmRelease: database/emqx-operator Service: database/emqx-controller-manager-metrics-service

+++ HelmRelease: database/emqx-operator Service: database/emqx-controller-manager-metrics-service

@@ -1,18 +1,22 @@

 ---
 apiVersion: v1
 kind: Service
 metadata:
+  name: emqx-controller-manager-metrics-service
+  namespace: database
   labels:
     control-plane: controller-manager
-  name: emqx-controller-manager-metrics-service
-  namespace: database
+    app.kubernetes.io/name: emqx-operator
+    app.kubernetes.io/instance: emqx-operator
+    app.kubernetes.io/managed-by: Helm
 spec:
   ports:
-  - name: metrics
-    port: 8080
-    targetPort: metrics
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: 8443
   selector:
     control-plane: controller-manager
     app.kubernetes.io/name: emqx-operator
     app.kubernetes.io/instance: emqx-operator
 
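Review bot: the port entry changes its name as well as its number (`metrics`/8080 becomes `https`/8443, with a numeric `targetPort`), so any ServiceMonitor, scrape config or NetworkPolicy in this repo that selects this Service by the port name `metrics` or by 8080 will stop matching after the upgrade. The new name suggests the endpoint is now served over TLS, so the scraper would also need `scheme: https` and whatever credentials the endpoint expects. Please confirm the monitoring side is updated in the same change.
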
--- HelmRelease: database/emqx-operator Service: database/emqx-webhook-service

+++ HelmRelease: database/emqx-operator Service: database/emqx-webhook-service

@@ -1,15 +0,0 @@

----
-apiVersion: v1
-kind: Service
-metadata:
-  name: emqx-webhook-service
-  namespace: database
-spec:
-  ports:
-  - port: 443
-    targetPort: 9443
-  selector:
-    control-plane: controller-manager
-    app.kubernetes.io/name: emqx-operator
-    app.kubernetes.io/instance: emqx-operator
-
--- HelmRelease: database/emqx-operator Deployment: database/emqx-controller-manager

+++ HelmRelease: database/emqx-operator Deployment: database/emqx-controller-manager

@@ -1,17 +1,17 @@

 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  name: emqx-controller-manager
+  namespace: database
   labels:
     control-plane: controller-manager
     app.kubernetes.io/name: emqx-operator
     app.kubernetes.io/instance: emqx-operator
     app.kubernetes.io/managed-by: Helm
-  name: emqx-controller-manager
-  namespace: database
 spec:
   replicas: 1
   revisionHistoryLimit: 10
   selector:
     matchLabels:
       control-plane: controller-manager
@@ -23,38 +23,32 @@

         control-plane: controller-manager
         app.kubernetes.io/name: emqx-operator
         app.kubernetes.io/instance: emqx-operator
         app.kubernetes.io/managed-by: Helm
     spec:
       containers:
-      - args:
+      - command:
+        - /manager
+        args:
+        - --metrics-bind-address=:8443
         - --leader-elect
-        - --metrics-bind-address=:8080
         - --health-probe-bind-address=:8081
-        - --zap-devel=false
-        command:
-        - /manager
-        image: ghcr.io/emqx/emqx-operator:2.2.29
+        - --zap-devel=true
+        image: ghcr.io/emqx/emqx-operator:2.3.0
         imagePullPolicy: IfNotPresent
+        name: manager
+        ports:
+        - containerPort: 8443
+          name: metrics
+          protocol: TCP
         livenessProbe:
           httpGet:
             path: /healthz
             port: 8081
           initialDelaySeconds: 15
           periodSeconds: 20
-        name: manager
-        ports:
-        - containerPort: 8080
-          name: metrics
-          protocol: TCP
-        - containerPort: 9443
-          name: webhook-server
-          protocol: TCP
-        env:
-        - name: ENABLE_WEBHOOKS
-          value: 'true'
         readinessProbe:
           httpGet:
             path: /readyz
             port: 8081
           initialDelaySeconds: 5
           periodSeconds: 10
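
Review bot: `--zap-devel=false` becomes `--zap-devel=true` in the manager args, which switches the controller-runtime logger to development mode: console encoding, debug level, and stack traces on warnings. This operator's ClusterRole covers `secrets`, so debug-level output is worth a look before it reaches the log pipeline. If the chart exposes a way to set this flag, pin it back to `false`; otherwise raise it upstream, since this looks like a chart default rather than something this repo chose.
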
@@ -64,20 +58,14 @@

             memory: 512Mi
           requests:
             cpu: 10m
             memory: 512Mi
         securityContext:
           allowPrivilegeEscalation: false
-        volumeMounts:
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: cert
-          readOnly: true
+          capabilities:
+            drop:
+            - ALL
       securityContext:
         runAsNonRoot: true
       serviceAccountName: emqx
       terminationGracePeriodSeconds: 10
-      volumes:
-      - name: cert
-        secret:
-          defaultMode: 420
-          secretName: emqx-webhook-server-cert
 
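Review bot: the container `securityContext` gains `capabilities.drop: [ALL]`, but neither it nor the pod-level `securityContext` shown here sets `seccompProfile`. The Pod Security "restricted" profile additionally requires `seccompProfile.type: RuntimeDefault` (or `Localhost`), so if the `database` namespace enforces that profile, this Deployment's pods will still be rejected and need a post-render patch or an upstream fix. `readOnlyRootFilesystem: true` would be a reasonable addition in the same patch.
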
--- HelmRelease: database/emqx-operator MutatingWebhookConfiguration: database/emqx-mutating-webhook-configuration

+++ HelmRelease: database/emqx-operator MutatingWebhookConfiguration: database/emqx-mutating-webhook-configuration

@@ -1,72 +0,0 @@

----
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  annotations:
-    cert-manager.io/inject-ca-from: database/emqx-serving-cert
-  name: emqx-mutating-webhook-configuration
-webhooks:
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: emqx-webhook-service
-      namespace: database
-      path: /mutate-apps-emqx-io-v1beta4-emqxbroker
-  failurePolicy: Fail
-  name: mutating.broker.emqx.io
-  rules:
-  - apiGroups:
-    - apps.emqx.io
-    apiVersions:
-    - v1beta4
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - emqxbrokers
-  sideEffects: None
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: emqx-webhook-service
-      namespace: database
-      path: /mutate-apps-emqx-io-v1beta4-emqxenterprise
-  failurePolicy: Fail
-  name: mutating.enterprise.emqx.io
-  rules:
-  - apiGroups:
-    - apps.emqx.io
-    apiVersions:
-    - v1beta4
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - emqxenterprises
-  sideEffects: None
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: emqx-webhook-service
-      namespace: database
-      path: /mutate-apps-emqx-io-v1beta4-emqxplugin
-  failurePolicy: Fail
-  name: mutating.emqxplugin.emqx.io
-  rules:
-  - apiGroups:
-    - apps.emqx.io
-    apiVersions:
-    - v1beta4
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - emqxplugins
-  sideEffects: None
-
--- HelmRelease: database/emqx-operator ValidatingWebhookConfiguration: database/emqx-validating-webhook-configuration

+++ HelmRelease: database/emqx-operator ValidatingWebhookConfiguration: database/emqx-validating-webhook-configuration

@@ -1,93 +0,0 @@

----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  annotations:
-    cert-manager.io/inject-ca-from: database/emqx-serving-cert
-  name: emqx-validating-webhook-configuration
-webhooks:
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: emqx-webhook-service
-      namespace: database
-      path: /validate-apps-emqx-io-v2beta1-rebalance
-  failurePolicy: Fail
-  name: validator.rebalance.emqx.io
-  rules:
-  - apiGroups:
-    - apps.emqx.io
-    apiVersions:
-    - v2beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - rebalances
-  sideEffects: None
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: emqx-webhook-service
-      namespace: database
-      path: /validate-apps-emqx-io-v1beta4-emqxbroker
-  failurePolicy: Fail
-  name: validator.broker.emqx.io
-  rules:
-  - apiGroups:
-    - apps.emqx.io
-    apiVersions:
-    - v1beta4
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - emqxbrokers
-  sideEffects: None
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: emqx-webhook-service
-      namespace: database
-      path: /validate-apps-emqx-io-v1beta4-emqxenterprise
-  failurePolicy: Fail
-  name: validator.enterprise.emqx.io
-  rules:
-  - apiGroups:
-    - apps.emqx.io
-    apiVersions:
-    - v1beta4
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - emqxenterprises
-  sideEffects: None
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: emqx-webhook-service
-      namespace: database
-      path: /validate-apps-emqx-io-v1beta4-emqxplugin
-  failurePolicy: Fail
-  name: validator.emqxplugin.emqx.io
-  rules:
-  - apiGroups:
-    - apps.emqx.io
-    apiVersions:
-    - v1beta4
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - emqxplugins
-  sideEffects: None
-
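
Review bot: among the validators removed here, `validator.rebalance.emqx.io` is the only one that covered a resource the 2.3.0 ClusterRole still manages (`rebalances`), so after this change nothing rejects a malformed Rebalance at admission. Such a resource is now caught only by the CRD schema or shows up as a failed status after it has been stored. Check that whatever applies these CRs watches status conditions rather than relying on the apply itself failing.
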
--- HelmRelease: database/emqx-operator Certificate: database/emqx-serving-cert

+++ HelmRelease: database/emqx-operator Certificate: database/emqx-serving-cert

@@ -1,15 +0,0 @@

----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: emqx-serving-cert
-  namespace: database
-spec:
-  dnsNames:
-  - emqx-webhook-service.database.svc
-  - emqx-webhook-service.database.svc.cluster.local
-  issuerRef:
-    kind: Issuer
-    name: emqx-selfsigned-issuer
-  secretName: emqx-webhook-server-cert
-
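
Review bot: deleting this Certificate does not necessarily delete the Secret named in `secretName: emqx-webhook-server-cert`, because cert-manager leaves issued Secrets in place unless it runs with owner references enabled. After the upgrade, check the `database` namespace for the leftover Secret and remove it: it holds a private key for `emqx-webhook-service.database.svc`, and the Deployment diff above no longer mounts it.
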
--- HelmRelease: database/emqx-operator Issuer: database/emqx-selfsigned-issuer

+++ HelmRelease: database/emqx-operator Issuer: database/emqx-selfsigned-issuer

@@ -1,9 +0,0 @@

----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: emqx-selfsigned-issuer
-  namespace: database
-spec:
-  selfSigned: {}
-
--- HelmRelease: database/emqx-operator ServiceAccount: database/emqx-pre-upgrade

+++ HelmRelease: database/emqx-operator ServiceAccount: database/emqx-pre-upgrade

@@ -0,0 +1,15 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: emqx-pre-upgrade
+  namespace: database
+  labels:
+    app.kubernetes.io/name: emqx-operator
+    app.kubernetes.io/instance: emqx-operator
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: '-10'
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+
--- HelmRelease: database/emqx-operator ClusterRole: database/emqx-pre-upgrade

+++ HelmRelease: database/emqx-operator ClusterRole: database/emqx-pre-upgrade

@@ -0,0 +1,30 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: emqx-pre-upgrade
+  labels:
+    app.kubernetes.io/name: emqx-operator
+    app.kubernetes.io/instance: emqx-operator
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: '-10'
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - apps.emqx.io
+  resources:
+  - emqxbrokers
+  - emqxenterprises
+  - emqxplugins
+  verbs:
+  - list
+
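
Review bot: the first rule grants `get` and `patch` on every `customresourcedefinitions` object in the cluster, while the Job further down only reads the three legacy CRDs and patches `emqxes.apps.emqx.io` and `rebalances.apps.emqx.io`. A `resourceNames` list with those five CRD names would stop the hook's ServiceAccount from being able to rewrite the schema or conversion settings of unrelated CRDs. Note also that `helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded` removes this role only on success or before the next hook run, so after a failed upgrade the role and its binding stay in the cluster.
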
--- HelmRelease: database/emqx-operator ClusterRoleBinding: database/emqx-pre-upgrade

+++ HelmRelease: database/emqx-operator ClusterRoleBinding: database/emqx-pre-upgrade

@@ -0,0 +1,22 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: emqx-pre-upgrade
+  labels:
+    app.kubernetes.io/name: emqx-operator
+    app.kubernetes.io/instance: emqx-operator
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: '-10'
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: emqx-pre-upgrade
+subjects:
+- kind: ServiceAccount
+  name: emqx-pre-upgrade
+  namespace: database
+
--- HelmRelease: database/emqx-operator Job: database/emqx-pre-upgrade

+++ HelmRelease: database/emqx-operator Job: database/emqx-pre-upgrade

@@ -0,0 +1,107 @@

+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: emqx-pre-upgrade
+  namespace: database
+  labels:
+    app.kubernetes.io/name: emqx-operator
+    app.kubernetes.io/instance: emqx-operator
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: '-5'
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 3
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: emqx-operator
+        app.kubernetes.io/instance: emqx-operator
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: emqx-pre-upgrade
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      containers:
+      - name: cleanup
+        image: alpine/k8s:1.31.4
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        command:
+        - /bin/sh
+        - -ec
+        - |
+          echo "=== EMQX Operator pre-upgrade cleanup (2.2.x -> 2.3.0) ==="
+
+          # Step 1: Check for existing legacy custom resources.
+          #
+          # Legacy CRDs (emqxbrokers, emqxenterprises, emqxplugins) are present in
+          # 2.2.x chart templates but absent from 2.3.0, so Helm will delete them
+          # during upgrade. If any CRs exist under those CRDs they would be silently
+          # destroyed. Abort early and ask the user to migrate first.
+          BLOCKED=""
+
+          if kubectl get crd emqxbrokers.apps.emqx.io >/dev/null 2>&1; then
+            N=$(kubectl get emqxbrokers --all-namespaces --no-headers 2>/dev/null | wc -l)
+            if [ "$N" -gt 0 ]; then
+              echo "ERROR: Found $N EmqxBroker CR(s)."
+              BLOCKED="emqxbrokers $BLOCKED"
+            fi
+          fi
+
+          if kubectl get crd emqxenterprises.apps.emqx.io >/dev/null 2>&1; then
+            N=$(kubectl get emqxenterprises --all-namespaces --no-headers 2>/dev/null | wc -l)
+            if [ "$N" -gt 0 ]; then
+              echo "ERROR: Found $N EmqxEnterprise CR(s)."
+              BLOCKED="emqxenterprises $BLOCKED"
+            fi
+          fi
+
+          if kubectl get crd emqxplugins.apps.emqx.io >/dev/null 2>&1; then
+            N=$(kubectl get emqxplugins --all-namespaces --no-headers 2>/dev/null | wc -l)
+            if [ "$N" -gt 0 ]; then
+              echo "ERROR: Found $N EmqxPlugin CR(s)."
+              BLOCKED="emqxplugins $BLOCKED"
+            fi
+          fi
+
+          if [ -n "$BLOCKED" ]; then
+            echo ""
+            echo "Upgrade BLOCKED: legacy custom resources still exist ($BLOCKED)."
+            echo "These CRDs will be removed by the 2.3.0 chart, which would destroy the CRs."
+            echo "Please migrate or delete these resources before upgrading."
+            echo "See: https://github.com/emqx/emqx-operator/blob/main-2.3/README.md#from-22x"
+            exit 1
+          fi
+
+          # Step 2: Patch CRDs to remove conversion webhooks.
+          #
+          # The 2.2.x chart configures Webhook conversion on emqxes and rebalances
+          # CRDs, pointing at the operator's webhook endpoint. During upgrade Helm
+          # will tear down the old Deployment (and its Service) before applying the
+          # new CRD manifests. In the window between those two events the API server
+          # would fail to serve any request that triggers CRD conversion, because the
+          # webhook endpoint no longer exists. Patching the strategy to None *before*
+          # Helm starts the upgrade avoids this.
+          echo "--- Patching CRD emqxes.apps.emqx.io ..."
+          kubectl patch crd emqxes.apps.emqx.io \
+            --type=json \
+            -p='[{"op":"replace","path":"/spec/conversion","value":{"strategy":"None"}}]' \
+              || echo "*** not found or already patched, skipping."
+
+          echo "--- Patching CRD rebalances.apps.emqx.io ..."
+          kubectl patch crd rebalances.apps.emqx.io \
+            --type=json \
+            -p='[{"op":"replace","path":"/spec/conversion","value":{"strategy":"None"}}]' \
+              || echo "*** not found or already patched, skipping."
+
+          echo "=== Pre-upgrade cleanup complete ==="
+
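
Review bot: the legacy-CR guard in Step 1 fails open. In `N=$(kubectl get emqxbrokers --all-namespaces --no-headers 2>/dev/null | wc -l)` the exit status is that of `wc` and stderr is discarded, so an RBAC denial or API error yields `N=0`, the check passes, and Helm goes on to remove the CRDs as the script's own comment describes. `-e` does not help because the pipeline's status is the last command's. Capture the kubectl output and exit status separately and `exit 1` when the call fails. The same applies to Step 2, where `|| echo "*** not found or already patched, skipping."` hides every patch error, including a forbidden one. Separately, `alpine/k8s:1.31.4` comes from a different registry namespace than the operator image and is referenced by tag only; pinning it by digest would fix what actually runs with CRD patch rights.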
