Helm: add support for auto upgrading CRDs

Introduces a pre-upgrade hook that will upgrade/create any of the CRD manifests that are bundled in the vso docker image.

Other fixes:
- make the component label test more reliable by checking all documents individually.
- configure a backoff in the pre-delete "pdcc" Job.

Author: benashz

Dockerfile

@@ -31,13 +31,20 @@ ARG LD_FLAGS
 # Build
 RUN CGO_ENABLED=0 GOOS=$GOOS GOARCH=$GOARCH go build -ldflags "$LD_FLAGS" -a -o $BIN_NAME main.go
 
+# setup scripts directory needed for upgrading CRDs.
+RUN mkdir scripts
+COPY chart/crds scripts/crds
+RUN ln -s ../$BIN_NAME scripts/upgrade-crds
+
 # dev image
 # -----------------------------------
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot as dev
+ENV BIN_NAME=vault-secrets-operator
 WORKDIR /
 COPY --from=dev-builder /workspace/$BIN_NAME /
+COPY --from=dev-builder /workspace/scripts /scripts
 USER 65532:65532
 
 ENTRYPOINT ["/vault-secrets-operator"]
@@ -59,7 +66,8 @@ LABEL revision=$PRODUCT_REVISION
 
 WORKDIR /
 
-COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /
+COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /$BIN_NAME
+COPY dist/$TARGETOS/$TARGETARCH/scripts /scripts
 COPY LICENSE /licenses/copyright.txt
 
 USER 65532:65532
@@ -93,7 +101,8 @@ LABEL name="Vault Secrets Operator" \
 
 WORKDIR /
 
-COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /
+COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /$BIN_NAME
+COPY dist/$TARGETOS/$TARGETARCH/scripts /scripts
 COPY LICENSE /licenses/copyright.txt
 COPY --from=build-ubi /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/
 

Makefile

@@ -274,7 +274,10 @@ docker-push: ## Push docker image with the manager.
 
 .PHONY: ci-build
 ci-build: ## Build operator binary (without generating assets).
-	mkdir -p $(BUILD_DIR)/$(GOOS)/$(GOARCH)
+	rm -rf $(BUILD_DIR)/$(GOOS)/$(GOARCH)/scripts
+	mkdir -p $(BUILD_DIR)/$(GOOS)/$(GOARCH)/scripts
+	cp -a chart/crds $(BUILD_DIR)/$(GOOS)/$(GOARCH)/scripts/.
+	ln -s ../$(BIN_NAME) $(BUILD_DIR)/$(GOOS)/$(GOARCH)/scripts/upgrade-crds
 	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build \
 		-ldflags "${LD_FLAGS} $(shell GOOS=$(GOOS) GOARCH=$(GOARCH) ./scripts/ldflags-version.sh)" \
 		-a \

chart/templates/deployment.yaml

@@ -9,6 +9,7 @@ metadata:
   name: {{ include "vso.chart.fullname" . }}-controller-manager
   namespace: {{ .Release.Namespace }}
   labels:
+    app.kubernetes.io/component: controller-manager
   {{- include "vso.chart.labels" . | nindent 4 }}
 {{ include "vso.imagePullSecrets" .}}
 ---
@@ -167,6 +168,7 @@ metadata:
   name: {{ printf "%s-%s" "pdcc" (include "vso.chart.fullname" .) | trunc 63 | trimSuffix "-" }}
   namespace: {{ .Release.Namespace }}
   labels:
+    app.kubernetes.io/component: controller-manager
   {{- include "vso.chart.labels" . | nindent 4 }}
   annotations:
     # This is what defines this resource as a hook. Without this line, the
@@ -177,6 +179,7 @@ metadata:
       {{- toYaml .Values.controller.annotations | nindent 4 }}
     {{- end }}
 spec:
+  backoffLimit: 5
   template:
     metadata:
       # This name is truncated because kubernetes applies labels to the job which contain the job and pod
@@ -195,15 +198,20 @@ spec:
         - --pre-delete-hook-timeout-seconds={{ .Values.controller.preDeleteHookTimeoutSeconds }}
         command:
         - /vault-secrets-operator
-        resources: {{- toYaml .Values.controller.manager.resources | nindent 10 }}
+        {{- with .Values.hooks.resources  }}
+        resources:
+        {{- toYaml . | nindent 10 }}
+        {{- end}}
+        {{- with  .Values.controller.securityContext }}
         securityContext:
-          {{- toYaml .Values.controller.securityContext | nindent 10 }}
+        {{- toYaml .| nindent 10 }}
+        {{- end}}
       restartPolicy: Never
-      {{- if .Values.controller.nodeSelector }}
+      {{- with .Values.controller.nodeSelector }}
       nodeSelector:
-      {{- toYaml .Values.controller.nodeSelector | nindent 8 }}
+      {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.controller.tolerations }}
+      {{- with .Values.controller.tolerations }}
       tolerations:
-      {{- toYaml .Values.controller.tolerations | nindent 8 }}
+      {{- toYaml .| nindent 8 }}
       {{- end }}

chart/templates/hook-upgrade-crds.yaml

@@ -0,0 +1,111 @@
+{{- if .Values.hooks.upgradeCRDs.enabled -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "vso.chart.fullname" . }}-upgrade-crds
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: controller-manager
+{{ include "vso.chart.labels" . | indent 4 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "1"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "vso.chart.fullname" . }}-upgrade-crds
+  labels:
+    app.kubernetes.io/component: rbac
+{{ include "vso.chart.labels" . | indent 4 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "2"
+rules:
+  - apiGroups:
+    - apiextensions.k8s.io
+    resources:
+    - customresourcedefinitions
+    verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "vso.chart.fullname" . }}-upgrade-crds
+  labels:
+    app.kubernetes.io/component: rbac
+{{ include "vso.chart.labels" . | indent 4 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "2"
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "vso.chart.fullname" . }}-upgrade-crds
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "vso.chart.fullname" . }}-upgrade-crds
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" "upgrade-crds" (include "vso.chart.fullname" .) | trunc 63 | trimSuffix "-" }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: controller-manager
+  {{- include "vso.chart.labels" . | nindent 4 }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "99"
+    {{- if .Values.controller.annotations }}
+      {{- toYaml .Values.controller.annotations | nindent 4 }}
+    {{- end }}
+spec:
+  backoffLimit: {{ .Values.hooks.upgradeCRDs.backoffLimit | default 5 }}
+  template:
+    metadata:
+      name: {{ printf "%s-%s" "upgrade-crds" (include "vso.chart.fullname" .) | trunc 63 | trimSuffix "-" }}
+    spec:
+      serviceAccountName: {{ template "vso.chart.fullname" . }}-upgrade-crds
+      securityContext:
+        {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+      containers:
+      - name: pre-upgrade-crds
+        image: {{ .Values.controller.manager.image.repository }}:{{ .Values.controller.manager.image.tag }}
+        env:
+        - name: VSO_UPGRADE_CRDS_TIMEOUT
+          value: .Values.hooks.upgradeCRDs.executionTimeout
+        command:
+        - /scripts/upgrade-crds
+        {{- with .Values.hooks.resources  }}
+        resources:
+        {{- toYaml . | nindent 10 }}
+        {{- end}}
+        {{- with  .Values.controller.securityContext }}
+        securityContext:
+        {{- toYaml .| nindent 10 }}
+        {{- end}}
+      restartPolicy: Never
+      {{- with .Values.controller.nodeSelector }}
+      nodeSelector:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.tolerations }}
+      tolerations:
+      {{- toYaml .| nindent 8 }}
+      {{- end }}
+{{- end -}}

chart/templates/tests/test-runner.yaml

@@ -9,6 +9,7 @@ metadata:
   name: {{ template "vso.chart.fullname" . }}-test
   namespace: {{ .Release.Namespace }}
   labels:
+    app.kubernetes.io/component: controller-manager
     app: {{ template "vso.chart.name" . }}
     chart: {{ template "vso.chart.chart" . }}
     heritage: {{ .Release.Service }}

chart/values.yaml

@@ -4,7 +4,6 @@
 # Top level configuration for the vault secrets operator deployment.
 # This consists of a controller and a kube rbac proxy container.
 controller:
-
   # Set the number of replicas for the operator.
   # @type: integer
   replicas: 1
@@ -753,6 +752,33 @@ telemetry:
     # @type: string
     scrapeTimeout: 10s
 
+# Configure the behaviour of Helm hooks.
+hooks:
+  # Resources common to all hooks.
+  resources:
+    limits:
+      cpu: 500m
+      memory: 128Mi
+    requests:
+      cpu: 10m
+      memory: 64Mi
+  # Configure the Helm pre-upgrade hook that handles custom resource definition (CRD) upgrades.
+  upgradeCRDs:
+    # Set to true to automatically upgrade the CRDs.
+    # Disabling this will require manual intervention to upgrade the CRDs, so it is recommended to
+    # always leave it enabled.
+    # @type: boolean
+    enabled: true
+
+    # Limit the number of retries for the CRD upgrade.
+    # @type: integer
+    backoffLimit:  5
+
+    # Set the timeout for the CRD upgrade. The operation should typically take less than 5s
+    # to complete.
+    # @type: string
+    executionTimeout: 30s
+
 ## Used by unit tests, and will not be rendered except when using `helm template`, this can be safely ignored.
 tests:
   # @type: boolean

go.mod

@@ -29,12 +29,13 @@ require (
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/crypto v0.23.0
 	google.golang.org/api v0.181.0
-	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.30.1
+	k8s.io/apiextensions-apiserver v0.30.1
 	k8s.io/apimachinery v0.30.1
 	k8s.io/client-go v0.30.1
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/controller-runtime v0.18.3
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
@@ -167,10 +168,9 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiextensions-apiserver v0.30.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
 )