diff --git a/CHANGELOG.md b/CHANGELOG.md index a474ba13..13fe4e16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Removed + +- Removed CA secret migration job ([#548]). + - BREAKING: This means that direct upgrades from 24.3 are no longer supported. Users of 24.3 must first upgrade to 24.7 or 24.11 before continuing. Bear in mind that we officially only support direct upgrades (24.3 -> 24.7 -> 24.11 -> ...). + ### Added - Made RSA key length configurable for certificates issued by cert-manager ([#528]). @@ -22,6 +27,7 @@ All notable changes to this project will be documented in this file. [#528]: https://github.com/stackabletech/secret-operator/pull/528 [#536]: https://github.com/stackabletech/secret-operator/pull/536 [#543]: https://github.com/stackabletech/secret-operator/pull/543 +[#548]: https://github.com/stackabletech/secret-operator/pull/548 ## [24.11.0] - 2024-11-18 diff --git a/deploy/helm/secret-operator/templates/secret_migration_job.yaml b/deploy/helm/secret-operator/templates/secret_migration_job.yaml deleted file mode 100644 index 3a7bc819..00000000 --- a/deploy/helm/secret-operator/templates/secret_migration_job.yaml +++ /dev/null 
@@ -1,57 +0,0 @@
----
-{{ if .Values.secretMigrationJob.enabled -}}
-# Migrates the TLS CA key pair from the hard-coded default namespace to the operator namespace
-# See https://github.com/stackabletech/secret-operator/issues/453
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "operator.fullname" . }}-secret-migration
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-delete-policy": hook-succeeded
- "helm.sh/hook-weight": "-5"
- labels:
- {{- include "operator.labels" . | nindent 4 }}
-spec:
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "operator.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.image.pullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- containers:
- - name: migrate-secret
- image: "{{ .Values.secretMigrationJob.image.repository }}:{{ .Values.secretMigrationJob.image.tag }}"
- imagePullPolicy: {{ .Values.secretMigrationJob.image.pullPolicy }}
- resources:
- {{ .Values.secretMigrationJob.resources | toYaml | nindent 12 }}
- command: ["bash", "-c"]
- args:
- - |
- #!/bin/bash
- set -euo pipefail
- SOURCE_NAMESPACE=default
- TARGET_NAMESPACE={{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }}
-
- # only continue if secret exists
- if source_ca_secret="$(kubectl get secret -n $SOURCE_NAMESPACE secret-provisioner-tls-ca -o json)"; then
- echo "secret exists in namespace $SOURCE_NAMESPACE"
- # only continue if secret in target namespace does NOT exist
- if !
kubectl get secret -n $TARGET_NAMESPACE secret-provisioner-tls-ca; then
- echo "secret does not exist in namespace $TARGET_NAMESPACE"
- # copy secret from default to {{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }}
- echo "$source_ca_secret" | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' | kubectl apply -n $TARGET_NAMESPACE -f -
- fi
- fi
- restartPolicy: Never
-{{- end }}
diff --git a/deploy/helm/secret-operator/templates/secret_migration_rbac.yaml b/deploy/helm/secret-operator/templates/secret_migration_rbac.yaml
deleted file mode 100644
index 561a2416..00000000
--- a/deploy/helm/secret-operator/templates/secret_migration_rbac.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-{{ if .Values.secretMigrationJob.enabled -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
- labels:
- {{- include "operator.labels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-delete-policy": hook-succeeded
- "helm.sh/hook-weight": "-10"
- {{- with .Values.serviceAccount.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "operator.fullname" . }}-secret-migration-clusterrolebinding
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-delete-policy": hook-succeeded
- "helm.sh/hook-weight": "-10"
- labels:
- {{- include "operator.labels" . | nindent 4 }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: {{ include "operator.fullname" . }}-secret-migration-clusterrole
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "operator.fullname" . }}-secret-migration-clusterrole
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-delete-policy": hook-succeeded
- "helm.sh/hook-weight": "-10"
- labels:
- {{- include "operator.labels" . | nindent 4 }}
-rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
- - create
- - patch
- - update
-{{- end }}
diff --git a/deploy/helm/secret-operator/values.yaml b/deploy/helm/secret-operator/values.yaml
index 5659eac2..fe64da25 100644
--- a/deploy/helm/secret-operator/values.yaml
+++ b/deploy/helm/secret-operator/values.yaml
@@ -5,20 +5,6 @@ image: pullPolicy: IfNotPresent pullSecrets: [] -secretMigrationJob: - enabled: true - image: - repository: docker.stackable.tech/stackable/tools - tag: 1.0.0-stackable24.11.0 - pullPolicy: IfNotPresent - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 100m - memory: 128Mi - csiProvisioner: image: repository: docker.stackable.tech/k8s/sig-storage/csi-provisioner