From 4f77ec1ce31864662251e0445a0e8614fd60dbe9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Wed, 22 Jan 2025 12:48:38 +0100
Subject: [PATCH 1/3] Remove secret migration job entirely

Fixes #477

This was a temporary migration tool for upgrading from 24.3. Anyone upgrading from 24.3 will need to first upgrade to 24.7 or 24.11 before 25.3 (or do the step manually). Bear in mind that we don't officially support skipping releases when upgrading.
---
 .../templates/secret_migration_job.yaml | 57 ------------------
 .../templates/secret_migration_rbac.yaml | 58 -------------------
 deploy/helm/secret-operator/values.yaml | 17 +-----
 3 files changed, 2 insertions(+), 130 deletions(-)
 delete mode 100644 deploy/helm/secret-operator/templates/secret_migration_job.yaml
 delete mode 100644 deploy/helm/secret-operator/templates/secret_migration_rbac.yaml

diff --git a/deploy/helm/secret-operator/templates/secret_migration_job.yaml b/deploy/helm/secret-operator/templates/secret_migration_job.yaml
deleted file mode 100644
index 3a7bc819..00000000
--- a/deploy/helm/secret-operator/templates/secret_migration_job.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-{{ if .Values.secretMigrationJob.enabled -}}
-# Migrates the TLS CA key pair from the hard-coded default namespace to the operator namespace
-# See https://github.com/stackabletech/secret-operator/issues/453
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "operator.fullname" . }}-secret-migration
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-delete-policy": hook-succeeded
- "helm.sh/hook-weight": "-5"
- labels:
- {{- include "operator.labels" . | nindent 4 }}
-spec:
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "operator.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.image.pullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- containers:
- - name: migrate-secret
- image: "{{ .Values.secretMigrationJob.image.repository }}:{{ .Values.secretMigrationJob.image.tag }}"
- imagePullPolicy: {{ .Values.secretMigrationJob.image.pullPolicy }}
- resources:
- {{ .Values.secretMigrationJob.resources | toYaml | nindent 12 }}
- command: ["bash", "-c"]
- args:
- - |
- #!/bin/bash
- set -euo pipefail
- SOURCE_NAMESPACE=default
- TARGET_NAMESPACE={{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }}
-
- # only continue if secret exists
- if source_ca_secret="$(kubectl get secret -n $SOURCE_NAMESPACE secret-provisioner-tls-ca -o json)"; then
- echo "secret exists in namespace $SOURCE_NAMESPACE"
- # only continue if secret in target namespace does NOT exist
- if ! kubectl get secret -n $TARGET_NAMESPACE secret-provisioner-tls-ca; then
- echo "secret does not exist in namespace $TARGET_NAMESPACE"
- # copy secret from default to {{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }}
- echo "$source_ca_secret" | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' | kubectl apply -n $TARGET_NAMESPACE -f -
- fi
- fi
- restartPolicy: Never
-{{- end }}
diff --git a/deploy/helm/secret-operator/templates/secret_migration_rbac.yaml b/deploy/helm/secret-operator/templates/secret_migration_rbac.yaml
deleted file mode 100644
index 561a2416..00000000
--- a/deploy/helm/secret-operator/templates/secret_migration_rbac.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-{{ if .Values.secretMigrationJob.enabled -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
- labels:
- {{- include "operator.labels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-delete-policy": hook-succeeded
- "helm.sh/hook-weight": "-10"
- {{- with .Values.serviceAccount.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "operator.fullname" . }}-secret-migration-clusterrolebinding
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-delete-policy": hook-succeeded
- "helm.sh/hook-weight": "-10"
- labels:
- {{- include "operator.labels" . | nindent 4 }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: {{ include "operator.fullname" . }}-secret-migration-clusterrole
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "operator.fullname" . }}-secret-migration-clusterrole
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-delete-policy": hook-succeeded
- "helm.sh/hook-weight": "-10"
- labels:
- {{- include "operator.labels" . | nindent 4 }}
-rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
- - create
- - patch
- - update
-{{- end }}
diff --git a/deploy/helm/secret-operator/values.yaml b/deploy/helm/secret-operator/values.yaml
index 5659eac2..63e86e02 100644
--- a/deploy/helm/secret-operator/values.yaml
+++ b/deploy/helm/secret-operator/values.yaml
@@ -5,20 +5,6 @@ image:
 pullPolicy: IfNotPresent
 pullSecrets: []
 
-secretMigrationJob:
- enabled: true
- image:
- repository: docker.stackable.tech/stackable/tools
- tag: 1.0.0-stackable24.11.0
- pullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- cpu: 100m
- memory: 128Mi
-
 csiProvisioner:
 image:
 repository: docker.stackable.tech/k8s/sig-storage/csi-provisioner
@@ -73,7 +59,8 @@ podAnnotations: {}
 labels:
 stackable.tech/vendor: Stackable
 
-podSecurityContext: {}
+podSecurityContext:
+ {}
 # fsGroup: 2000
 
 securityContext:

From f3bcfa677e5eb2ebe19a6d8d8e048524da80eb36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Wed, 22 Jan 2025 12:54:28 +0100
Subject: [PATCH 2/3] Changelog

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a474ba13..13fe4e16 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Removed
+
+- Removed CA secret migration job ([#548]).
+ - BREAKING: This means that direct upgrades from 24.3 are no longer supported. Users of 24.3 must first upgrade to 24.7 or 24.11 before continuing. Bear in mind that we officially only support direct upgrades (24.3 -> 24.7 -> 24.11 -> ...).
+
 ### Added
 
 - Made RSA key length configurable for certificates issued by cert-manager ([#528]).
@@ -22,6 +27,7 @@ All notable changes to this project will be documented in this file.
 [#528]: https://github.com/stackabletech/secret-operator/pull/528
 [#536]: https://github.com/stackabletech/secret-operator/pull/536
 [#543]: https://github.com/stackabletech/secret-operator/pull/543
+[#548]: https://github.com/stackabletech/secret-operator/pull/548
 
 ## [24.11.0] - 2024-11-18
 
From 815640b2401fd4befab1b21946b242f41ed01595 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Wed, 22 Jan 2025 13:21:18 +0100
Subject: [PATCH 3/3] Update deploy/helm/secret-operator/values.yaml

Co-authored-by: Sebastian Bernauer
---
 deploy/helm/secret-operator/values.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/deploy/helm/secret-operator/values.yaml b/deploy/helm/secret-operator/values.yaml
index 63e86e02..fe64da25 100644
--- a/deploy/helm/secret-operator/values.yaml
+++ b/deploy/helm/secret-operator/values.yaml
@@ -59,8 +59,7 @@ podAnnotations: {}
 labels:
 stackable.tech/vendor: Stackable
 
-podSecurityContext:
- {}
+podSecurityContext: {}
 # fsGroup: 2000
 
 securityContext: