Skip to content

Commit

Permalink
feat: support cnpg operator namespace-restricted installation (#430)
Browse files Browse the repository at this point in the history
Add a way to deploy the operator in single-namespace mode, restricting the operator's capabilities to solely the namespace in which it has been installed.

Closes #435 

Co-authored-by: Leonardo Cecchi <[email protected]>
Co-authored-by: Jaime Silvela <[email protected]>
Co-authored-by: Jonathan Gonzalez V. <[email protected]>
Signed-off-by: Niccolò Fei <[email protected]>
  • Loading branch information
4 people authored Nov 28, 2024
1 parent 2ee4e01 commit 7b388ba
Show file tree
Hide file tree
Showing 14 changed files with 436 additions and 222 deletions.
27 changes: 27 additions & 0 deletions .github/actions/deploy-cluster/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
name: Deploy a CNPG Cluster
description: Deploys a CNPG Cluster
inputs:
namespace:
description: 'The name of the namespace where the Cluster will be deployed'
required: false
default: 'default'
runs:
using: composite
steps:
- name: Deploy a cluster
shell: bash
env:
NAMESPACE: ${{ inputs.namespace }}
run: |
cat <<EOF | kubectl apply -f -
# Example of PostgreSQL cluster
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: cluster-example
namespace: $NAMESPACE
spec:
instances: 3
storage:
size: 1Gi
EOF
15 changes: 14 additions & 1 deletion .github/actions/deploy-operator/action.yml
Original file line number Diff line number Diff line change
@@ -1,16 +1,29 @@
name: Deploy the CNPG Operator
description: Deploys the CNPG Operator to a Kubernetes cluster
inputs:
namespace:
description: 'The name of the namespace where the operator will be deployed'
required: false
default: 'cnpg-system'
cluster-wide:
description: 'If the operator should be deployed cluster-wide or in single-namespace mode'
required: false
default: 'true'
runs:
using: composite
steps:
- name: Deploy the operator
shell: bash
env:
NAMESPACE: ${{ inputs.namespace }}
CLUSTER_WIDE: ${{ inputs.cluster-wide }}
run:
helm dependency update charts/cloudnative-pg

helm upgrade
--install
--namespace cnpg-system
--namespace $NAMESPACE
--create-namespace
--set config.clusterWide=$CLUSTER_WIDE
--wait
cnpg charts/cloudnative-pg
12 changes: 10 additions & 2 deletions .github/actions/verify-cluster-ready/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ inputs:
description: The name of the cluster to verify
required: true
default: database-cluster
namespace:
description: 'The name of the namespace where the Cluster is deployed'
required: false
default: 'default'
ready-instances:
description: The amount of ready instances to wait for
required: true
Expand All @@ -15,15 +19,19 @@ runs:
steps:
- name: Wait for the cluster to become ready
shell: bash
env:
CLUSTER_NAME: ${{ inputs.cluster-name }}
NAMESPACE: ${{ inputs.namespace }}
EXPECTED_READY_INSTANCES: ${{ inputs.ready-instances }}
run: |
ITER=0
while true; do
if [[ $ITER -ge 300 ]]; then
echo "Cluster not ready"
exit 1
fi
READY_INSTANCES=$(kubectl get clusters.postgresql.cnpg.io ${INPUT_CLUSTER_NAME} -o jsonpath='{.status.readyInstances}')
if [[ "$READY_INSTANCES" == ${INPUT_READY_INSTANCES} ]]; then
READY_INSTANCES=$(kubectl get clusters.postgresql.cnpg.io $CLUSTER_NAME -n $NAMESPACE -o jsonpath='{.status.readyInstances}')
if [[ "$READY_INSTANCES" == "$EXPECTED_READY_INSTANCES" ]]; then
echo "Cluster up and running"
break
fi
Expand Down
58 changes: 45 additions & 13 deletions .github/workflows/tests-operator.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ on:

jobs:
deploy_operator:
name: Deploy the operator in cluster-wide mode
runs-on: ubuntu-24.04
steps:
- name: Checkout
Expand All @@ -21,21 +22,52 @@ jobs:
uses: ./.github/actions/deploy-operator

- name: Deploy a cluster
run: |
cat <<EOF | kubectl apply -f -
# Example of PostgreSQL cluster
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: cluster-example
spec:
instances: 3
storage:
size: 1Gi
EOF
uses: ./.github/actions/deploy-cluster

- name: Verify that the cluster is ready
uses: ./.github/actions/verify-cluster-ready
with:
cluster-name: cluster-example
ready-instances: 3
ready-instances: '3'

deploy_operator_single_namespace:
name: Deploy the operator in single-namespace mode
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: 0

- name: Setup kind
uses: ./.github/actions/setup-kind

- name: Deploy the operator
uses: ./.github/actions/deploy-operator
with:
namespace: 'single-install'
cluster-wide: 'false'

- name: Deploy a cluster
uses: ./.github/actions/deploy-cluster
with:
namespace: 'single-install'

- name: Verify that the cluster is ready
uses: ./.github/actions/verify-cluster-ready
with:
namespace: 'single-install'
cluster-name: 'cluster-example'
ready-instances: '3'

- name: Create a separate namespace
run: kubectl create ns test-ignore

- name: Deploy a cluster in 'test-ignore'
uses: ./.github/actions/deploy-cluster
with:
namespace: 'test-ignore'

- name: Verify the cluster in 'test-ignore' is being ignored
run: |
kubectl -n test-ignore get pods 2>&1 >/dev/null | grep 'No resources found'
24 changes: 24 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,30 @@ helm upgrade --install cnpg \
cnpg/cloudnative-pg
```

#### Single namespace installation

It is possible to limit the operator's capabilities to solely the namespace in
which it has been installed. With this restriction, the cluster-level
permissions required by the operator will be substantially reduced, and
the security profile of the installation will be enhanced.

You can install the operator in single-namespace mode by setting the
`config.clusterWide` flag to false, as in the following example:

```console
helm upgrade --install cnpg \
--namespace cnpg-system \
--create-namespace \
--set config.clusterWide=false \
cnpg/cloudnative-pg
```

**IMPORTANT**: the single-namespace installation mode can't coexist
with the cluster-wide operator. Otherwise there would be collisions when
managing the resources in the namespace watched by the single-namespace
operator.
It is up to the user to ensure there is no collision between operators.

Refer to the [Operator Chart documentation](charts/cloudnative-pg/README.md) for advanced configuration and monitoring.

## Cluster chart
Expand Down
3 changes: 2 additions & 1 deletion charts/cloudnative-pg/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,8 @@ CloudNativePG Operator Helm Chart
| additionalEnv | list | `[]` | Array containing extra environment variables which can be templated. For example: - name: RELEASE_NAME value: "{{ .Release.Name }}" - name: MY_VAR value: "mySpecialKey" |
| affinity | object | `{}` | Affinity for the operator to be installed. |
| commonAnnotations | object | `{}` | Annotations to be added to all other resources. |
| config | object | `{"create":true,"data":{},"name":"cnpg-controller-manager-config","secret":false}` | Operator configuration. |
| config | object | `{"clusterWide":true,"create":true,"data":{},"name":"cnpg-controller-manager-config","secret":false}` | Operator configuration. |
| config.clusterWide | bool | `true` | This option determines if the operator is responsible for observing events across the entire Kubernetes cluster or if its focus should be narrowed down to the specific namespace within which it has been deployed. |
| config.create | bool | `true` | Specifies whether the secret should be created. |
| config.data | object | `{}` | The content of the configmap/secret, see https://cloudnative-pg.io/documentation/current/operator_conf/#available-options for all the available options. |
| config.name | string | `"cnpg-controller-manager-config"` | The name of the configmap/secret to use. |
Expand Down
7 changes: 5 additions & 2 deletions charts/cloudnative-pg/templates/NOTES.txt
Original file line number Diff line number Diff line change
@@ -1,18 +1,21 @@

CloudNativePG operator should be installed in namespace "{{ .Release.Namespace }}".
You can now create a PostgreSQL cluster with 3 nodes in the current namespace as follows:
You can now create a PostgreSQL cluster with 3 nodes as follows:

cat <<EOF | kubectl apply -f -
# Example of PostgreSQL cluster
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: cluster-example
{{if not .Values.config.clusterWide -}}
namespace: {{ .Release.Namespace }}
{{- end }}
spec:
instances: 3
storage:
size: 1Gi
EOF

kubectl get cluster
kubectl get -A cluster

Loading

0 comments on commit 7b388ba

Please sign in to comment.