updating to 0.24.0

Author: kmadel

charts/vcluster/Chart.yaml

@@ -23,4 +23,4 @@ sources:
   - https://github.com/loft-demos/vcluster-charts/charts/vcluster
 type: application
 
-version: 0.23.0 # version is auto-generated by release pipeline
+version: 0.24.0 # version is auto-generated by release pipeline

charts/vcluster/templates/_exportKubeConfig.tpl

@@ -0,0 +1,37 @@
+{{- define "vcluster.exportKubeConfig.validate" }}
+{{- /*
+  Verify that exportKubeConfig.secret and exportKubeConfig.additionalSecrets are
+  not set at the same time.
+*/}}
+{{- $secretSet := false }}
+{{- if .Values.exportKubeConfig.secret }}
+{{- $secretSet = or (.Values.exportKubeConfig.secret.name | trim | ne "") (.Values.exportKubeConfig.secret.namespace | trim | ne "") }}
+{{- end }}
+{{- $additionalSecretsSet := false }}
+{{- if .Values.exportKubeConfig.additionalSecrets }}
+{{- $additionalSecretsSet = gt (len .Values.exportKubeConfig.additionalSecrets) 0 }}
+{{- end }}
+{{- if and $secretSet $additionalSecretsSet }}
+{{- fail "exportKubeConfig.secret and exportKubeConfig.additionalSecrets cannot be set at the same time" }}
+{{- end }}
+{{- /*
+  Verify that additional secrets have name or namespace set.
+*/}}
+{{- range $_, $additionalSecret := .Values.exportKubeConfig.additionalSecrets }}
+{{- $nameSet := false }}
+{{- $namespaceSet := false }}
+{{- if $additionalSecret.name }}
+{{- if $additionalSecret.name | trim | ne "" }}
+{{- $nameSet = true }}
+{{- end }}
+{{- end }}
+{{- if $additionalSecret.namespace }}
+{{- if $additionalSecret.namespace | trim | ne "" }}
+{{- $namespaceSet = true }}
+{{- end }}
+{{- end }}
+{{- if not (or $nameSet $namespaceSet) }}
+{{- fail (cat "additional secret must have name and/or namespace set, found:" (toJson $additionalSecret)) }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/vcluster/templates/clusterrole.yaml

@@ -75,7 +75,7 @@ rules:
     verbs: ["get", "watch", "list"]
   {{- end }}
   {{- if .Values.sync.fromHost.runtimeClasses.enabled }}
-  - apiGroups: ["nodes.k8s.io"]
+  - apiGroups: ["node.k8s.io"]
     resources: ["runtimeclasses"]
     verbs: ["get", "watch", "list"]
   {{- end }}

charts/vcluster/templates/service-monitor.yaml

@@ -7,7 +7,9 @@ metadata:
   labels:
     app: vcluster
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+  {{- if or (not .Values.controlPlane.serviceMonitor.labels) (not (hasKey .Values.controlPlane.serviceMonitor.labels "release")) }}
     release: "{{ .Release.Name }}"
+  {{- end}}
     heritage: "{{ .Release.Service }}"
   {{- if .Values.controlPlane.serviceMonitor.labels }}
 {{ toYaml .Values.controlPlane.serviceMonitor.labels | indent 4 }}
@@ -24,11 +26,15 @@ spec:
       release: "{{ .Release.Name }}"
       chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
       heritage: "{{ .Release.Service }}"
+      vcluster.loft.sh/service: "true"
   endpoints:
   - interval: 30s
     port: https
     path: /metrics
     scheme: https
+    relabelings:
+      - targetLabel: endpoint
+        replacement: "apiserver"
     tlsConfig:
       ca:
         secret:
@@ -41,4 +47,46 @@ spec:
       keySecret:
         name: vc-{{ .Release.Name }}
         key: client-key
+  {{- if eq (include "vcluster.distro" .) "k8s" }}
+  - interval: 30s
+    port: https
+    path: /controller-manager/metrics
+    scheme: https
+    relabelings:
+      - targetLabel: endpoint
+        replacement: "controller-manager"
+    tlsConfig:
+      ca:
+        secret:
+          name: vc-{{ .Release.Name }}
+          key: certificate-authority
+      cert:
+        secret:
+          name: vc-{{ .Release.Name }}
+          key: client-certificate
+      keySecret:
+        name: vc-{{ .Release.Name }}
+        key: client-key
+  {{- if .Values.controlPlane.advanced.virtualScheduler.enabled }}
+  - interval: 30s
+    port: https
+    path: /scheduler/metrics
+    scheme: https
+    relabelings:
+      - targetLabel: endpoint
+        replacement: "scheduler"
+    tlsConfig:
+      ca:
+        secret:
+          name: vc-{{ .Release.Name }}
+          key: certificate-authority
+      cert:
+        secret:
+          name: vc-{{ .Release.Name }}
+          key: client-certificate
+      keySecret:
+        name: vc-{{ .Release.Name }}
+        key: client-key
+  {{- end }}
+  {{- end }}
 {{- end }}

charts/vcluster/templates/service.yaml

@@ -9,6 +9,7 @@ metadata:
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
+    vcluster.loft.sh/service: "true"
     {{- if .Values.controlPlane.service.labels }}
 {{ toYaml .Values.controlPlane.service.labels | indent 4 }}
     {{- end }}

charts/vcluster/templates/statefulset.yaml

@@ -118,10 +118,6 @@ spec:
         - name: coredns
           configMap:
             name: vc-coredns-{{ .Release.Name }}
-        # - name: custom-config-volume
-        #   configMap:
-        #     name: coredns-custom
-        #     optional: true
         {{- end }}
         {{- if .Values.controlPlane.statefulSet.persistence.dataVolume }}
 {{ toYaml .Values.controlPlane.statefulSet.persistence.dataVolume | indent 8 }}

charts/vcluster/tests/service-monitor_test.yaml

@@ -16,6 +16,33 @@ tests:
       controlPlane:
         serviceMonitor:
           enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: metadata.name
+          value: vc-my-release
+      - equal:
+          path: metadata.namespace
+          value: my-namespace
+      - equal:
+          path: spec.selector.matchLabels.app
+          value: vcluster
+      - lengthEqual:
+          path: spec.endpoints
+          count: 2
+
+  - it: check defaults k3s
+    release:
+      name: my-release
+      namespace: my-namespace
+    set:
+      controlPlane:
+        distro:
+          k3s:
+            enabled: true
+        serviceMonitor:
+          enabled: true
     asserts:
       - hasDocuments:
           count: 1
@@ -31,3 +58,38 @@ tests:
       - lengthEqual:
           path: spec.endpoints
           count: 1
+
+  - it: override release label
+    release:
+      name: my-release
+      namespace: my-namespace
+    set:
+      controlPlane:
+        serviceMonitor:
+          enabled: true
+          labels:
+            release: kube-prometheus-stack
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: metadata.labels.release
+          value: kube-prometheus-stack
+
+  - it: check virtual scheduler
+    release:
+      name: my-release
+      namespace: my-namespace
+    set:
+      controlPlane:
+        advanced:
+          virtualScheduler:
+            enabled: true
+        serviceMonitor:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - lengthEqual:
+          path: spec.endpoints
+          count: 3

charts/vcluster/tests/statefulset_test.yaml

@@ -914,3 +914,25 @@ tests:
       - equal:
           path: kind
           value: StatefulSet
+
+  - it: fails when you set both exportKubeConfig.secret and exportKubeConfig.additionalSecrets
+    set:
+      exportKubeConfig:
+        secret:
+          name: my-secret
+        additionalSecrets:
+          - name: another-secret
+    asserts:
+      - failedTemplate:
+          errorMessage: "exportKubeConfig.secret and exportKubeConfig.additionalSecrets cannot be set at the same time"
+
+  - it: fails when additional secret does not have at least name or namespace
+    set:
+      exportKubeConfig:
+        additionalSecrets:
+          - name: my-secret
+            context: my-context
+          - server: my-server
+    asserts:
+      - failedTemplate:
+          errorMessage: "additional secret must have name and/or namespace set, found: {\"server\":\"my-server\"}"

charts/vcluster/values.schema.json

@@ -1636,13 +1636,51 @@
         },
         "secret": {
           "$ref": "#/$defs/ExportKubeConfigSecretReference",
-          "description": "Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig.\nIf this is not defined, vCluster will create it with `vc-NAME`. If you specify another name,\nvCluster creates the config in this other secret."
+          "description": "Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig.\nIf this is not defined, vCluster will create it with `vc-NAME`. If you specify another name,\nvCluster creates the config in this other secret.\n\nDeprecated: Use AdditionalSecrets instead."
+        },
+        "additionalSecrets": {
+          "items": {
+            "$ref": "#/$defs/ExportKubeConfigAdditionalSecretReference"
+          },
+          "type": "array",
+          "description": "AdditionalSecrets specifies the additional host cluster secrets in which vCluster will store the\ngenerated virtual cluster kubeconfigs."
         }
       },
       "additionalProperties": false,
       "type": "object",
       "description": "ExportKubeConfig describes how vCluster should export the vCluster kubeconfig."
     },
+    "ExportKubeConfigAdditionalSecretReference": {
+      "properties": {
+        "context": {
+          "type": "string",
+          "description": "Context is the name of the context within the generated kubeconfig to use."
+        },
+        "server": {
+          "type": "string",
+          "description": "Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig."
+        },
+        "insecure": {
+          "type": "boolean",
+          "description": "If tls should get skipped for the server"
+        },
+        "serviceAccount": {
+          "$ref": "#/$defs/ExportKubeConfigServiceAccount",
+          "description": "ServiceAccount can be used to generate a service account token instead of the default certificates."
+        },
+        "name": {
+          "type": "string",
+          "description": "Name is the name of the secret where the kubeconfig is stored."
+        },
+        "namespace": {
+          "type": "string",
+          "description": "Namespace where vCluster stores the kubeconfig secret. If this is not equal to the namespace\nwhere you deployed vCluster, you need to make sure vCluster has access to this other namespace."
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "description": "ExportKubeConfigAdditionalSecretReference defines the additional host cluster secret in which vCluster stores the generated virtual cluster kubeconfigs."
+    },
     "ExportKubeConfigSecretReference": {
       "properties": {
         "name": {

charts/vcluster/values.yaml

@@ -972,6 +972,8 @@ exportKubeConfig:
   # Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig.
   # If this is not defined, vCluster will create it with `vc-NAME`. If you specify another name,
   # vCluster creates the config in this other secret.
+
+  # Deprecated: Use AdditionalSecrets instead.
   secret:
     # Name is the name of the secret where the kubeconfig should get stored.
     name: ""