making telegraf-operator work (#92)

* making telegraf-operator work * cutting a new version of the chart * addressed review

making telegraf-operator work (#92)
4eb7881d · Giacomo Tirabassi · GitHub · 21c78bc2 · 4eb7881d · 4eb7881d
Unverified Commit 4eb7881d authored May 22, 2020 by Giacomo Tirabassi Committed by GitHub May 22, 2020
10 changed files
--- a/charts/telegraf-operator/Chart.yaml
+++ b/charts/telegraf-operator/Chart.yaml
@@ -31,7 +31,7 @@ type: application

 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 1.0.0
+version: 1.0.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.

--- a/charts/telegraf-operator/README.md
+++ b/charts/telegraf-operator/README.md
 # Telegraf-operator

-> Default installation expects cert-manager to be running in the cluster
-
 ## Usage

 ```console
@@ -17,9 +15,16 @@ helm install telegraf-operator influxdata/telegraf-operator
 helm template --namespace=telegraf-operator telegraf-operator .
 ```

-Testing CI template
+Test installation with Kind
 ```shell
-helm template --namespace=telegraf-operator --values=./ci/values.yaml telegraf-operator .
+kind create cluster --name=telegraf-operator-test
+kubectl config use-context kind-telegraf-operator-test
+kubectl apply -f tests/influxdb.yml
+helm install telegraf-operator .
+kubectl apply -f tests/redis.yml
+kind delete cluster --name=telegraf-operator-test
 ```

+## Cert-manager integration 

+For better security there is already an integration with cert-manger >0.13 that can be enabled but you have to provide your own instalation of cert-manager in the cluster
--- a/charts/telegraf-operator/ci/test-values.yaml
+++ b/charts/telegraf-operator/ci/test-values.yaml
-replicaCount: 3
-image:
-  repository: quay.io/influxdb/telegraf-operator
-  pullPolicy: IfNotPresent
-  sidecarImage: "docker.io/library/telegraf:1.14.1"
-
-classes:
-  secretName: "telegraf-operator-classes"
-  default: "infra"
-  data:
-    infra: |
-      [[outputs.influxdb]]
-        urls = ["http://influxdb.influxdb:8086"]
-      [global_tags]
-        env = "ci"
-        hostname = "$HOSTNAME"
-        nodename = "$NODENAME"
-        type = "infra"
-
-certManager:
-  chart:
-    enable: false
-  certificate:
-    enable: false
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-serviceAccount:
-  # Annotations to add to the service account
-  annotations: {}
-podSecurityContext: {}
-  # fsGroup: 2000
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-resources:
-  limits:
-    cpu: 100m
-    memory: 128Mi
-  requests:
-    cpu: 50m
-    memory: 64Mi
-nodeSelector: {}
-tolerations: []
-affinity: {}
--- a/charts/telegraf-operator/templates/_helpers.tpl
+++ b/charts/telegraf-operator/templates/_helpers.tpl
@@ -65,10 +65,49 @@ Create the name of the service account to use
 {{/*
 Generate certificates for telegraf-operator mutating webhook 
 */}}
-{{- define "telegraf-operator.gen-certs" -}}
+{{- define "telegraf-operator.non_certmanager" -}}
 {{- $altNames := list ( printf "%s.%s" (include "telegraf-operator.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "telegraf-operator.name" .) .Release.Namespace ) -}}
 {{- $ca := genCA "telegraf-operator-ca" 365 -}}
 {{- $cert := genSignedCert ( include "telegraf-operator.name" . ) nil $altNames 365 $ca -}}
-tls.crt: {{ $cert.Cert | b64enc }}
-tls.key: {{ $cert.Key | b64enc }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: "{{ .Values.namespace }}/{{ include "telegraf-operator.fullname" . }}"
+  labels:
+    {{- include "telegraf-operator.labels" . | nindent 4 }}
+  name: {{ include "telegraf-operator.fullname" . }}
+webhooks:
+- clientConfig:
+    service:
+      name: {{ include "telegraf-operator.fullname" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-v1-pod
+    caBundle: {{ $ca.Cert | b64enc }}
+  failurePolicy: Ignore
+  name: telegraf.influxdata.com
+  rules:
+  - apiGroups:
+    - '*'
+    apiVersions:
+    - '*'
+    operations:
+    - CREATE
+    - DELETE
+    resources:
+    - pods
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: telegraf-operator-tls
+  labels:
+    {{- include "telegraf-operator.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": "pre-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+data:
+  tls.crt: {{ $cert.Cert | b64enc }}
+  tls.key: {{ $cert.Key | b64enc }}
 {{- end -}}
--- a/charts/telegraf-operator/templates/mutatingwebhookconfiguration.yml
+++ b/charts/telegraf-operator/templates/mutatingwebhookconfiguration.yml
+{{- if eq .Values.certManager.enable true -}}
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -24,3 +25,4 @@ webhooks:
    - DELETE
    resources:
    - pods
+{{- end }}
--- a/charts/telegraf-operator/templates/secret-classes.yml
+++ b/charts/telegraf-operator/templates/secret-classes.yml
@@ -6,18 +6,3 @@ metadata:
  namespace: {{ .Release.Namespace }}
 stringData: {{ .Values.classes.data | toYaml | nindent 2 }}
 {{- end }}
---
-{{- if eq .Values.certManager.enable false -}}
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/tls
-metadata:
-  name: telegraf-operator-tls
-  labels:
-    {{- include "telegraf-operator.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": "pre-install"
-    "helm.sh/hook-delete-policy": "before-hook-creation"
-data:
-{{ ( include "telegraf-operator.gen-certs" . ) | indent 2 }}
-{{- end }}
--- a/charts/telegraf-operator/templates/tls.yml
+++ b/charts/telegraf-operator/templates/tls.yml
+{{- if eq .Values.certManager.enable false -}}
+{{ ( include "telegraf-operator.non_certmanager" . ) }}
+{{- end }}
--- a/charts/telegraf-operator/tests/influxdb.yml
+++ b/charts/telegraf-operator/tests/influxdb.yml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: influxdb
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: influxdb
+  namespace: influxdb
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: influxdb
+  template:
+    metadata:
+      labels:
+        app: influxdb
+    spec:
+      containers:
+        - name: influxdb
+          image: influxdb:1.7.9
+        - name: chronograf
+          image: chronograf:1.6.2
+          args: ["--influxdb-url=http://localhost:8086"]
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: influxdb
+  name: influxdb
+  namespace: influxdb
+spec:
+  ports:
+    - name: server
+      port: 8086
+    - name: chronograf
+      port: 8888
+  selector:
+    app: influxdb
--- a/charts/telegraf-operator/tests/redis.yml
+++ b/charts/telegraf-operator/tests/redis.yml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+  namespace: test
+spec:
+  selector:
+    matchLabels:
+      app: redis
+  serviceName: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+      annotations:
+        telegraf.influxdata.com/ports: "8080,9090"
+    spec:
+      containers:
+      - name: redis
+        image: redis:alpine
--- a/charts/telegraf-operator/values.yaml
+++ b/charts/telegraf-operator/values.yaml
@@ -7,7 +7,15 @@ image:
 classes:
  secretName: "telegraf-operator-classes"
  default: "infra"
-  data: {}
+  data:
+    infra: |
+      [[outputs.influxdb]]
+        urls = ["http://influxdb.influxdb:8086"]
+      [global_tags]
+        env = "ci"
+        hostname = "$HOSTNAME"
+        nodename = "$NODENAME"
+        type = "infra"

 certManager:
  enable: false