Merge branch 'main' into feat/new-status-check

aenix-io · Jun 13, 2024 · 8537c86 · 8537c86
2 parents 3f7ae6c + 9978183
commit 8537c86
Show file tree

Hide file tree

Showing 60 changed files with 2,142 additions and 450 deletions.
diff --git a/.crd-docs.yaml b/.crd-docs.yaml
@@ -0,0 +1,10 @@
+processor:
+  ignoreTypes:
+    - "(EtcdCluster)List$"
+    - "(EtcdCluster)Status$"
+  ignoreFields:
+    - "status$"
+    - "TypeMeta$"
+
+render:
+  kubernetesVersion: 1.30.0
diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.6
 
       # Install the cosign tool except on PR
       # https://github.com/sigstore/cosign-installer
@@ -49,7 +49,7 @@ jobs:
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3.1.0
+        uses: docker/login-action@v3.2.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}

diff --git a/.github/workflows/helm-publish.yaml b/.github/workflows/helm-publish.yaml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.6
 
       - name: Install Helm
         uses: azure/setup-helm@v4.2.0

diff --git a/.github/workflows/hugo.yaml b/.github/workflows/hugo.yaml
@@ -41,7 +41,7 @@ jobs:
       - name: Install Dart Sass
         run: sudo snap install dart-sass
       - name: Checkout
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.6
         with:
           submodules: recursive
           fetch-depth: 0

diff --git a/.github/workflows/make-test-e2e.yaml b/.github/workflows/make-test-e2e.yaml
@@ -15,22 +15,28 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - version: 1.28.3
+          - version: v1.28.0
             attribute: penultimate
-          - version: 1.29.3
+          - version: v1.29.0
             attribute: previous
-          - version: 1.30.0
+          - version: default
             attribute: latest
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4.1.4
+      - uses: actions/checkout@v4.1.6
       - uses: actions/setup-go@v5.0.1
         with:
-          go-version: 1.22.2
+          go-version: 1.22.4
       - uses: docker/setup-buildx-action@v3.3.0
       - uses: tale/kubectl-action@v1.4.0
         with:
           kubectl-version: v1.30.0
           # Empty kubeconfig file
           base64-kube-config: "YXBpVmVyc2lvbjogdjEKa2luZDogQ29uZmlnCnByZWZlcmVuY2VzOiB7fQo="
-      - run: ENVTEST_K8S_VERSION=${{ matrix.k8s.version }} make test-e2e
+      - run: |
+          if [ "${{ matrix.k8s.version }}" = "default" ]; then
+            # For latest version use default from Makefile
+            make test-e2e
+          else
+            K8S_VERSION=${{ matrix.k8s.version }} make test-e2e
+          fi
diff --git a/.github/workflows/make-test.yaml b/.github/workflows/make-test.yaml
@@ -15,16 +15,22 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - version: 1.28.3
+          - version: v1.28.0
             attribute: penultimate
-          - version: 1.29.3
+          - version: v1.29.0
             attribute: previous
-          - version: 1.30.0
+          - version: default
             attribute: latest
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4.1.4
+      - uses: actions/checkout@v4.1.6
       - uses: actions/setup-go@v5.0.1
         with:
-          go-version: 1.22.2
-      - run: ENVTEST_K8S_VERSION=${{ matrix.k8s.version }} make test
+          go-version: 1.22.4
+      - run: |
+          if [ "${{ matrix.k8s.version }}" = "default" ]; then
+            # For latest version use default from Makefile
+            make test
+          else
+            K8S_VERSION=${{ matrix.k8s.version }} make test
+          fi
diff --git a/.github/workflows/nilaway-lint.yaml b/.github/workflows/nilaway-lint.yaml
@@ -7,8 +7,8 @@ jobs:
   nilaway-lint:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4.1.4
+      - uses: actions/checkout@v4.1.6
       - uses: actions/setup-go@v5.0.1
         with:
-          go-version: 1.22.2
+          go-version: 1.22.4
       - run: make nilaway-lint
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -7,8 +7,8 @@ jobs:
   pre-commit:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4.1.4
+      - uses: actions/checkout@v4.1.6
       - uses: actions/setup-go@v5.0.1
         with:
-          go-version: 1.22.2
+          go-version: 1.22.4
       - uses: pre-commit/action@v3.0.1
diff --git a/.github/workflows/release-assets.yaml b/.github/workflows/release-assets.yaml
@@ -14,10 +14,10 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4.1.4
+      - uses: actions/checkout@v4.1.6
       - uses: actions/setup-go@v5.0.1
         with:
-          go-version: 1.22.2
+          go-version: 1.22.4
       - name: Get tag from current run
         run: |
           TAG=${{ github.ref_name }}

diff --git a/.gitignore b/.gitignore
@@ -22,6 +22,7 @@ vendor
 
 # editor and IDE paraphernalia
 .idea
+.vscode
 *.swp
 *.swo
 *~
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -6,7 +6,7 @@ repos:
   hooks:
     - id: trailing-whitespace
     - id: end-of-file-fixer
-      exclude: "^charts/etcd-operator/(values.schema.json|README.md)$"
+      exclude: "^charts/etcd-operator/(values.schema.json|README.md)|site/content/en/docs/v([.0-9]+)/reference/api.md$"
     - id: check-added-large-files
 - repo: local
   hooks:
@@ -24,6 +24,11 @@ repos:
       entry: sh -c "make lint-fix"
       language: system
       require_serial: true
+    - id: make-generate-docs
+      name: make-generate-docs
+      entry: sh -c "make generate-docs"
+      language: system
+      require_serial: true
     - id: make-mod-tidy
       name: make-mod-tidy
       entry: sh -c "make mod-tidy"

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,10 +1,10 @@
-/.github @hiddenmarten @AlexGluck
+/.github @hiddenmarten @AlexGluck @aobort
 /api @sircthulhu @Kirill-Garbar
-/charts @hiddenmarten @AlexGluck
+/charts @hiddenmarten @AlexGluck @aobort
 /cmd @sircthulhu @Kirill-Garbar
 /config @sircthulhu @Kirill-Garbar
 /hack @sircthulhu @Kirill-Garbar
 /internal @sircthulhu @Kirill-Garbar @sergeyshevch
-/test @sircthulhu @Kirill-Garbar @hiddenmarten @AlexGluck
+/test @sircthulhu @Kirill-Garbar @hiddenmarten @AlexGluck @aobort
 /site @sergeyshevch @Kirill-Garbar
 /*.md @kvaps @Kirill-Garbar
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.22.2 AS builder
+FROM golang:1.22.4 AS builder
 ARG TARGETOS TARGETARCH
 
 WORKDIR /workspace
@@ -11,7 +11,7 @@ COPY go.mod go.sum ./
 RUN go mod download
 
 # Copy the go source
-COPY cmd/main.go ./cmd/
+COPY cmd/ ./cmd/
 COPY api/ ./api/
 COPY internal/ ./internal/
 

diff --git a/Makefile b/Makefile
@@ -1,10 +1,10 @@
 
 # Image URL to use all building/pushing image targets
 IMG ?= ghcr.io/aenix-io/etcd-operator:latest
-# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
+# K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 # renovate: datasource=github-tags depName=kubernetes/kubernetes
-ENVTEST_K8S_VERSION ?= v1.30.0
-ENVTEST_K8S_VERSION_TRIMMED_V = $(subst v,,$(ENVTEST_K8S_VERSION))
+K8S_VERSION ?= v1.30.0
+K8S_VERSION_TRIMMED_V = $(subst v,,$(K8S_VERSION))
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -55,6 +55,11 @@ manifests: controller-gen yq ## Generate WebhookConfiguration, ClusterRole and C
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
+.PHONY: generate-docs
+generate-docs: crd-ref-docs ## Generate CRD reference documentation.
+	@$(eval VERSION := $(shell $(YQ) '.params.version' site/hugo.yaml))
+	$(CRD_REF_DOCS) --config=.crd-docs.yaml --renderer=markdown --templates-dir="site/reference-templates" --output-path="site/content/en/docs/$(VERSION)/reference/api.md"
+
 .PHONY: fmt
 fmt: ## Run go fmt against code.
 	go fmt ./...
@@ -69,7 +74,9 @@ mod-tidy: ## Run go mod tidy against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION_TRIMMED_V) --bin-dir $(LOCALBIN) -p path)" go test $$(go list ./... | grep -v /e2e) -coverprofile cover.out
+	@echo "Check for kubernetes version $(K8S_VERSION_TRIMMED_V) in $(ENVTEST)"
+	@$(ENVTEST) list | grep -q $(K8S_VERSION_TRIMMED_V)
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(K8S_VERSION_TRIMMED_V) --bin-dir $(LOCALBIN) -p path)" go test $$(go list ./... | grep -v /e2e) -coverprofile cover.out
 
 # Utilize Kind or modify the e2e tests to load the image locally, enabling compatibility with other vendors.
 .PHONY: test-e2e  # Run the e2e tests against a Kind k8s instance that is spun up.
@@ -155,9 +162,9 @@ KIND_CLUSTER_NAME ?= etcd-operator-kind
 NAMESPACE ?= etcd-operator-system
 
 # renovate: datasource=github-tags depName=prometheus-operator/prometheus-operator
-PROMETHEUS_OPERATOR_VERSION ?= v0.73.2
+PROMETHEUS_OPERATOR_VERSION ?= v0.74.0
 # renovate: datasource=github-tags depName=jetstack/cert-manager
-CERT_MANAGER_VERSION ?= v1.14.5
+CERT_MANAGER_VERSION ?= v1.15.0
 
 ifndef ignore-not-found
   ignore-not-found = false
@@ -191,9 +198,13 @@ kind-load: docker-build kind ## Build and upload docker image to the local Kind
 	$(KIND) load docker-image ${IMG} --name $(KIND_CLUSTER_NAME)
 
 .PHONY: kind-create
-kind-create: kind ## Create kubernetes cluster using Kind.
+kind-create: kind yq ## Create kubernetes cluster using Kind.
 	@if ! $(KIND) get clusters | grep -q $(KIND_CLUSTER_NAME); then \
-		$(KIND) create cluster --name $(KIND_CLUSTER_NAME); \
+		$(KIND) create cluster --name $(KIND_CLUSTER_NAME) --image kindest/node:$(K8S_VERSION); \
+	fi
+	@if ! $(CONTAINER_TOOL) container inspect $$($(KIND) get nodes) | $(YQ) e '.[0].Config.Image' | grep -q $(K8S_VERSION); then \
+  		$(KIND) delete cluster --name $(KIND_CLUSTER_NAME); \
+		$(KIND) create cluster --name $(KIND_CLUSTER_NAME) --image kindest/node:$(K8S_VERSION); \
 	fi
 
 .PHONY: kind-delete
@@ -234,6 +245,7 @@ KIND ?= $(LOCALBIN)/kind
 HELM ?= $(LOCALBIN)/helm
 HELM_DOCS ?= $(LOCALBIN)/helm-docs
 YQ = $(LOCALBIN)/yq
+CRD_REF_DOCS ?= $(LOCALBIN)/crd-ref-docs
 
 ## Tool Versions
 # renovate: datasource=github-tags depName=kubernetes-sigs/kustomize
@@ -242,17 +254,17 @@ KUSTOMIZE_VERSION ?= v5.3.0
 CONTROLLER_TOOLS_VERSION ?= v0.15.0
 ENVTEST_VERSION ?= latest
 # renovate: datasource=github-tags depName=golangci/golangci-lint
-GOLANGCI_LINT_VERSION ?= v1.58.0
+GOLANGCI_LINT_VERSION ?= v1.59.0
 # renovate: datasource=github-tags depName=kubernetes-sigs/kind
-KIND_VERSION ?= v0.22.0
+KIND_VERSION ?= v0.23.0
 # renovate: datasource=github-tags depName=helm/helm
-HELM_VERSION ?= v3.14.4
+HELM_VERSION ?= v3.15.1
 # renovate: datasource=github-tags depName=losisin/helm-values-schema-json
-HELM_SCHEMA_VERSION ?= v1.3.0
+HELM_SCHEMA_VERSION ?= v1.4.0
 # renovate: datasource=github-tags depName=norwoodj/helm-docs
 HELM_DOCS_VERSION ?= v1.13.1
 # renovate: datasource=github-tags depName=mikefarah/yq
-YQ_VERSION ?= v4.43.1
+YQ_VERSION ?= v4.44.1
 
 ## Tool install scripts
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
@@ -274,6 +286,10 @@ controller-gen: $(LOCALBIN)
 envtest: $(LOCALBIN)
 	@test -x $(ENVTEST) || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@$(ENVTEST_VERSION)
 
+.PHONY: crd-ref-docs
+crd-ref-docs: $(LOCALBIN)
+	@test -x $(CRD_REF_DOCS) || GOBIN=$(LOCALBIN) go install github.com/elastic/crd-ref-docs@latest
+
 .PHONY: golangci-lint
 golangci-lint: $(LOCALBIN)
 	@test -x $(GOLANGCI_LINT) && $(GOLANGCI_LINT) version | grep -q $(GOLANGCI_LINT_VERSION) || \

diff --git a/api/v1alpha1/etcdcluster_types.go b/api/v1alpha1/etcdcluster_types.go
@@ -98,6 +98,18 @@ func (r *EtcdCluster) CalculateQuorumSize() int {
 	return int(*r.Spec.Replicas)/2 + 1
 }
 
+func (c *EtcdCluster) IsClientSecurityEnabled() bool {
+	return c.Spec.Security != nil && c.Spec.Security.TLS.ClientSecret != ""
+}
+
+func (c *EtcdCluster) IsServerSecurityEnabled() bool {
+	return c.Spec.Security != nil && c.Spec.Security.TLS.ServerSecret != ""
+}
+
+func (c *EtcdCluster) IsServerTrustedCADefined() bool {
+	return c.Spec.Security != nil && c.Spec.Security.TLS.ServerTrustedCASecret != ""
+}
+
 // +kubebuilder:object:root=true
 
 // EtcdClusterList contains a list of EtcdCluster
@@ -174,24 +186,36 @@ type SecuritySpec struct {
 	// Section for user-managed tls certificates
 	// +optional
 	TLS TLSSpec `json:"tls,omitempty"`
+	// Section to enable etcd auth
+	EnableAuth bool `json:"enableAuth,omitempty"`
 }
 
 // TLSSpec defines user-managed certificates names.
 type TLSSpec struct {
-	// Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt field in the secret.
+	// Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have ca.crt field in the secret.
+	// This secret must be created in the namespace with etcdCluster CR.
 	// +optional
 	PeerTrustedCASecret string `json:"peerTrustedCASecret,omitempty"`
 	// Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret.
+	// This secret must be created in the namespace with etcdCluster CR.
 	// +optional
 	PeerSecret string `json:"peerSecret,omitempty"`
+	// Trusted CA for etcd server certificates for client-server communication. Is necessary to set trust between operator and etcd.
+	// It is expected to have ca.crt field in the secret. If it is not specified, then insecure communication will be used.
+	// This secret must be created in the namespace with etcdCluster CR.
+	// +optional
+	ServerTrustedCASecret string `json:"serverTrustedCASecret,omitempty"`
 	// Server certificate secret to secure client-server communication. Is provided to the client who connects to etcd by client port (2379 by default).
 	// It is expected to have tls.crt and tls.key fields in the secret.
+	// This secret must be created in the namespace with etcdCluster CR.
 	// +optional
 	ServerSecret string `json:"serverSecret,omitempty"`
-	// Trusted CA for client certificates that are provided by client to etcd. It is expected to have tls.crt field in the secret.
+	// Trusted CA for client certificates that are provided by client to etcd. It is expected to have ca.crt field in the secret.
+	// This secret must be created in the namespace with etcdCluster CR.
 	// +optional
 	ClientTrustedCASecret string `json:"clientTrustedCASecret,omitempty"`
 	// Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret.
+	// This secret must be created in the namespace with etcdCluster CR.
 	// +optional
 	ClientSecret string `json:"clientSecret,omitempty"`
 }