Merge commit from fork

* fix(etcd): using rangeEnd function to restrict permissions

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>

* Update internal/datastore/etcd.go

Co-authored-by: Simon Kienzler <SimonKienzler@users.noreply.github.com>

---------

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
Co-authored-by: Simon Kienzler <SimonKienzler@users.noreply.github.com>

.github/dependabot.yml

@@ -0,0 +1,20 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+    rebase-strategy: disabled
+    commit-message:
+      prefix: "feat(deps)"
+    groups:
+      arrow:
+        patterns:
+          - "k8s.io*"
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    rebase-strategy: disabled
+    commit-message:
+      prefix: "chore(ci)"

.github/workflows/ci.yaml

@@ -12,12 +12,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v5
         with:
           go-version: '1.22'
           check-latest: true
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v3.2.0
+        uses: golangci/golangci-lint-action@v6.1.0
         with:
           version: v1.54.2
           only-new-issues: false
@@ -29,7 +29,7 @@ jobs:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v5
         with:
           go-version: '1.22'
           check-latest: true

.github/workflows/e2e.yaml

@@ -6,6 +6,7 @@ on:
     paths:
       - '.github/workflows/e2e.yml'
       - 'api/**'
+      - 'charts/kamaji/**'
       - 'controllers/**'
       - 'e2e/*'
       - 'Dockerfile'
@@ -19,6 +20,7 @@ on:
     paths:
       - '.github/workflows/e2e.yml'
       - 'api/**'
+      - 'charts/kamaji/**'
       - 'controllers/**'
       - 'e2e/*'
       - 'Dockerfile'
@@ -36,7 +38,7 @@ jobs:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v5
         with:
           go-version: '1.22'
           check-latest: true

.github/workflows/helm.yaml

@@ -25,6 +25,10 @@ jobs:
       - uses: azure/setup-helm@v1
         with:
           version: 3.3.4
+      - name: Building dependencies
+        run: |-
+          helm repo add clastix https://clastix.github.io/charts 
+          helm dependency build ./charts/kamaji
       - name: Linting Chart
         run: helm lint ./charts/kamaji
   release:

.gitignore

@@ -37,3 +37,4 @@ bin
 **/server-csr.json
 !deploy/kine/mysql/server-csr.json
 !deploy/kine/nats/server-csr.json
+charts/kamaji/charts

Makefile

@@ -307,6 +307,8 @@ env:
 
 .PHONY: e2e
 e2e: env load helm ginkgo cert-manager ## Create a KinD cluster, install Kamaji on it and run the test suite.
+	$(HELM) repo add clastix https://clastix.github.io/charts
+	$(HELM) dependency build ./charts/kamaji
 	$(HELM) upgrade --debug --install kamaji ./charts/kamaji --create-namespace --namespace kamaji-system --set "image.pullPolicy=Never" --set "telemetry.disabled=true"
 	$(MAKE) datastores
 	$(GINKGO) -v ./e2e

charts/kamaji/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: kamaji-etcd
+  repository: https://clastix.github.io/charts
+  version: 0.7.0
+digest: sha256:2e23a11b06da2aa3a935a56a93d56876c6c8ef0a7800ee44070f9a269dfbca71
+generated: "2024-08-10T23:03:35.382486587+02:00"

charts/kamaji/Chart.yaml

@@ -17,8 +17,33 @@ name: kamaji
 sources:
 - https://github.com/clastix/kamaji
 type: application
-version: 1.0.0
+version: 2.0.0
+dependencies:
+- name: kamaji-etcd
+  repository: https://clastix.github.io/charts
+  version: ">=0.7.0"
+  condition: kamaji-etcd.deploy
 annotations:
   catalog.cattle.io/certified: partner
   catalog.cattle.io/release-name: kamaji
   catalog.cattle.io/display-name: Kamaji
+  artifacthub.io/crds: |
+    - kind: TenantControlPlane
+      version: v1alpha1
+      name: tenantcontrolplanes.kamaji.clastix.io
+      displayName: TenantControlPlane
+      description: TenantControlPlane defines the desired state for a Control Plane backed by Kamaji.
+    - kind: DataStore
+      version: v1alpha1
+      name: datastores.kamaji.clastix.io
+      displayName: DataStore
+      description: DataStores is holding all the required details to communicate with a Datastore, such as etcd, MySQL, PostgreSQL, and NATS.
+  artifacthub.io/links: |
+    - name: CLASTIX
+      url: https://clastix.io
+    - name: support
+      url: https://clastix.io/support
+  artifacthub.io/operator: "true"
+  artifacthub.io/operatorCapabilities: "full lifecycle"
+  artifacthub.io/changes: |
+    - Using dependency chart `kamaji-etcd` as a default DataStore.

charts/kamaji/README.md

@@ -1,6 +1,6 @@
 # kamaji
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0](https://img.shields.io/badge/AppVersion-v1.0.0-informational?style=flat-square)
+![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0](https://img.shields.io/badge/AppVersion-v1.0.0-informational?style=flat-square)
 
 Kamaji is the Hosted Control Plane Manager for Kubernetes.
 
@@ -20,6 +20,10 @@ Kamaji is the Hosted Control Plane Manager for Kubernetes.
 
 Kubernetes: `>=1.21.0-0`
 
+| Repository | Name | Version |
+|------------|------|---------|
+| https://clastix.github.io/charts | kamaji-etcd | >=0.7.0 |
+
 [Kamaji](https://github.com/clastix/kamaji) requires a [multi-tenant `etcd`](https://github.com/clastix/kamaji-internal/blob/master/deploy/getting-started-with-kamaji.md#setup-internal-multi-tenant-etcd) cluster.
 This Helm Chart starting from v0.1.1 provides the installation of an internal `etcd` in order to streamline the local test. If you'd like to use an externally managed etcd instance, you can specify the overrides and by setting the value `etcd.deploy=false`.
 
@@ -66,49 +70,7 @@ Here the values you can override:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Kubernetes affinity rules to apply to Kamaji controller pods |
-| cfssl.image.repository | string | `"cfssl/cfssl"` |  |
-| cfssl.image.tag | string | `"latest"` |  |
-| datastore.basicAuth.passwordSecret.keyPath | string | `nil` | The Secret key where the data is stored. |
-| datastore.basicAuth.passwordSecret.name | string | `nil` | The name of the Secret containing the password used to connect to the relational database. |
-| datastore.basicAuth.passwordSecret.namespace | string | `nil` | The namespace of the Secret containing the password used to connect to the relational database. |
-| datastore.basicAuth.usernameSecret.keyPath | string | `nil` | The Secret key where the data is stored. |
-| datastore.basicAuth.usernameSecret.name | string | `nil` | The name of the Secret containing the username used to connect to the relational database. |
-| datastore.basicAuth.usernameSecret.namespace | string | `nil` | The namespace of the Secret containing the username used to connect to the relational database. |
-| datastore.driver | string | `"etcd"` | (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). |
-| datastore.enabled | bool | `true` | (bool) Enable the Kamaji Datastore creation (default=true) |
-| datastore.endpoints | list | `[]` | (array) List of endpoints of the selected Datastore. When letting the Chart install the etcd datastore, this field is populated automatically. |
-| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. |
-| datastore.tlsConfig.certificateAuthority.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. |
-| datastore.tlsConfig.certificateAuthority.certificate.name | string | `nil` | Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. |
-| datastore.tlsConfig.certificateAuthority.certificate.namespace | string | `nil` | Namespace of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. |
-| datastore.tlsConfig.certificateAuthority.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. |
-| datastore.tlsConfig.certificateAuthority.privateKey.name | string | `nil` | Name of the Secret containing the CA private key required to establish the mandatory SSL/TLS connection to the datastore. |
-| datastore.tlsConfig.certificateAuthority.privateKey.namespace | string | `nil` | Namespace of the Secret containing the CA private key required to establish the mandatory SSL/TLS connection to the datastore. |
-| datastore.tlsConfig.clientCertificate.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. |
-| datastore.tlsConfig.clientCertificate.certificate.name | string | `nil` | Name of the Secret containing the client certificate required to establish the mandatory SSL/TLS connection to the datastore. |
-| datastore.tlsConfig.clientCertificate.certificate.namespace | string | `nil` | Namespace of the Secret containing the client certificate required to establish the mandatory SSL/TLS connection to the datastore. |
-| datastore.tlsConfig.clientCertificate.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. |
-| datastore.tlsConfig.clientCertificate.privateKey.name | string | `nil` | Name of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. |
-| datastore.tlsConfig.clientCertificate.privateKey.namespace | string | `nil` | Namespace of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. |
-| datastore.tlsConfig.enabled | bool | `true` |  |
-| etcd.compactionInterval | int | `0` | ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) |
-| etcd.deploy | bool | `true` | Install an etcd with enabled multi-tenancy along with Kamaji |
-| etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.6"}` | Install specific etcd image |
-| etcd.livenessProbe | object | `{"failureThreshold":8,"httpGet":{"path":"/health?serializable=true","port":2381,"scheme":"HTTP"},"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":15}` | The livenessProbe for the etcd container |
-| etcd.overrides.caSecret.name | string | `"etcd-certs"` | Name of the secret which contains CA's certificate and private key. (default: "etcd-certs") |
-| etcd.overrides.caSecret.namespace | string | `"kamaji-system"` | Namespace of the secret which contains CA's certificate and private key. (default: "kamaji-system") |
-| etcd.overrides.clientSecret.name | string | `"root-client-certs"` | Name of the secret which contains ETCD client certificates. (default: "root-client-certs") |
-| etcd.overrides.clientSecret.namespace | string | `"kamaji-system"` | Name of the namespace where the secret which contains ETCD client certificates is. (default: "kamaji-system") |
-| etcd.overrides.endpoints | object | `{"etcd-0":"etcd-0.etcd.kamaji-system.svc.cluster.local","etcd-1":"etcd-1.etcd.kamaji-system.svc.cluster.local","etcd-2":"etcd-2.etcd.kamaji-system.svc.cluster.local"}` | (map) Dictionary of the endpoints for the etcd cluster's members, key is the name of the etcd server. Don't define the protocol (TLS is automatically inflected), or any port, inflected from .etcd.peerApiPort value. |
-| etcd.peerApiPort | int | `2380` | The peer API port which servers are listening to. |
-| etcd.persistence.accessModes[0] | string | `"ReadWriteOnce"` |  |
-| etcd.persistence.customAnnotations | object | `{}` | The custom annotations to add to the PVC |
-| etcd.persistence.size | string | `"10Gi"` |  |
-| etcd.persistence.storageClassName | string | `""` |  |
-| etcd.port | int | `2379` | The client request port. |
-| etcd.serviceAccount.create | bool | `true` | Create a ServiceAccount, required to install and provision the etcd backing storage (default: true) |
-| etcd.serviceAccount.name | string | `""` | Define the ServiceAccount name to use during the setup and provision of the etcd backing storage (default: "") |
-| etcd.tolerations | list | `[]` | (array) Kubernetes affinity rules to apply to Kamaji etcd pods |
+| defaultDatastoreName | string | `"default"` | Specify the default DataStore name for the Kamaji instance. |
 | extraArgs | list | `[]` | A list of extra arguments to add to the kamaji controller default ones |
 | fullnameOverride | string | `""` |  |
 | healthProbeBindAddress | string | `":8081"` | The address the probe endpoint binds to. (default ":8081") |
@@ -116,9 +78,13 @@ Here the values you can override:
 | image.repository | string | `"clastix/kamaji"` | The container image of the Kamaji controller. |
 | image.tag | string | `nil` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
+| kamaji-etcd.datastore.enabled | bool | `true` |  |
+| kamaji-etcd.datastore.name | string | `"default"` |  |
+| kamaji-etcd.deploy | bool | `true` |  |
+| kamaji-etcd.fullnameOverride | string | `"kamaji-etcd"` |  |
 | livenessProbe | object | `{"httpGet":{"path":"/healthz","port":"healthcheck"},"initialDelaySeconds":15,"periodSeconds":20}` | The livenessProbe for the controller container |
-| loggingDevel.enable | bool | `false` | (string) Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default false) |
-| metricsBindAddress | string | `":8080"` | (string) The address the metric endpoint binds to. (default ":8080") |
+| loggingDevel.enable | bool | `false` | Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default false) |
+| metricsBindAddress | string | `":8080"` | The address the metric endpoint binds to. (default ":8080") |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` | Kubernetes node selector rules to schedule Kamaji controller |
 | podAnnotations | object | `{}` | The annotations to apply to the Kamaji controller pods. |

charts/kamaji/templates/_helpers_datastore.tpl

@@ -1,94 +0,0 @@
-{{/*
-Create a default fully qualified datastore name.
-*/}}
-{{- define "datastore.fullname" -}}
-{{- if .Values.datastore.enabled }}
-{{- default "default" .Values.datastore.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- required "A valid .Values.datastore.nameOverride required!" .Values.datastore.nameOverride }}
-{{- end }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "datastore.labels" -}}
-kamaji.clastix.io/datastore: {{ .Values.datastore.driver }}
-helm.sh/chart: {{ include "kamaji.chart" . }}
-{{ include "kamaji.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Datastore endpoints, in case of ETCD, retrieving the one provided by the chart.
-*/}}
-{{- define "datastore.endpoints" -}}
-{{- if eq .Values.datastore.driver "etcd" }}
-{{ include "etcd.endpoints" . }}
-{{- else }}
-{{ .Values.datastore.endpoints }}
-{{- end }}
-{{- end }}
-
-{{/*
-The Certificate Authority section for the DataSource object.
-*/}}
-{{- define "datastore.certificateAuthority" -}}
-{{- if eq .Values.datastore.driver "etcd" }}
-certificate:
-  secretReference:
-    name: {{ include "etcd.caSecretName" . }}
-    namespace: {{ include "etcd.caSecretNamespace" . }}
-    keyPath: ca.crt
-privateKey:
-  secretReference:
-    name: {{ include "etcd.caSecretName" . }}
-    namespace: {{ include "etcd.caSecretNamespace" . }}
-    keyPath: ca.key
-{{- else }}
-certificate:
-  secretReference:
-    name: {{ .Values.datastore.tlsConfig.certificateAuthority.certificate.name }}
-    namespace: {{ .Values.datastore.tlsConfig.certificateAuthority.certificate.namespace }}
-    keyPath: {{ .Values.datastore.tlsConfig.certificateAuthority.certificate.keyPath }}
-{{- if .Values.datastore.tlsConfig.certificateAuthority.privateKey.name }}
-privateKey:
-  secretReference:
-    name: {{ .Values.datastore.tlsConfig.certificateAuthority.privateKey.name }}
-    namespace: {{ .Values.datastore.tlsConfig.certificateAuthority.privateKey.namespace }}
-    keyPath: {{ .Values.datastore.tlsConfig.certificateAuthority.privateKey.keyPath }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-The Client Certificate section for the DataSource object.
-*/}}
-{{- define "datastore.clientCertificate" -}}
-{{- if eq .Values.datastore.driver "etcd" }}
-certificate:
-    secretReference:
-      name: {{ include "etcd.clientSecretName" . }}
-      namespace: {{ include "etcd.clientSecretNamespace" . }}
-      keyPath: tls.crt
-privateKey:
-    secretReference:
-      name: {{ include "etcd.clientSecretName" . }}
-      namespace: {{ include "etcd.clientSecretNamespace" . }}
-      keyPath: tls.key
-{{- else }}
-certificate:
-  secretReference:
-    name: {{ .Values.datastore.tlsConfig.clientCertificate.certificate.name }}
-    namespace: {{ .Values.datastore.tlsConfig.clientCertificate.certificate.namespace }}
-    keyPath: {{ .Values.datastore.tlsConfig.clientCertificate.certificate.keyPath }}
-privateKey:
-  secretReference:
-    name: {{ .Values.datastore.tlsConfig.clientCertificate.privateKey.name }}
-    namespace: {{ .Values.datastore.tlsConfig.clientCertificate.privateKey.namespace }}
-    keyPath: {{ .Values.datastore.tlsConfig.clientCertificate.privateKey.keyPath }}
-{{- end }}
-{{- end }}

charts/kamaji/templates/_helpers_etcd.tpl

@@ -1,142 +0,0 @@
-{{/*
-Create a default fully qualified etcd name.
-*/}}
-{{- define "etcd.fullname" -}}
-{{- printf "etcd" }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "etcd.serviceAccountName" -}}
-{{- if .Values.etcd.serviceAccount.create }}
-{{- default (include "etcd.fullname" .) .Values.etcd.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.etcd.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create the name of the Service to use
-*/}}
-{{- define "etcd.serviceName" -}}
-{{- printf "%s" (include "etcd.fullname" .) | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "etcd.labels" -}}
-app.kubernetes.io/name: {{ include "kamaji.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/components: etcd
-{{- end }}
-
-{{/*
-Selector labels.
-*/}}
-{{- define "etcd.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "kamaji.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/component: etcd
-{{- end }}
-
-{{/*
-Name of the etcd CA secret.
-*/}}
-{{- define "etcd.caSecretName" }}
-{{- if .Values.etcd.deploy }}
-{{- printf "%s-%s" (include "etcd.fullname" .) "certs" | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- required "A valid .Values.etcd.overrides.caSecret.name required!" .Values.etcd.overrides.caSecret.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Namespace of the etcd CA secret.
-*/}}
-{{- define "etcd.caSecretNamespace" }}
-{{- if .Values.etcd.deploy }}
-{{- .Release.Namespace }}
-{{- else }}
-{{- required "A valid .Values.etcd.overrides.caSecret.namespace required!" .Values.etcd.overrides.caSecret.namespace }}
-{{- end }}
-{{- end }}
-
-{{/*
-Name of the certificate signing requests for the certificates required by etcd.
-*/}}
-{{- define "etcd.csrConfigMapName" }}
-{{- printf "%s-csr" (include "etcd.fullname" .) }}
-{{- end }}
-
-{{/*
-Name of the etcd root-client secret.
-*/}}
-{{- define "etcd.clientSecretName" }}
-{{- if .Values.etcd.deploy }}
-{{- printf "root-client-certs" }}
-{{- else }}
-{{- required "A valid .Values.etcd.overrides.clientSecret.name required!" .Values.etcd.overrides.clientSecret.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Namespace of the etcd root-client secret.
-*/}}
-{{- define "etcd.clientSecretNamespace" }}
-{{- if .Values.etcd.deploy }}
-{{- .Release.Namespace }}
-{{- else }}
-{{- required "A valid .Values.etcd.overrides.clientSecret.namespace required!" .Values.etcd.overrides.clientSecret.namespace }}
-{{- end }}
-{{- end }}
-
-{{/*
-Comma separated list of etcd endpoints, using the overrides in case of unmanaged etcd.
-*/}}
-{{- define "etcd.endpoints" }}
-{{- $list := list -}}
-{{- if .Values.etcd.deploy }}
-    {{- range $count := until 3 -}}
-        {{- $list = append $list (printf "%s-%d.%s.%s.svc.cluster.local:%d" "etcd" $count ( include "etcd.serviceName" . ) $.Release.Namespace (int $.Values.etcd.port) ) -}}
-    {{- end }}
-{{- else if .Values.etcd.overrides.endpoints }}
-    {{- range $v := .Values.etcd.overrides.endpoints -}}
-        {{- $list = append $list (printf "%s:%d" $v (int $.Values.etcd.port) ) -}}
-    {{- end -}}
-{{- else if not .Values.etcd.overrides.endpoints }}
-    {{- fail "A valid .Values.etcd.overrides.endpoints required!" }}
-{{- end }}
-{{- $list | toYaml }}
-{{- end }}
-
-{{/*
-Key-value of the etcd peers, using the overrides in case of unmanaged etcd.
-*/}}
-{{- define "etcd.initialCluster" }}
-{{- $list := list -}}
-{{- if .Values.etcd.deploy }}
-    {{- range $i, $count := until 3 -}}
-        {{- $list = append $list ( printf "etcd-%d=https://%s-%d.%s.%s.svc.cluster.local:%d" $i "etcd" $count ( include "etcd.serviceName" . ) $.Release.Namespace (int $.Values.etcd.peerApiPort) ) -}}
-    {{- end }}
-{{- else if .Values.etcd.overrides.endpoints }}
-    {{- range $k, $v := .Values.etcd.overrides.endpoints -}}
-        {{- $list = append $list ( printf "%s=%s:%d" $k $v (int $.Values.etcd.peerApiPort) ) -}}
-    {{- end -}}
-{{- else if not .Values.etcd.overrides.endpoints }}
-    {{- fail "A valid .Values.etcd.overrides.endpoints required!" }}
-{{- end }}
-{{- join "," $list -}}
-{{- end }}
-
-{{/*
-Retrieve the current Kubernetes version to launch a kubectl container with the minimum version skew possible.
-*/}}
-{{- define "etcd.jobsTagKubeVersion" -}}
-{{- if contains "-eks-" .Capabilities.KubeVersion.GitVersion }}
-{{- print "v" .Capabilities.KubeVersion.Major "." (.Capabilities.KubeVersion.Minor | replace "+" "") -}}
-{{- else }}
-{{- print "v" .Capabilities.KubeVersion.Major "." .Capabilities.KubeVersion.Minor -}}
-{{- end }}
-{{- end }}

charts/kamaji/templates/controller.yaml

@@ -33,7 +33,8 @@ spec:
         - --leader-elect
         - --metrics-bind-address={{ .Values.metricsBindAddress }}
         - --tmp-directory={{ .Values.temporaryDirectoryPath }}
-        - --datastore={{ include "datastore.fullname" . }}
+        {{- $datastoreName := .Values.defaultDatastoreName | required ".Values.defaultDatastoreName is required!" }}
+        - --datastore={{ $datastoreName }}
         {{- if .Values.telemetry.disabled }}
         - --disable-telemetry
         {{- end }}

charts/kamaji/templates/datastore.yaml

@@ -1,33 +0,0 @@
-{{- if .Values.datastore.enabled}}
-apiVersion: kamaji.clastix.io/v1alpha1
-kind: DataStore
-metadata:
-  name: {{ include "datastore.fullname" . }}
-  annotations:
-    "helm.sh/hook": pre-install
-  labels:
-    {{- include "datastore.labels" . | nindent 4 }}
-spec:
-  driver: {{ .Values.datastore.driver }}
-  endpoints:
-    {{- include "datastore.endpoints" . | indent 4 }}
-{{- if (and .Values.datastore.basicAuth.usernameSecret.name .Values.datastore.basicAuth.passwordSecret.name) }}
-  basicAuth:
-    username:
-      secretReference:
-        {{- .Values.datastore.basicAuth.usernameSecret | toYaml | nindent 8 }}
-    password:
-      secretReference:
-        {{- .Values.datastore.basicAuth.passwordSecret | toYaml | nindent 8 }}
-{{- end }}
-{{- if .Values.datastore.tlsConfig.enabled }}
-  tlsConfig:
-    certificateAuthority:
-      {{- include "datastore.certificateAuthority" . | indent 6 }}
-
-    {{- if .Values.datastore.tlsConfig.clientCertificate }}
-    clientCertificate:
-      {{- include "datastore.clientCertificate" . | indent 6 }}
-    {{- end }}
-{{- end}}
-{{- end}}

charts/kamaji/templates/etcd_cm.yaml

@@ -1,98 +0,0 @@
-{{- if .Values.etcd.deploy }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    {{- include "etcd.labels" . | nindent 4 }}
-  name: {{ include "etcd.csrConfigMapName" . }}
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": "hook-succeeded,hook-failed"
-data:
-  ca-csr.json: |-
-    {
-      "CN": "Clastix CA",
-      "key": {
-        "algo": "rsa",
-        "size": 2048
-      },
-      "names": [
-        {
-          "C": "IT",
-          "ST": "Italy",
-          "L": "Milan"
-        }
-      ]
-    }
-  config.json: |-
-    {
-      "signing": {
-        "default": {
-          "expiry": "8760h"
-        },
-        "profiles": {
-          "server-authentication": {
-            "usages": ["signing", "key encipherment", "server auth"],
-            "expiry": "8760h"
-          },
-          "client-authentication": {
-            "usages": ["signing", "key encipherment", "client auth"],
-            "expiry": "8760h"
-          },
-          "peer-authentication": {
-            "usages": ["signing", "key encipherment", "server auth", "client auth"],
-            "expiry": "8760h"
-          }
-        }
-      }
-    }
-  server-csr.json: |-
-    {
-      "CN": "etcd",
-      "key": {
-        "algo": "rsa",
-        "size": 2048
-      },
-      "hosts": [
-{{- range $count := until 3 -}}
-        {{ printf "\"etcd-%d.%s.%s.svc.cluster.local\"," $count (include "etcd.serviceName" .) $.Release.Namespace }}
-{{- end }}
-        "etcd-server.{{ .Release.Namespace }}.svc.cluster.local",
-        "etcd-server.{{ .Release.Namespace }}.svc",
-        "etcd-server",
-        "127.0.0.1"
-      ]
-    }
-  peer-csr.json: |-
-    {
-      "CN": "etcd",
-      "key": {
-        "algo": "rsa",
-        "size": 2048
-      },
-      "hosts": [
-{{- range $count := until 3 -}}
-        {{ printf "\"etcd-%d\"," $count }}
-        {{ printf "\"etcd-%d.%s\"," $count (include "etcd.serviceName" .) }}
-        {{ printf "\"etcd-%d.%s.%s.svc\"," $count (include "etcd.serviceName" .) $.Release.Namespace }}
-        {{ printf "\"etcd-%d.%s.%s.svc.cluster.local\"," $count (include "etcd.serviceName" .) $.Release.Namespace }}
-{{- end }}
-        "127.0.0.1"
-      ]
-    }
-  root-client-csr.json: |-
-    {
-      "CN": "root",
-      "key": {
-        "algo": "rsa",
-        "size": 2048
-      },
-      "names": [
-        {
-          "O": "system:masters"
-        }
-      ]
-    }
-{{- end }}

charts/kamaji/templates/etcd_job_postdelete.yaml

@@ -1,35 +0,0 @@
-{{- if .Values.etcd.deploy }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  labels:
-    {{- include "etcd.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": pre-delete
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": "hook-succeeded,hook-failed"
-  name: "{{ .Release.Name }}-etcd-teardown"
-  namespace: {{ .Release.Namespace }}
-spec:
-  template:
-    metadata:
-      name: "{{ .Release.Name }}"
-    spec:
-      serviceAccountName: {{ include "etcd.serviceAccountName" . }}
-      restartPolicy: Never
-      containers:
-        - name: kubectl
-          image: {{ printf "clastix/kubectl:%s" (include "etcd.jobsTagKubeVersion" .) }}
-          command:
-            - kubectl
-            - --namespace={{ .Release.Namespace }}
-            - delete
-            - secret
-            - --ignore-not-found=true
-            - {{ include "etcd.caSecretName" . }}
-            - {{ include "etcd.clientSecretName" . }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

charts/kamaji/templates/etcd_job_postinstall.yaml

@@ -1,74 +0,0 @@
-{{- if .Values.etcd.deploy }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  labels:
-    {{- include "etcd.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": post-install
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": "hook-succeeded,hook-failed"
-  name: "{{ .Release.Name }}-etcd-setup"
-  namespace: {{ .Release.Namespace }}
-spec:
-  template:
-    metadata:
-      name: "{{ .Release.Name }}"
-    spec:
-      serviceAccountName: {{ include "etcd.serviceAccountName" . }}
-      restartPolicy: Never
-      initContainers:
-        - name: kubectl
-          image: {{ printf "clastix/kubectl:%s" (include "etcd.jobsTagKubeVersion" .) }}
-          command:
-            - sh
-            - -c
-            - |-
-              kubectl --namespace={{ .Release.Namespace }} rollout status sts/etcd --timeout=300s
-      containers:
-        - command:
-            - bash
-            - -c
-            - |-
-              etcdctl member list -w table
-              if etcdctl user get root &>/dev/null; then
-                echo "User already exists, nothing to do"
-              else
-                etcdctl user add --no-password=true root &&
-                etcdctl role add root &&
-                etcdctl user grant-role root root &&
-                etcdctl auth enable
-              fi
-          env:
-            - name: ETCDCTL_ENDPOINTS
-              value: https://etcd-0.{{ include "etcd.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local:2379
-            - name: ETCDCTL_CACERT
-              value: /opt/certs/ca/ca.crt
-            - name: ETCDCTL_CERT
-              value: /opt/certs/root-certs/tls.crt
-            - name: ETCDCTL_KEY
-              value: /opt/certs/root-certs/tls.key
-          image: quay.io/coreos/etcd:v3.5.1
-          imagePullPolicy: Always
-          name: etcd-client
-          volumeMounts:
-            - name: root-certs
-              mountPath: /opt/certs/root-certs
-            - name: certs
-              mountPath: /opt/certs/ca
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-      volumes:
-        - name: root-certs
-          secret:
-            secretName: {{ include "etcd.clientSecretName" . }}
-        - name: certs
-          secret:
-            secretName: {{ include "etcd.caSecretName" . }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

charts/kamaji/templates/etcd_job_preinstall.yaml

@@ -1,72 +0,0 @@
-{{- if .Values.etcd.deploy }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  labels:
-    {{- include "etcd.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": "hook-succeeded"
-  name: "{{ .Release.Name }}-etcd-certs"
-  namespace: {{ .Release.Namespace }}
-spec:
-  template:
-    metadata:
-      name: "{{ .Release.Name }}"
-    spec:
-      serviceAccountName: {{ include "etcd.serviceAccountName" . }}
-      restartPolicy: Never
-      initContainers:
-        - name: cfssl
-          image: "{{ .Values.cfssl.image.repository }}:{{ .Values.cfssl.image.tag }}"
-          command:
-            - bash
-            - -c
-            - |-
-              cfssl gencert -initca /csr/ca-csr.json | cfssljson -bare /certs/ca &&
-              mv /certs/ca.pem /certs/ca.crt && mv /certs/ca-key.pem /certs/ca.key &&
-              cfssl gencert -ca=/certs/ca.crt -ca-key=/certs/ca.key -config=/csr/config.json -profile=peer-authentication /csr/peer-csr.json | cfssljson -bare /certs/peer &&
-              cfssl gencert -ca=/certs/ca.crt -ca-key=/certs/ca.key -config=/csr/config.json -profile=peer-authentication /csr/server-csr.json | cfssljson -bare /certs/server &&
-              cfssl gencert -ca=/certs/ca.crt -ca-key=/certs/ca.key -config=/csr/config.json -profile=client-authentication /csr/root-client-csr.json | cfssljson -bare /certs/root-client
-          volumeMounts:
-            - mountPath: /certs
-              name: certs
-            - mountPath: /csr
-              name: csr
-      containers:
-        - name: kubectl
-          image: {{ printf "clastix/kubectl:%s" (include "etcd.jobsTagKubeVersion" .) }}
-          command: ["/bin/sh", "-c"]
-          args:
-            - |
-              if kubectl get secret {{ include "etcd.caSecretName" . }} --namespace={{ .Release.Namespace }} &>/dev/null; then
-                echo "Secret {{ include "etcd.caSecretName" . }} already exists"
-              else
-                echo "Creating secret {{ include "etcd.caSecretName" . }}"
-                kubectl --namespace={{ .Release.Namespace }} create secret generic {{ include "etcd.caSecretName" . }} --from-file=/certs/ca.crt --from-file=/certs/ca.key --from-file=/certs/peer-key.pem --from-file=/certs/peer.pem --from-file=/certs/server-key.pem --from-file=/certs/server.pem
-              fi
-              if kubectl get secret {{ include "etcd.clientSecretName" . }} --namespace={{ .Release.Namespace }} &>/dev/null; then
-                echo "Secret {{ include "etcd.clientSecretName" . }} already exists"
-              else
-                echo "Creating secret {{ include "etcd.clientSecretName" . }}"
-                kubectl --namespace={{ .Release.Namespace }} create secret tls {{ include "etcd.clientSecretName" . }} --key=/certs/root-client-key.pem --cert=/certs/root-client.pem
-              fi
-          volumeMounts:
-            - mountPath: /certs
-              name: certs
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-      volumes:
-        - name: csr
-          configMap:
-            name: {{ include "etcd.csrConfigMapName" . }}
-        - name: certs
-          emptyDir: {}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

charts/kamaji/templates/etcd_rbac.yaml

@@ -1,56 +0,0 @@
-{{- if .Values.etcd.deploy }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    {{- include "etcd.labels" . | nindent 4 }}
-  name: etcd-gen-certs-role
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-5"
-  namespace: {{ .Release.Namespace }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - delete
-    resourceNames:
-      - {{ include "etcd.caSecretName" . }}
-      - {{ include "etcd.clientSecretName" . }}
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - create
-  - apiGroups:
-      - apps
-    resources:
-      - statefulsets
-    verbs:
-      - get
-      - list
-      - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    {{- include "etcd.labels" . | nindent 4 }}
-  name: etcd-gen-certs-rolebiding
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-5"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: etcd-gen-certs-role
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "etcd.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
-{{- end }}

charts/kamaji/templates/etcd_sa.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.etcd.deploy }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    {{- include "etcd.labels" . | nindent 4 }}
-  name: {{ include "etcd.serviceAccountName" . }}
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-5"
-  namespace: {{ .Release.Namespace }}
-{{- end }}

charts/kamaji/templates/etcd_service.yaml

@@ -1,18 +0,0 @@
-{{- if .Values.etcd.deploy }}
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    {{- include "etcd.labels" . | nindent 4 }}
-  name: {{ include "etcd.serviceName" . }}
-  namespace: {{ .Release.Namespace }}
-spec:
-  clusterIP: None
-  ports:
-    - port: {{ .Values.etcd.port }}
-      name: client
-    - port: {{ .Values.etcd.peerApiPort }}
-      name: peer
-  selector:
-    {{- include "etcd.selectorLabels" . | nindent 4 }}
-{{- end }}

charts/kamaji/templates/etcd_sts.yaml

@@ -1,101 +0,0 @@
-{{- if .Values.etcd.deploy }}
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  labels:
-    {{- include "etcd.labels" . | nindent 4 }}
-  name: {{ include "etcd.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-spec:
-  serviceName: {{ include "etcd.serviceName" . }}
-  selector:
-    matchLabels:
-      {{- include "etcd.selectorLabels" . | nindent 6 }}
-  replicas: 3
-  template:
-    metadata:
-      name: etcd
-      labels:
-        {{- include "etcd.selectorLabels" . | nindent 8 }}
-    spec:
-      volumes:
-        - name: certs
-          secret:
-            secretName: {{ include "etcd.caSecretName" . }}
-      {{- with .Values.etcd.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      containers:
-        - name: etcd
-          image: {{ .Values.etcd.image.repository }}:{{ .Values.etcd.image.tag | default "v3.5.4" }}
-          imagePullPolicy: {{ .Values.etcd.image.pullPolicy }}
-          ports:
-            - containerPort: 2379
-              name: client
-            - containerPort: 2380
-              name: peer
-          volumeMounts:
-            - name: data
-              mountPath: /var/run/etcd
-            - name: certs
-              mountPath: /etc/etcd/pki
-          command:
-            - etcd
-            - --data-dir=/var/run/etcd
-            - --name=$(POD_NAME)
-            - --initial-cluster-state=new
-            - --initial-cluster={{ include "etcd.initialCluster" . }}
-            - --initial-advertise-peer-urls=https://$(POD_NAME).etcd.$(POD_NAMESPACE).svc.cluster.local:2380
-            - --advertise-client-urls=https://$(POD_NAME).etcd.$(POD_NAMESPACE).svc.cluster.local:2379
-            - --initial-cluster-token=kamaji
-            - --listen-client-urls=https://0.0.0.0:2379
-            - --listen-metrics-urls=http://0.0.0.0:2381
-            - --listen-peer-urls=https://0.0.0.0:2380
-            - --client-cert-auth=true
-            - --peer-client-cert-auth=true
-            - --trusted-ca-file=/etc/etcd/pki/ca.crt
-            - --cert-file=/etc/etcd/pki/server.pem
-            - --key-file=/etc/etcd/pki/server-key.pem
-            - --peer-trusted-ca-file=/etc/etcd/pki/ca.crt
-            - --peer-cert-file=/etc/etcd/pki/peer.pem
-            - --peer-key-file=/etc/etcd/pki/peer-key.pem
-            - --auto-compaction-mode=periodic
-            - --auto-compaction-retention= {{ .Values.etcd.compactionInterval }}
-            - --snapshot-count=10000
-            - --quota-backend-bytes=8589934592
-            - --v=8
-          env:
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          {{- with .Values.etcd.livenessProbe }}
-          livenessProbe:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.etcd.startupProbe }}
-          startupProbe:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-      {{- with .Values.etcd.persistence.customAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-    spec:
-      storageClassName: {{ .Values.etcd.persistence.storageClassName }}
-      accessModes:
-      {{- range .Values.etcd.persistence.accessModes }}
-      - {{ . | quote }}
-      {{- end }}
-      resources:
-        requests:
-          storage: {{ .Values.etcd.persistence.size }}
-{{- end }}

charts/kamaji/values.yaml

@@ -15,74 +15,10 @@ image:
 # -- A list of extra arguments to add to the kamaji controller default ones
 extraArgs: []
 
-
 serviceMonitor:
   # -- Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured
   enabled: false
 
-etcd:
-  # -- Install an etcd with enabled multi-tenancy along with Kamaji
-  deploy: true
-
-  # -- The peer API port which servers are listening to.
-  peerApiPort: 2380
-
-  # -- The client request port.
-  port: 2379
-
-  # -- Install specific etcd image
-  image:
-    repository: quay.io/coreos/etcd
-    tag: "v3.5.6"
-    pullPolicy: IfNotPresent
-
-  # -- The livenessProbe for the etcd container
-  livenessProbe:
-    failureThreshold: 8
-    httpGet:
-      path: /health?serializable=true
-      port: 2381
-      scheme: HTTP
-    initialDelaySeconds: 10
-    periodSeconds: 10
-    timeoutSeconds: 15
-
-  serviceAccount:
-    # -- Create a ServiceAccount, required to install and provision the etcd backing storage (default: true)
-    create: true
-    # -- Define the ServiceAccount name to use during the setup and provision of the etcd backing storage (default: "")
-    name: ""
-  persistence:
-    size: 10Gi
-    storageClassName: ""
-    accessModes:
-    - ReadWriteOnce
-    # -- The custom annotations to add to the PVC
-    customAnnotations: {}
-    #  volumeType: local
-
-  # -- (array) Kubernetes affinity rules to apply to Kamaji etcd pods
-  tolerations: []
-
-  overrides:
-    caSecret:
-      # -- Name of the secret which contains CA's certificate and private key. (default: "etcd-certs")
-      name: etcd-certs
-      # -- Namespace of the secret which contains CA's certificate and private key. (default: "kamaji-system")
-      namespace: kamaji-system
-    clientSecret:
-      # -- Name of the secret which contains ETCD client certificates. (default: "root-client-certs")
-      name: root-client-certs
-      # -- Name of the namespace where the secret which contains ETCD client certificates is. (default: "kamaji-system")
-      namespace: kamaji-system
-    # -- (map) Dictionary of the endpoints for the etcd cluster's members, key is the name of the etcd server. Don't define the protocol (TLS is automatically inflected), or any port, inflected from .etcd.peerApiPort value.
-    endpoints:
-      etcd-0: etcd-0.etcd.kamaji-system.svc.cluster.local
-      etcd-1: etcd-1.etcd.kamaji-system.svc.cluster.local
-      etcd-2: etcd-2.etcd.kamaji-system.svc.cluster.local
-  # -- ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled))
-  compactionInterval: 0
-
 # -- The address the probe endpoint binds to. (default ":8081")
 healthProbeBindAddress: ":8081"
 
@@ -102,7 +38,7 @@ readinessProbe:
   initialDelaySeconds: 5
   periodSeconds: 10
 
-# -- (string) The address the metric endpoint binds to. (default ":8080")
+# -- The address the metric endpoint binds to. (default ":8080")
 metricsBindAddress: ":8080"
 
 imagePullSecrets: []
@@ -156,72 +92,20 @@ affinity: {}
 temporaryDirectoryPath: "/tmp/kamaji"
 
 loggingDevel:
-  # -- (string) Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default false)
+  # -- Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default false)
   enable: false
 
-datastore:
-  # -- (bool) Enable the Kamaji Datastore creation (default=true)
-  enabled: true
-  # -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to.
-  nameOverride:
-  # -- (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd).
-  driver: etcd
-  # -- (array) List of endpoints of the selected Datastore. When letting the Chart install the etcd datastore, this field is populated automatically.
-  endpoints: []
-  basicAuth:
-    usernameSecret:
-      # -- The name of the Secret containing the username used to connect to the relational database.
-      name:
-      # -- The namespace of the Secret containing the username used to connect to the relational database.
-      namespace:
-      # -- The Secret key where the data is stored.
-      keyPath:
-    passwordSecret:
-      # -- The name of the Secret containing the password used to connect to the relational database.
-      name:
-      # -- The namespace of the Secret containing the password used to connect to the relational database.
-      namespace:
-      # -- The Secret key where the data is stored.
-      keyPath:
-  tlsConfig:
-    enabled: true
-    certificateAuthority:
-      certificate:
-        # -- Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore.
-        name:
-        # -- Namespace of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore.
-        namespace:
-        # -- Key of the Secret which contains the content of the certificate.
-        keyPath:
-      privateKey:
-        # -- Name of the Secret containing the CA private key required to establish the mandatory SSL/TLS connection to the datastore.
-        name:
-        # -- Namespace of the Secret containing the CA private key required to establish the mandatory SSL/TLS connection to the datastore.
-        namespace:
-        # -- Key of the Secret which contains the content of the private key.
-        keyPath:
-    clientCertificate:
-      certificate:
-        # -- Name of the Secret containing the client certificate required to establish the mandatory SSL/TLS connection to the datastore.
-        name:
-        # -- Namespace of the Secret containing the client certificate required to establish the mandatory SSL/TLS connection to the datastore.
-        namespace:
-        # -- Key of the Secret which contains the content of the certificate.
-        keyPath:
-      privateKey:
-        # -- Name of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore.
-        name:
-        # -- Namespace of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore.
-        namespace:
-        # -- Key of the Secret which contains the content of the private key.
-        keyPath:
+# -- Specify the default DataStore name for the Kamaji instance.
+defaultDatastoreName: default
 
-cfssl:
-  image:
-    repository: cfssl/cfssl
-    tag: latest
+kamaji-etcd:
+  deploy: true
+  fullnameOverride: kamaji-etcd
+  datastore:
+    enabled: true
+    name: default
 
 # -- Disable the analytics traces collection
 telemetry:
-  disabled: false 
+  disabled: false
   

docs/content/guides/alternative-datastore.md

@@ -26,7 +26,7 @@ For example, with a PostgreSQL datastore installed:
 
 ```bash
 helm install kamaji charts/kamaji -n kamaji-system --create-namespace \
-  --set etcd.deploy=false \
+  --set kamaji-etcd.deploy=false \
   --set datastore.driver=PostgreSQL \
   --set datastore.endpoints[0]=postgres-default-rw.kamaji-system.svc:5432 \
   --set datastore.basicAuth.usernameSecret.name=postgres-default-superuser \

docs/content/guides/datastore-migration.md

@@ -172,4 +172,25 @@ After a while, depending on the amount of data to migrate, the Tenant Control Pl
 > Please, note the datastore migration leaves the data on the default datastore, so you have to remove it manually.
 
 ## Post migration
-After migrating data to the new datastore, complete the migration procedure by restarting the `kubelet.service` on all the tenant worker nodes.
+After migrating data to the new datastore, complete the migration procedure by restarting the `kubelet.service` on all the tenant worker nodes.
+
+## Troubleshooting
+
+### Migration Job Image Version
+When migrating between datastores, the Kamaji controller automatically creates a migration job to transfer data from the source to the destination datastore. By default, this job uses the same image version as the running Kamaji controller. If you need to use a different image version for the migration job, you can specify it by passing extra arguments to the controller:
+
+```shell
+helm upgrade kamaji clastix/kamaji -n kamaji-system 
+--set extraArgs[0]=--migrate-image=custom/kamaji:version`
+```
+
+### Handling Private Registry Images
+If the Kamaji controller images are stored in a private registry that requires authentication, the migration job will fail because it does not use any `ImagePullSecret` by default. You need to attach your registry secret to the `kamaji-controller-manager` service account, which is used by the migration job. You can do this with the following command:
+
+```shell
+kubectl -n kamaji-system patch serviceaccount kamaji-controller-manager \
+        -p '{"imagePullSecrets": [{"name": "myregistry-credentials"}]}'
+```
+
+This command patches the kamaji-controller-manager service account to include your registry secret, allowing the migration job to pull images from the private registry successfully.
+

e2e/worker_kubeadm_join_test.go

@@ -11,6 +11,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/testcontainers/testcontainers-go"
@@ -73,9 +75,17 @@ var _ = Describe("starting a kind worker with kubeadm", func() {
 
 		workerContainer, err = testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
 			ContainerRequest: testcontainers.ContainerRequest{
+				HostConfigModifier: func(config *container.HostConfig) {
+					config.Mounts = []mount.Mount{
+						{
+							Type:   mount.TypeBind,
+							Source: "/lib/modules",
+							Target: "/lib/modules",
+						},
+					}
+				},
 				Name:       fmt.Sprintf("%s-worker-node", tcp.GetName()),
 				Image:      fmt.Sprintf("kindest/node:%s", tcp.Spec.Kubernetes.Version),
-				Mounts:     testcontainers.ContainerMounts{testcontainers.BindMount("/lib/modules", "/lib/modules")},
 				Networks:   []string{"kind"},
 				Privileged: true,
 			},
@@ -135,7 +145,7 @@ var _ = Describe("starting a kind worker with kubeadm", func() {
 		By("executing the command in the worker node", func() {
 			cmds := append(strings.Split(strings.TrimSpace(joinCommandBuffer.String()), " "), "--ignore-preflight-errors", "SystemVerification")
 
-			exitCode, err := workerContainer.Exec(ctx, cmds)
+			exitCode, _, err := workerContainer.Exec(ctx, cmds)
 			Expect(exitCode).To(Equal(0))
 			Expect(err).ToNot(HaveOccurred())
 		})

go.mod

@@ -8,76 +8,82 @@ require (
 	github.com/JamesStewy/go-mysqldump v0.2.2
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/clastix/kamaji-telemetry v1.0.0
+	github.com/docker/docker v27.1.1+incompatible
 	github.com/go-logr/logr v1.4.2
-	github.com/go-pg/pg/v10 v10.10.6
-	github.com/go-sql-driver/mysql v1.6.0
+	github.com/go-pg/pg/v10 v10.13.0
+	github.com/go-sql-driver/mysql v1.8.1
 	github.com/google/go-cmp v0.6.0
 	github.com/google/uuid v1.6.0
 	github.com/json-iterator/go v1.1.12
 	github.com/juju/mutex/v2 v2.0.0
-	github.com/nats-io/nats.go v1.34.1
-	github.com/onsi/ginkgo/v2 v2.17.1
-	github.com/onsi/gomega v1.32.0
+	github.com/nats-io/nats.go v1.36.0
+	github.com/onsi/ginkgo/v2 v2.20.0
+	github.com/onsi/gomega v1.34.1
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.10.1
-	github.com/testcontainers/testcontainers-go v0.13.0
-	go.etcd.io/etcd/api/v3 v3.5.10
-	go.etcd.io/etcd/client/v3 v3.5.10
-	go.uber.org/automaxprocs v1.5.1
+	github.com/spf13/viper v1.19.0
+	github.com/testcontainers/testcontainers-go v0.32.0
+	go.etcd.io/etcd/api/v3 v3.5.15
+	go.etcd.io/etcd/client/v3 v3.5.15
+	go.uber.org/automaxprocs v1.5.3
 	gomodules.xyz/jsonpatch/v2 v2.4.0
 	k8s.io/api v0.30.2
 	k8s.io/apimachinery v0.30.2
 	k8s.io/apiserver v0.30.2
 	k8s.io/client-go v0.30.2
 	k8s.io/cluster-bootstrap v0.0.0
-	k8s.io/klog/v2 v2.120.1
+	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubelet v0.0.0
-	k8s.io/kubernetes v1.30.2
+	k8s.io/kubernetes v1.30.3
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/controller-runtime v0.18.4
 )
 
 require (
+	dario.cat/mergo v1.0.0 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/DATA-DOG/go-sqlmock v1.5.0 // indirect
-	github.com/Microsoft/go-winio v0.6.0 // indirect
-	github.com/Microsoft/hcsshim v0.8.25 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.11.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/containerd/cgroups v1.1.0 // indirect
-	github.com/containerd/containerd v1.5.9 // indirect
+	github.com/containerd/containerd v1.7.18 // indirect
+	github.com/containerd/errdefs v0.1.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/coredns/caddy v1.1.1 // indirect
 	github.com/coredns/corefile-migration v1.0.21 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/distribution/reference v0.5.0 // indirect
-	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/docker/docker v20.10.11+incompatible // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/cpuguy83/dockercfg v0.3.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/go-pg/zerochecker v0.2.0 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
+	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
@@ -89,13 +95,16 @@ require (
 	github.com/klauspost/compress v1.17.8 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lithammer/dedent v1.1.0 // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
-	github.com/mitchellh/mapstructure v1.4.3 // indirect
-	github.com/moby/sys/mount v0.2.0 // indirect
-	github.com/moby/sys/mountinfo v0.6.2 // indirect
-	github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/patternmatcher v0.6.0 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
+	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
@@ -104,50 +113,58 @@ require (
 	github.com/nats-io/nkeys v0.4.7 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.2 // indirect
-	github.com/opencontainers/runc v1.1.12 // indirect
-	github.com/pelletier/go-toml v1.9.4 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/prometheus/client_golang v1.18.0 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/common v0.45.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spf13/afero v1.9.2 // indirect
-	github.com/spf13/cast v1.4.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/shirou/gopsutil/v3 v3.23.12 // indirect
+	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.12 // indirect
+	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc // indirect
 	github.com/vmihailenco/bufpool v0.1.11 // indirect
 	github.com/vmihailenco/msgpack/v5 v5.3.4 // indirect
 	github.com/vmihailenco/tagparser v0.1.2 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
-	go.opencensus.io v0.24.0 // indirect
+	github.com/yusufpapurcu/wmi v1.2.3 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.15 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
-	golang.org/x/exp v0.0.0-20220827204233-334a2380cb91 // indirect
-	golang.org/x/mod v0.15.0 // indirect
-	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/oauth2 v0.12.0 // indirect
-	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/term v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.18.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
-	google.golang.org/grpc v1.58.3 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	golang.org/x/crypto v0.26.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/oauth2 v0.18.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.23.0 // indirect
+	golang.org/x/term v0.23.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.24.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c // indirect
+	google.golang.org/grpc v1.62.1 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.66.2 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
@@ -158,7 +175,7 @@ require (
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/kube-proxy v0.0.0 // indirect
 	k8s.io/system-validators v1.8.0 // indirect
-	mellium.im/sasl v0.3.0 // indirect
+	mellium.im/sasl v0.3.1 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect

internal/datastore/etcd.go

@@ -16,13 +16,6 @@ import (
 	"github.com/clastix/kamaji/internal/datastore/errors"
 )
 
-const (
-	// rangeEnd is the key following the last key of the range.
-	// If rangeEnd is ‘\0’, the range is all keys greater than or equal to the key argument
-	// source: https://etcd.io/docs/v3.5/learning/api/
-	rangeEnd = "\\0"
-)
-
 func NewETCDConnection(config ConnectionConfig) (Connection, error) {
 	endpoints := make([]string, 0, len(config.Endpoints))
 
@@ -68,7 +61,8 @@ func (e *EtcdClient) GrantPrivileges(ctx context.Context, user, dbName string) e
 
 	permission := etcdclient.PermissionType(authpb.READWRITE)
 	key := e.buildKey(dbName)
-	if _, err := e.Client.RoleGrantPermission(ctx, user, key, rangeEnd, permission); err != nil {
+
+	if _, err := e.Client.RoleGrantPermission(ctx, user, key, etcdclient.GetPrefixRangeEnd(key), permission); err != nil {
 		return errors.NewGrantPrivilegesError(err)
 	}
 
@@ -170,6 +164,13 @@ func (e *EtcdClient) Driver() string {
 	return string(kamajiv1alpha1.EtcdDriver)
 }
 
+// buildKey adds slashes to the beginning and end of the key. This ensures that the range
+// end for etcd RBAC is calculated using the entire key prefix, not only the key name. If
+// the range end was calculated e.g. for `/cp-a`, the result would be `/cp-b`, which also
+// includes `/cp-aa` (etcd uses lexicographic ordering on key ranges for RBAC). Using
+// `/cp-a/` as the input for the range end calculation results in `/cp-a0`, which doesn't
+// allow for any other potential control plane key prefixes to be located within the range.
+// For more information, see also https://etcd.io/docs/v3.3/learning/api/#key-ranges
 func (e *EtcdClient) buildKey(key string) string {
 	return fmt.Sprintf("/%s/", key)
 }
@@ -181,7 +182,9 @@ func (e *EtcdClient) Migrate(ctx context.Context, tcp kamajiv1alpha1.TenantContr
 		return err
 	}
 
-	response, err := e.Client.Get(ctx, e.buildKey(fmt.Sprintf("%s_%s", tcp.GetNamespace(), tcp.GetName())), etcdclient.WithRange(rangeEnd))
+	key := e.buildKey(fmt.Sprintf("%s_%s", tcp.GetNamespace(), tcp.GetName()))
+
+	response, err := e.Client.Get(ctx, key, etcdclient.WithPrefix())
 	if err != nil {
 		return err
 	}