From a55c3860d828e461dfb3e1513d0e59aa6de5d692 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Max=20Neunh=C3=B6ffer?= Date: Wed, 25 Sep 2019 12:38:10 +0200 Subject: [PATCH] Preparations for 0.3.16. (#454) * Preparations for 0.3.16. * Document permissions needed. * Add note to README.md. --- CHANGELOG.md | 15 +++++++++++++- Makefile | 2 +- README.md | 13 ++++++++++++ VERSION | 2 +- .../Kubernetes/DeploymentResource.md | 20 +++++++++++++++++-- 5 files changed, 47 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5def94e13..aa394c335 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,19 @@ # Change Log -## [0.3.13]() (2019-08-02) +## [0.3.16](https://github.com/arangodb/kube-arangodb/tree/0.3.16) (2019-09-25) +- Revised helm charts. +- Use separate service account for operator. +- Support for ResignLeadership job. +- Allow to set ImagePullSecrets in pods. +- Bug fixes. + +## [0.3.15]() (never released, only previews existed) + +## [0.3.14](https://github.com/arangodb/kube-arangodb/tree/0.3.14) (2019-08-07) +- Bug fixes for custom sidecars. +- More tests + +## [0.3.13](https://github.com/arangodb/kube-arangodb/tree/0.3.13) (2019-08-02) - Added side car changed to pod rotation criterium - Added ArangoDB version and image id to member status - Fix bug with MemberOfCluster condition diff --git a/Makefile b/Makefile index c9227dc1e..76ef70be1 100644 --- a/Makefile +++ b/Makefile @@ -201,7 +201,7 @@ dashboard/assets.go: $(DASHBOARDSOURCES) $(DASHBOARDDIR)/Dockerfile.build $(DASHBOARDBUILDIMAGE) go run github.com/jessevdk/go-assets-builder -s /dashboard/build/ -o dashboard/assets.go -p dashboard dashboard/build -$(BIN): $(SOURCES) dashboard/assets.go +$(BIN): $(SOURCES) dashboard/assets.go VERSION @mkdir -p $(BINDIR) CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -installsuffix netgo -ldflags "-X main.projectVersion=$(VERSION) -X main.projectBuild=$(COMMIT)" -o $(BIN) $(REPOPATH) diff --git a/README.md b/README.md index 15d03712b..3eb5fbcf2 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,19 @@ Feature-wise production readiness table: | Prometheus Metrics export | 0.3.11 | new - alpha | needs Prometheus | | User sidecar containers | 0.3.11 | new - alpha | | +## Release notes for 0.3.16 + +In this release we have reworked the Helm charts. One notable change is +that we now create a new service account specifically for the operator. +The actual deployment still runs by default under the `default` service +account unless one changes that. Note that the service account under +which the ArangoDB runs needs a small set of extra permissions. For +the `default` service account we grant them when the operator is +deployed. If you use another service account you have to grant these +permissions yourself. See +[here](docs/Manual/Deployment/Kubernetes/DeploymentResource.md#specgroupserviceaccountname-string) +for details. + ## Installation of latest release using Kubectl ```bash diff --git a/VERSION b/VERSION index fa5d271cc..551904f21 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.3.14+git \ No newline at end of file +0.3.15+git diff --git a/docs/Manual/Deployment/Kubernetes/DeploymentResource.md b/docs/Manual/Deployment/Kubernetes/DeploymentResource.md index 9e8597adc..1a9d7049a 100644 --- a/docs/Manual/Deployment/Kubernetes/DeploymentResource.md +++ b/docs/Manual/Deployment/Kubernetes/DeploymentResource.md @@ -480,10 +480,26 @@ and `iops` is not forwarded to the pods resource requirements. ### `spec..serviceAccountName: string` This setting specifies the `serviceAccountName` for the `Pods` created -for each server of this group. +for each server of this group. If empty, it defaults to using the +`default` service account. Using an alternative `ServiceAccount` is typically used to separate access rights. -The ArangoDB deployments do not require any special rights. +The ArangoDB deployments need some very minimal access rights. With the +deployment of the operator, we grant the following rights for the `default` +service account: + +``` +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get +``` + +If you are using a different service account, please grant these rights +to that service account. ### `spec..priorityClassName: string`