Merge pull request #332 from rmgrimm/apicurio-registry-and-enhanced-c…

…runchy

Add Apicurio Registry and enhance Crunchy Postgres

.wordlist-md

@@ -9,9 +9,11 @@ Alertmanager
 AmazonS
 AmazonSageMakerFullAccess
 Ansible
+Apicurio
 ArgoCD
 ArgoCD's
 Authorino
+AutoCreateUserSchema
 Bitnami
 CICD
 CRD
@@ -95,6 +97,7 @@ SDKs
 SNO
 SSO
 Sagemaker
+Schemas
 SecretManager
 SecureCluster
 ServiceMesh
@@ -226,6 +229,7 @@ operatorGroups
 patchesJson
 performant
 postgres
+postgresql
 pre
 prem
 prometheus
@@ -241,6 +245,7 @@ runtime
 sagemaker
 sandboxed
 scalable
+schemas
 secretGenerator
 seldon
 selectable

apicurio-registry-operator/.editorconfig

@@ -0,0 +1,8 @@
+# Apicurio Registry Operator EditorConfig File
+
+[*]
+end_of_line = lf
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true

apicurio-registry-operator/README.md

@@ -0,0 +1,44 @@
+# Apicurio Registry Operator
+
+Install Apicurio Registry Operator.
+
+Do not use the `base` directory directly, as you will need to patch the `channel` based on the intended version of Apicurio Registry.
+
+the current *overlays* available are for the following channels:
+
+* [2.x](operator/overlays/2.x)
+
+## Usage
+
+If you have cloned the `gitops-catalog` repository, you can install Apicurio Registry Operator based on the overlay of your choice by running from the root (`gitops-catalog`) directory.
+
+```
+oc apply -k apicurio-registry-operator/operator/overlays/<channel>
+```
+
+Or, without cloning:
+
+```
+oc apply -k https://github.com/redhat-cop/gitops-catalog/apicurio-registry-operator/operator/overlays/<channel>
+```
+
+As part of a different overlay in your own GitOps repo:
+
+```
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - https://github.com/redhat-cop/gitops-catalog/apicurio-registry-operator/operator/overlays/<channel>?ref=main
+```
+
+## Deploying Apicurio Registry
+
+If you would like to deploy Apicurio Registry, you can try one of the samples in the `instance/overlays` directory.
+
+## All-in-One
+
+If you would like to deploy the operator *and* Apicurio Registry and a backing store all in one line, use one of the `aggregate` directories, for example:
+
+```
+oc apply -k https://github.com/redhat-cop/gitops-catalog/apicurio-registry-operator/aggregate/apicurio-registry-sql?ref=main
+```

apicurio-registry-operator/aggregate/apicurio-registry-sql/kustomization.yaml

@@ -0,0 +1,57 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../../crunchy-postgres-operator/operator/overlays/v5
+  - ../../../crunchy-postgres-operator/instance/overlays/predefined-user-pass-and-db
+  - ../../operator/overlays/2.x
+  - ../../instance/overlays/postgresql
+
+components:
+  - ../../../crunchy-postgres-operator/operator/components/separate-namespace
+  - ../../../crunchy-postgres-operator/operator/components/feature-gates
+  - ../../../crunchy-postgres-operator/instance/components/auto-create-user-schema
+
+patches:
+  - target:
+      group: postgres-operator.crunchydata.com
+      version: v1beta1
+      kind: PostgresCluster
+      name: default
+    path: patch-postgres-cluster.yaml
+  - target:
+      group: ''
+      version: v1
+      kind: Secret
+      name: default-pguser-dbuser
+    path: patch-dbuser-credentials.yaml
+
+replacements:
+  - source:
+      group: ''
+      version: v1
+      kind: Secret
+      name: apicurio-registry-db-pguser-apicurio
+      fieldPath: metadata.labels.postgres-operator\.crunchydata\.com/pguser
+    targets:
+      - select:
+          group: registry.apicur.io
+          version: v1
+          kind: ApicurioRegistry
+          name: default
+        fieldPaths:
+          - spec.configuration.sql.dataSource.userName
+  - source:
+      group: ''
+      version: v1
+      kind: Secret
+      name: apicurio-registry-db-pguser-apicurio
+      fieldPath: stringData.password
+    targets:
+      - select:
+          group: registry.apicur.io
+          version: v1
+          kind: ApicurioRegistry
+          name: default
+        fieldPaths:
+          - spec.configuration.sql.dataSource.password

apicurio-registry-operator/aggregate/apicurio-registry-sql/patch-dbuser-credentials.yaml

@@ -0,0 +1,21 @@
+# Validate expectations before making changes
+- op: test
+  path: /metadata/name
+  value: default-pguser-dbuser
+- op: test
+  path: /metadata/labels/postgres-operator.crunchydata.com~1cluster
+  value: default
+- op: test
+  path: /metadata/labels/postgres-operator.crunchydata.com~1pguser
+  value: dbuser
+
+# Customize for Apicurio Registry
+- op: replace
+  path: /metadata/name
+  value: apicurio-registry-db-pguser-apicurio
+- op: replace
+  path: /metadata/labels/postgres-operator.crunchydata.com~1cluster
+  value: apicurio-registry-db
+- op: replace
+  path: /metadata/labels/postgres-operator.crunchydata.com~1pguser
+  value: apicurio

apicurio-registry-operator/aggregate/apicurio-registry-sql/patch-postgres-cluster.yaml

@@ -0,0 +1,21 @@
+# Validate expectations before making changes
+- op: test
+  path: /metadata/name
+  value: default
+- op: test
+  path: /spec/users/0/name
+  value: dbuser
+- op: test
+  path: /spec/users/0/databases/0
+  value: db
+
+# Update postgrescluster for use by Apicurio Registry
+- op: replace
+  path: /metadata/name
+  value: apicurio-registry-db
+- op: replace
+  path: /spec/users/0/name
+  value: apicurio
+- op: replace
+  path: /spec/users/0/databases/0
+  value: registry

apicurio-registry-operator/instance/base/apicurio-registry.yaml

@@ -0,0 +1,19 @@
+apiVersion: registry.apicur.io/v1
+kind: ApicurioRegistry
+metadata:
+  name: default
+spec:
+  deployment:
+    host: apicurio-registry
+    managedResources:
+      disableIngress: true
+  configuration:
+    persistence: sql
+    security: { }
+    # Too many bugs with Apicurio Registry handling SSL itself right now, so just disable Ingress and do it manually
+    # See https://issues.redhat.com/browse/IPT-1159
+    # Then the above issue is worked around, the pathing/redirects are then broken, so Apicurio Registry still isn't
+    # usable. When it's all fixed, maybe re-enable the following:
+    # https:
+    #   disableHttp: true
+    #   secretName: apicurio-registry-cert

apicurio-registry-operator/instance/base/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - apicurio-registry.yaml

apicurio-registry-operator/instance/components/https-ingress/ingress.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: apicurio-registry
+  annotations:
+    route.openshift.io/termination: edge
+spec:
+  ingressClassName: openshift-default
+  tls:
+    - secretName: apicurio-registry-cert
+      hosts:
+        - apicurio-registry.apps.cluster.example.com
+  rules:
+    - host: apicurio-registry.apps.cluster.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: default-service
+                port:
+                  name: http

apicurio-registry-operator/instance/components/https-ingress/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ingress.yaml

apicurio-registry-operator/instance/overlays/postgresql-tls-letsencrypt/apicurio-registry-cert.yaml

@@ -0,0 +1,24 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: apicurio-registry-cert
+  annotations:
+    acme.cert-manager.io/http01-override-ingress-name: apicurio-registry
+    cert-manager.io/issue-temporary-certificate: 'true'
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: letsencrypt-prod
+  secretName: apicurio-registry-cert
+  dnsNames:
+    # These should be replaced in a kustomize overlay, according to intended hostnames
+    - apicurio-registry.apps.cluster.example.com
+  usages:
+    - digital signature
+    - key encipherment
+  secretTemplate:
+    annotations:
+      kubernetes.io/description: >-
+        Secret issued via cert-manager which will be referenced and used by Apicurio Registry for securing
+        HTTPS traffic

apicurio-registry-operator/instance/overlays/postgresql-tls-letsencrypt/kustomization.yaml

@@ -0,0 +1,33 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../postgresql
+  - apicurio-registry-cert.yaml
+
+components:
+  - ../../components/https-ingress
+
+replacements:
+  - source:
+      group: registry.apicur.io
+      version: v1
+      kind: ApicurioRegistry
+      name: default
+      fieldPath: spec.deployment.host
+    targets:
+      - select:
+          group: cert-manager.io
+          version: v1
+          kind: Certificate
+          name: apicurio-registry-cert
+        fieldPaths:
+          - spec.dnsNames.0
+      - select:
+          group: networking.k8s.io
+          version: v1
+          kind: Ingress
+          name: apicurio-registry
+        fieldPaths:
+          - spec.tls.0.hosts.0
+          - spec.rules.0.host

apicurio-registry-operator/instance/overlays/postgresql/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+patches:
+  - target:
+      group: registry.apicur.io
+      version: v1
+      kind: ApicurioRegistry
+      name: default
+    path: patch-apicurio-registry.yaml

apicurio-registry-operator/instance/overlays/postgresql/patch-apicurio-registry.yaml

@@ -0,0 +1,11 @@
+- op: replace
+  path: /spec/configuration/persistence
+  value: sql
+
+- op: add
+  path: /spec/configuration/sql
+  value:
+    dataSource:
+      url: jdbc:postgresql://apicurio-registry-db-primary:5432/registry
+      userName: registry-user
+      password: registry-password

apicurio-registry-operator/operator/base/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - operator-group.yaml
+  - subscription.yaml

apicurio-registry-operator/operator/base/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: apicurio-registry-operator
+  annotations:
+    openshift.io/display-name: Red Hat build of Apicurio Registry Operator
+  labels:
+    openshift.io/cluster-monitoring: 'true'

apicurio-registry-operator/operator/base/operator-group.yaml

@@ -0,0 +1,6 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: apicurio-registry-operator
+  namespace: apicurio-registry-operator
+spec:

apicurio-registry-operator/operator/base/subscription.yaml

@@ -0,0 +1,11 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: service-registry-operator
+  namespace: apicurio-registry-operator
+spec:
+  channel: patch-me-see-overlays-dir
+  installPlanApproval: Automatic
+  name: service-registry-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace

apicurio-registry-operator/operator/overlays/2.x/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+patches:
+  - target:
+      kind: Subscription
+      name: service-registry-operator
+    path: patch-subscription.yaml

apicurio-registry-operator/operator/overlays/2.x/patch-subscription.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: /spec/channel
+  value: 2.x

crunchy-postgres-operator/.editorconfig

@@ -0,0 +1,8 @@
+# Crunchy Postgres Operator EditorConfig File
+
+[*]
+end_of_line = lf
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true