pingcap · Yisaer · Dec 20, 2019 · Dec 19, 2019 · Dec 19, 2019 · Dec 19, 2019
diff --git a/charts/tidb-operator/templates/admission/admission-webhook-deployment.yaml b/charts/tidb-operator/templates/admission/admission-webhook-deployment.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.admissionWebhook.create true }}
+{{- if .Values.admissionWebhook.create }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

diff --git a/charts/tidb-operator/templates/admission/admission-webhook-rbac.yaml b/charts/tidb-operator/templates/admission/admission-webhook-rbac.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.admissionWebhook.create true) (eq .Values.admissionWebhook.rbac.create true) }}
+{{- if and ( .Values.admissionWebhook.create ) ( .Values.admissionWebhook.rbac.create ) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:

diff --git a/charts/tidb-operator/templates/admission/admission-webhook-registration.yaml b/charts/tidb-operator/templates/admission/admission-webhook-registration.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.admissionWebhook.create true }}
+{{- if .Values.admissionWebhook.create }}
 apiVersion: apiregistration.k8s.io/v1beta1
 kind: APIService
 metadata:
@@ -10,7 +10,7 @@ metadata:
     app.kubernetes.io/component: admission-webhook
     helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
 spec:
-  {{- if eq .Values.admissionWebhook.apiservice.insecureSkipTLSVerify true }}
+  {{- if .Values.admissionWebhook.apiservice.insecureSkipTLSVerify }}
   insecureSkipTLSVerify: true
   {{- else }}
   caBundle: {{ .Values.admissionWebhook.apiservice.cert | b64enc }}
@@ -23,6 +23,7 @@ spec:
     namespace: {{ .Release.Namespace }}
   version: v1alpha1
 ---
+{{- if .Values.admissionWebhook.hooksEnabled.pods }}
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -92,5 +93,40 @@ webhooks:
         apiGroups: [""]
         apiVersions: ["v1"]
         resources: ["pods"]
+{{- end }}
 ---
+{{- if .Values.admissionWebhook.hooksEnabled.statefulSets }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validation-update-tidb-admission-webhook-cfg
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: admission-webhook
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+webhooks:
+  - name: update.stsadmission.tidb.pingcap.com
+    failurePolicy: {{ .Values.admissionWebhook.failurePolicy.updateStatefulSet | default "Ignore" }}
+    clientConfig:
+      service:
+        name: kubernetes
+        namespace: default
+        path: "/apis/admission.tidb.pingcap.com/v1alpha1/admissionreviews"
+      {{- if .Values.admissionWebhook.cabundle }}
+      caBundle: {{ .Values.admissionWebhook.cabundle | b64enc }}
+      {{- else }}
+      caBundle: null
+      {{- end }}
+    rules:
+      - operations: [ "UPDATE" ]
+        apiGroups: [ "apps", "" ]
+        apiVersions: ["v1beta1", "v1"]
+        resources: ["statefulsets"]
+      - operations: [ "UPDATE" ]
+        apiGroups: [ "apps.pingcap.com"]
+        apiVersions: ["v1alpha1"]
+        resources: ["statefulsets"]
+{{- end }}
 {{- end }}
diff --git a/charts/tidb-operator/templates/admission/admission-webhook-secret.yaml b/charts/tidb-operator/templates/admission/admission-webhook-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.admissionWebhook.create true) (eq .Values.admissionWebhook.apiservice.insecureSkipTLSVerify false ) }}
+{{- if and ( .Values.admissionWebhook.create ) ( eq .Values.admissionWebhook.apiservice.insecureSkipTLSVerify false ) }}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/charts/tidb-operator/templates/admission/admission-webhook-service.yaml b/charts/tidb-operator/templates/admission/admission-webhook-service.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.admissionWebhook.create true }}
+{{- if .Values.admissionWebhook.create }}
 apiVersion: v1
 kind: Service
 metadata:

diff --git a/charts/tidb-operator/values.yaml b/charts/tidb-operator/values.yaml
@@ -182,13 +182,22 @@ admissionWebhook:
   serviceAccount: tidb-admission-webhook
   rbac:
     create: true
+  hooksEnabled:
+    ## statefulsets hook would check requests for updating tidbcluster's statefulsets
+    ## If enabled it, the statefulsets of tidbcluseter would update in partition by tidbcluster's annotation
+    statefulSets: false
+    ## pods hook would check requests for creating and deleting tidbcluster's pods
+    ## if enabled it, the pods of tidbcluster would safely created or deleted by webhook instead of controller
+    pods: true
   ## failurePolicy are applied to ValidatingWebhookConfiguration which affect tidb-admission-webhook
   ## refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
   failurePolicy:
     ## deletePod Webhook would check the deleting request of tidbcluster pod and the failurePolicy is recommended as Fail
-    ## createPod Webhook would check the creating request of tidbcluster pod and the failurePolicy is recommended as Ignore
     deletePod: Fail
+    ## createPod Webhook would check the creating request of tidbcluster pod and the failurePolicy is recommended as Ignore
     createPod: Ignore
+    ## updateStatefulSet Webhook would check the updating request of tidbcluster statefulset and the failurePolicy is recommended as Ignore
+    updateStatefulSet: Ignore
   ## tidb-admission-webhook deployed as kubernetes apiservice server
   ## refer to https://github.com/openshift/generic-admission-server
   apiservice:
@@ -206,4 +215,3 @@ admissionWebhook:
   ## or you can get the cabundle by:
   ## kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}'
   cabundle: ""
-
diff --git a/manifests/patch-e2e.sh b/manifests/patch-e2e.sh
diff --git a/manifests/webhook.yaml b/manifests/webhook.yaml