Pause rolling-upgrade process of tidb statefulset

Makefile

@@ -29,7 +29,7 @@ docker-push: docker
 docker: build
 	docker build --tag "${DOCKER_REGISTRY}/pingcap/tidb-operator:latest" images/tidb-operator
 
-build: controller-manager scheduler discovery
+build: controller-manager scheduler discovery webhook
 
 controller-manager:
 	$(GO) -ldflags '$(LDFLAGS)' -o images/tidb-operator/bin/tidb-controller-manager cmd/controller-manager/main.go
@@ -40,6 +40,9 @@ scheduler:
 discovery:
 	$(GO) -ldflags '$(LDFLAGS)' -o images/tidb-operator/bin/tidb-discovery cmd/discovery/main.go
 
+webhook:
+	$(GO) -ldflags '$(LDFLAGS)' -o images/tidb-operator/bin/tidb-webhook cmd/webhook/main.go
+
 e2e-setup:
 	# ginkgo doesn't work with retool for Go 1.11
 	@GO111MODULE=on CGO_ENABLED=0 go get github.com/onsi/ginkgo@v1.6.0

cmd/webhook/main.go

@@ -0,0 +1,84 @@
+// Copyright 2018 PingCAP, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/golang/glog"
+	"github.com/pingcap/tidb-operator/pkg/webhook"
+	"github.com/pingcap/tidb-operator/pkg/webhook/util"
+)
+
+func main() {
+
+	cli, kubeCli, err := util.GetNewClient()
+	if err != nil {
+		glog.Fatalf("failed to get client: %v", err)
+	}
+
+	ns := os.Getenv("NAMESPACE")
+	if ns == "" {
+		glog.Fatalf("fail to get namespace in environment")
+	}
+
+	svc := os.Getenv("SERVICENAME")
+	if svc == "" {
+		glog.Fatalf("fail to get servicename in environment")
+	}
+
+	// create cert file
+	cert, err := util.SetupServerCert(ns, svc)
+	if err != nil {
+		glog.Fatalf("fail to setup server cert: %v", err)
+	}
+	webhookServer := webhook.NewWebHookServer(kubeCli, cli, cert)
+
+	// before start webhook server, create validating-webhook-configuration
+	err = webhookServer.RegisterWebhook(ns, svc)
+	if err != nil {
+		glog.Fatalf("fail to create validaing webhook configuration: %v", err)
+	}
+
+	sigs := make(chan os.Signal, 1)
+	done := make(chan bool, 1)
+
+	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+
+	go func() {
+		<-sigs
+
+		// FIXME Consider whether delete the configuration when the service is shutdown.
+		if err := webhookServer.UnregisterWebhook(); err != nil {
+			glog.Errorf("fail to delete validating configuration %v", err)
+		}
+
+		// Graceful shutdown the server
+		if err := webhookServer.Shutdown(); err != nil {
+			glog.Errorf("fail to shutdown server %v", err)
+		}
+
+		done <- true
+	}()
+
+	if err := webhookServer.Run(); err != nil {
+		glog.Errorf("stop http server %v", err)
+	}
+
+	<-done
+
+	glog.Infof("webhook server terminate safely.")
+}

images/tidb-operator/Dockerfile

@@ -4,3 +4,4 @@ RUN apk add tzdata --no-cache
 ADD bin/tidb-controller-manager /usr/local/bin/tidb-controller-manager
 ADD bin/tidb-scheduler /usr/local/bin/tidb-scheduler
 ADD bin/tidb-discovery /usr/local/bin/tidb-discovery
+ADD bin/tidb-webhook /usr/local/bin/tidb-webhook

manifests/webhook-rbac.yaml

@@ -0,0 +1,18 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: admission-webhook-example-rbac
+subjects:
+- kind: ServiceAccount
+  namespace: pingcap
+  name: admission-webhook-example-sa
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  namespace: pingcap
+  name: admission-webhook-example-sa

manifests/webhook.yaml

@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: admission-webhook-example-svc
+  namespace: pingcap
+  labels:
+    app: admission-webhook-example
+spec:
+  ports:
+  - port: 443
+    targetPort: 443
+  selector:
+    app: admission-webhook-example
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: admission-webhook-example-deployment
+  namespace: pingcap
+  labels:
+    app: admission-webhook-example
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: admission-webhook-example
+  template:
+    metadata:
+      namespace: pingcap
+      labels:
+        app: admission-webhook-example
+    spec:
+      serviceAccount: admission-webhook-example-sa
+      containers:
+        - name: admission-webhook-example
+          image: hub.pingcap.net/yinliang/pingcap/tidb-operator:latest
+          imagePullPolicy: Always
+          command: 
+          - /usr/local/bin/tidb-webhook
+          env:
+            - name: NAMESPACE
+              value: pingcap
+            - name: SERVICENAME
+              value: admission-webhook-example-svc

pkg/label/label.go

@@ -50,6 +50,8 @@ const (
 	AnnPVCDeferDeleting = "tidb.pingcap.com/pvc-defer-deleting"
 	// AnnPVCPodScheduling is pod scheduling annotation key, it represents whether the pod is scheduling
 	AnnPVCPodScheduling = "tidb.pingcap.com/pod-scheduling"
+	// AnnTiDBPartition is pod annotation which TiDB pod chould upgrade to
+	AnnTiDBPartition string = "tidb.pingcap.com/tidb-partition"
 
 	// PDLabelVal is PD label value
 	PDLabelVal string = "pd"

pkg/tkctl/cmd/cmd.go

@@ -24,6 +24,7 @@ import (
 	"github.com/pingcap/tidb-operator/pkg/tkctl/cmd/get"
 	"github.com/pingcap/tidb-operator/pkg/tkctl/cmd/info"
 	"github.com/pingcap/tidb-operator/pkg/tkctl/cmd/list"
+	"github.com/pingcap/tidb-operator/pkg/tkctl/cmd/upinfo"
 	"github.com/pingcap/tidb-operator/pkg/tkctl/cmd/use"
 	"github.com/pingcap/tidb-operator/pkg/tkctl/config"
 	"github.com/spf13/cobra"
@@ -69,6 +70,7 @@ func NewTkcCommand(streams genericclioptions.IOStreams) *cobra.Command {
 				info.NewCmdInfo(tkcContext, streams),
 				use.NewCmdUse(tkcContext, streams),
 				version.NewCmdVersion(tkcContext, streams.Out),
+				upinfo.NewCmdUpInfo(tkcContext, streams),
 			},
 		},
 		{