patch cdi-operator and cdi-deployment

Signed-off-by: Maksim Fedotov <[email protected]>
deckhouse · Nov 14, 2024 · c72da88 · c72da88
1 parent a0bd249
commit c72da88
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 0 deletions.
diff --git a/templates/cdi/cdi-operator/deployment.yaml b/templates/cdi/cdi-operator/deployment.yaml
@@ -110,10 +110,57 @@ spec:
             {{- end }}
         volumeMounts:
         {{- include "kube_api_rewriter.kubeconfig_volume_mount" . | nindent 8 }}
+      - name: kube-rbac-proxy
+        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        image: {{ include "helm_lib_module_common_image" (list . "kubeRbacProxy") }}
+        args:
+        - "--secure-listen-address=$(KUBE_RBAC_PROXY_LISTEN_ADDRESS):8082"
+        - "--client-ca-file=/etc/kube-rbac-proxy/ca.crt"
+        - "--v=2"
+        - "--logtostderr=true"
+        - "--stale-cache-interval=1h30m"
+        - "--livez-path=/livez"
+        env:
+        - name: KUBE_RBAC_PROXY_LISTEN_ADDRESS
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: KUBE_RBAC_PROXY_CONFIG
+          value: |
+            excludePaths:
+            - /config
+            upstreams:
+            - upstream: http://127.0.0.1:8080/metrics
+              path: /metrics
+              authorization:
+                resourceAttributes:
+                  namespace: d8-virtualization
+                  apiGroup: apps
+                  apiVersion: v1
+                  resource: deployments
+                  subresource: http
+                  name: virtualization-controller
+        resources:
+          requests:
+            {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }}
+{{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler") }}
+            {{- include "helm_lib_container_kube_rbac_proxy_resources" . | nindent 12 }}
+{{- end }}
+        volumeMounts:
+          - name: kube-rbac-proxy-ca
+            mountPath: /etc/kube-rbac-proxy
+        ports:
+          - containerPort: 8082
+            name: https-metrics
+            protocol: TCP
       {{- include "helm_lib_priority_class" (tuple . $priorityClassName) | nindent 6 }}
       {{- include "helm_lib_node_selector" (tuple . "system") | nindent 6 }}
       {{- include "helm_lib_tolerations" (tuple . "system") | nindent 6 }}
       {{- include "helm_lib_module_pod_security_context_run_as_user_nobody" . | nindent 6 }}
       serviceAccountName: cdi-operator
       volumes:
       {{- include "kube_api_rewriter.kubeconfig_volume" . | nindent 6 }}
+      - name: kube-rbac-proxy-ca
+        configMap:
+          defaultMode: 420
+          name: kube-rbac-proxy-ca.crt
diff --git a/templates/cdi/config.yaml b/templates/cdi/config.yaml
@@ -88,6 +88,29 @@ spec:
         patch: {{ include "kube_api_rewriter.pod_spec_strategic_patch_json" (tuple . "cdi-deployment") }}
         type: strategic
 
+      # Add kube-rbac-proxy as a sidecar container to cdi-deployment
+      {{- $kubeRbacProxySettings := dict }}
+      {{- $_ := set $kubeRbacProxySettings "containerName" "kube-rbac-proxy" }}
+      {{- $_ := set $kubeRbacProxySettings "namespace" "d8-virtualization" }}
+      {{- $_ := set $kubeRbacProxySettings "apiGroup" "apps" }}
+      {{- $_ := set $kubeRbacProxySettings "apiVersion" "v1" }}
+      {{- $_ := set $kubeRbacProxySettings "resource" "deployment" }}
+      {{- $_ := set $kubeRbacProxySettings "subresource" "prometheus-metrics" }}
+      {{- $_ := set $kubeRbacProxySettings "name" "cdi-deployment" }}
+      {{- $_ := set $kubeRbacProxySettings "listenPort" "8082" }}
+      {{- $_ := set $kubeRbacProxySettings "clientCAFile" "/etc/kube-rbac-proxy/ca.crt" }}
+      {{- $_ := set $kubeRbacProxySettings "logLevel" "2" }}
+      {{- $_ := set $kubeRbacProxySettings "staleCacheInterval" "1h30m" }}
+      {{- $_ := set $kubeRbacProxySettings "livezPath" "/livez" }}
+      {{- $_ := set $kubeRbacProxySettings "excludePath" "/config" }}
+      {{- $_ := set $kubeRbacProxySettings "upstream" "http://127.0.0.1:8080/metrics" }}
+      {{- $_ := set $kubeRbacProxySettings "path" "/metrics" }}
+      {{- $_ := set $kubeRbacProxySettings "portName" "https-metrics" }}
+      - resourceName: cdi-deployment
+        resourceType: Deployment
+        patch: {{ include "kube_rbac_proxy.pod_spec_strategic_patch_json" (tuple . $kubeRbacProxySettings) }}
+        type: strategic
+
       # Add rewriter proxy container port to the Service used by webhook configurations.
       # First need to set name for existing port to make strategic patch works later.
       - resourceName: cdi-api