diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 080b4ac..4ceeb00 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -52,7 +52,7 @@ jobs: type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} - type=sha,prefix={{branch}}- + type=sha,prefix= - uses: docker/build-push-action@v2 with: diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 841ccc6..48136a9 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -4,6 +4,7 @@ on: push: branches: - main + tags: [ v* ] jobs: release: diff --git a/Makefile b/Makefile index a9197a5..3b1890f 100644 --- a/Makefile +++ b/Makefile @@ -258,3 +258,13 @@ catalog-build: opm ## Build a catalog image. .PHONY: catalog-push catalog-push: ## Push a catalog image. $(MAKE) docker-push IMG=$(CATALOG_IMG) +######################### Helmify +HELMIFY ?= $(LOCALBIN)/helmify + +.PHONY: helmify +helmify: $(HELMIFY) ## Download helmify locally if necessary. +$(HELMIFY): $(LOCALBIN) + test -s $(LOCALBIN)/helmify || GOBIN=$(LOCALBIN) go install github.com/arttor/helmify/cmd/helmify@v0.4.5 + +helm: manifests kustomize helmify + $(KUSTOMIZE) build config/default | $(HELMIFY) deploy/charts/rls-operator diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 5c5f0b8..ad13e96 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -1,2 +1,8 @@ resources: - manager.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: controller + newTag: latest diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index f4a31e2..1fce8cf 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -70,7 +70,7 @@ spec: - /manager args: - --leader-elect - image: controller:latest + image: ghcr.io/snapp-incubator/contour-global-ratelimit-operator:main name: manager securityContext: allowPrivilegeEscalation: false diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml index 5676b64..9696906 100644 --- a/config/rbac/auth_proxy_service.yaml +++ b/config/rbac/auth_proxy_service.yaml @@ -18,4 +18,4 @@ spec: protocol: TCP targetPort: https selector: - control-plane: controller-manager + control-plane: controller-manager \ No newline at end of file diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 731832a..39a81d8 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -16,3 +16,4 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml +- xds_svc.yaml diff --git a/config/rbac/xds_svc.yaml b/config/rbac/xds_svc.yaml new file mode 100644 index 0000000..d820d3e --- /dev/null +++ b/config/rbac/xds_svc.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: service + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + app.kubernetes.io/managed-by: kustomize + name: controller-manager + namespace: system +spec: + ports: + - name: xds + port: 18000 + protocol: TCP + targetPort: xds + selector: + control-plane: controller-manager \ No newline at end of file diff --git a/deploy/charts/rls-operator/.helmignore b/deploy/charts/rls-operator/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/deploy/charts/rls-operator/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/deploy/charts/rls-operator/Chart.yaml b/deploy/charts/rls-operator/Chart.yaml new file mode 100644 index 0000000..aec96b4 --- /dev/null +++ b/deploy/charts/rls-operator/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +name: rls-operator +description: A Helm chart for Kubernetes +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.1.0" diff --git a/deploy/charts/rls-operator/templates/_helpers.tpl b/deploy/charts/rls-operator/templates/_helpers.tpl new file mode 100644 index 0000000..d85fee8 --- /dev/null +++ b/deploy/charts/rls-operator/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "rls-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "rls-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "rls-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "rls-operator.labels" -}} +helm.sh/chart: {{ include "rls-operator.chart" . }} +{{ include "rls-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "rls-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "rls-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "rls-operator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "rls-operator.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/deploy/charts/rls-operator/templates/controller-manager.yaml b/deploy/charts/rls-operator/templates/controller-manager.yaml new file mode 100644 index 0000000..bc1face --- /dev/null +++ b/deploy/charts/rls-operator/templates/controller-manager.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "rls-operator.fullname" . }}-controller-manager + labels: + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + control-plane: controller-manager + {{- include "rls-operator.labels" . | nindent 4 }} +spec: + type: {{ .Values.controllerManager.type }} + selector: + control-plane: controller-manager + {{- include "rls-operator.selectorLabels" . | nindent 4 }} + ports: + {{- .Values.controllerManager.ports | toYaml | nindent 2 -}} \ No newline at end of file diff --git a/deploy/charts/rls-operator/templates/deployment.yaml b/deploy/charts/rls-operator/templates/deployment.yaml new file mode 100644 index 0000000..c08952f --- /dev/null +++ b/deploy/charts/rls-operator/templates/deployment.yaml @@ -0,0 +1,89 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "rls-operator.fullname" . }}-controller-manager + labels: + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + control-plane: controller-manager + {{- include "rls-operator.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.controllerManager.replicas }} + selector: + matchLabels: + control-plane: controller-manager + {{- include "rls-operator.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + control-plane: controller-manager + {{- include "rls-operator.selectorLabels" . | nindent 8 }} + annotations: + kubectl.kubernetes.io/default-container: manager + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }} + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ quote .Values.kubernetesClusterDomain }} + image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag + | default .Chart.AppVersion }} + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent + 10 }} + securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext + | nindent 10 }} + - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }} + command: + - /manager + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ quote .Values.kubernetesClusterDomain }} + image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag + | default .Chart.AppVersion }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 18000 + name: xds + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10 + }} + securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext + | nindent 10 }} + securityContext: + runAsNonRoot: true + serviceAccountName: {{ include "rls-operator.fullname" . }}-controller-manager + terminationGracePeriodSeconds: 10 \ No newline at end of file diff --git a/deploy/charts/rls-operator/templates/leader-election-rbac.yaml b/deploy/charts/rls-operator/templates/leader-election-rbac.yaml new file mode 100644 index 0000000..167bbb1 --- /dev/null +++ b/deploy/charts/rls-operator/templates/leader-election-rbac.yaml @@ -0,0 +1,59 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "rls-operator.fullname" . }}-leader-election-role + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + {{- include "rls-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "rls-operator.fullname" . }}-leader-election-rolebinding + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + {{- include "rls-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: '{{ include "rls-operator.fullname" . }}-leader-election-role' +subjects: +- kind: ServiceAccount + name: '{{ include "rls-operator.fullname" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/deploy/charts/rls-operator/templates/manager-rbac.yaml b/deploy/charts/rls-operator/templates/manager-rbac.yaml new file mode 100644 index 0000000..0d2b6ab --- /dev/null +++ b/deploy/charts/rls-operator/templates/manager-rbac.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "rls-operator.fullname" . }}-manager-role + labels: + {{- include "rls-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - projectcontour.io + resources: + - httpproxies + verbs: + - get + - list + - watch +- apiGroups: + - projectcontour.io + resources: + - httpproxies/finalizers + verbs: + - update +- apiGroups: + - projectcontour.io + resources: + - httpproxies/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "rls-operator.fullname" . }}-manager-rolebinding + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + {{- include "rls-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "rls-operator.fullname" . }}-manager-role' +subjects: +- kind: ServiceAccount + name: '{{ include "rls-operator.fullname" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/deploy/charts/rls-operator/templates/metrics-reader-rbac.yaml b/deploy/charts/rls-operator/templates/metrics-reader-rbac.yaml new file mode 100644 index 0000000..d59af49 --- /dev/null +++ b/deploy/charts/rls-operator/templates/metrics-reader-rbac.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "rls-operator.fullname" . }}-metrics-reader + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + {{- include "rls-operator.labels" . | nindent 4 }} +rules: +- nonResourceURLs: + - /metrics + verbs: + - get \ No newline at end of file diff --git a/deploy/charts/rls-operator/templates/metrics-service.yaml b/deploy/charts/rls-operator/templates/metrics-service.yaml new file mode 100644 index 0000000..380c6f1 --- /dev/null +++ b/deploy/charts/rls-operator/templates/metrics-service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "rls-operator.fullname" . }}-controller-manager-metrics-service + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + control-plane: controller-manager + {{- include "rls-operator.labels" . | nindent 4 }} +spec: + type: {{ .Values.metricsService.type }} + selector: + control-plane: controller-manager + {{- include "rls-operator.selectorLabels" . | nindent 4 }} + ports: + {{- .Values.metricsService.ports | toYaml | nindent 2 -}} \ No newline at end of file diff --git a/deploy/charts/rls-operator/templates/proxy-rbac.yaml b/deploy/charts/rls-operator/templates/proxy-rbac.yaml new file mode 100644 index 0000000..5e03a90 --- /dev/null +++ b/deploy/charts/rls-operator/templates/proxy-rbac.yaml @@ -0,0 +1,40 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "rls-operator.fullname" . }}-proxy-role + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + {{- include "rls-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "rls-operator.fullname" . }}-proxy-rolebinding + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + {{- include "rls-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "rls-operator.fullname" . }}-proxy-role' +subjects: +- kind: ServiceAccount + name: '{{ include "rls-operator.fullname" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/deploy/charts/rls-operator/templates/serviceaccount.yaml b/deploy/charts/rls-operator/templates/serviceaccount.yaml new file mode 100644 index 0000000..9c8d14c --- /dev/null +++ b/deploy/charts/rls-operator/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "rls-operator.fullname" . }}-controller-manager + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: contour-global-ratelimit-operator + app.kubernetes.io/part-of: contour-global-ratelimit-operator + {{- include "rls-operator.labels" . | nindent 4 }} + annotations: + {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }} \ No newline at end of file diff --git a/deploy/charts/rls-operator/values.yaml b/deploy/charts/rls-operator/values.yaml new file mode 100644 index 0000000..cfb8055 --- /dev/null +++ b/deploy/charts/rls-operator/values.yaml @@ -0,0 +1,59 @@ +controllerManager: + kubeRbacProxy: + args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + image: + repository: gcr.io/kubebuilder/kube-rbac-proxy + tag: v0.13.1 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + manager: + args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + image: + repository: ghcr.io/snapp-incubator/contour-global-ratelimit-operator + tag: main + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + ports: + - name: xds + port: 18000 + protocol: TCP + targetPort: xds + replicas: 1 + serviceAccount: + annotations: {} + type: ClusterIP +kubernetesClusterDomain: cluster.local +metricsService: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + type: ClusterIP