diff --git a/.github/workflows/generate-operator.yaml b/.github/workflows/generate-operator.yaml index 354a7c6..e040971 100644 --- a/.github/workflows/generate-operator.yaml +++ b/.github/workflows/generate-operator.yaml @@ -33,8 +33,24 @@ jobs: - name: Configure Operator Manifests run: | ./chart-patch.sh - cat overlays/resource_limits.yaml >> simple-arc-operator/config/manager/kustomization.yaml - cat overlays/role_permissions.yaml >> simple-arc-operator/config/rbac/kustomization.yaml + + yq -yi '.spec.template.spec.containers[0].resources.limits.memory = "500Mi"' \ + simple-arc-operator/config/manager/manager.yaml + + yq -yi '.rules + [ + { + "apiGroups": ["apiextensions.k8s.io"], + "resources": ["customresourcedefinitions"], + "verbs": ["*"] + }, + { + "apiGroups": ["cert-manager.io"], + "resources": ["certificates", "issuers"], + "verbs": ["*"] + } + ]' \ + simple-arc-operator/config/rbac/role.yaml + mkdir -p simple-arc-operator/config/manifests/base &&\ cp overlays/simple-arc-operator.clusterserviceversion.yaml "$_" diff --git a/simple-arc-operator/config/manager/kustomization.yaml b/simple-arc-operator/config/manager/kustomization.yaml index 5b90f29..5c5f0b8 100644 --- a/simple-arc-operator/config/manager/kustomization.yaml +++ b/simple-arc-operator/config/manager/kustomization.yaml @@ -1,11 +1,2 @@ resources: - manager.yaml - -patchesJson6902: -- target: - kind: Deployment - name: controller-manager - patch: |- - - op: replace - path: /spec/template/spec/containers/0/resources/limits/memory - value: 500mi diff --git a/simple-arc-operator/config/manager/manager.yaml b/simple-arc-operator/config/manager/manager.yaml index b074f16..ee9285c 100644 --- a/simple-arc-operator/config/manager/manager.yaml +++ b/simple-arc-operator/config/manager/manager.yaml 
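Review bot: The second `yq` call uses `.rules + [ … ]`, which evaluates to only the concatenated array, so with `-i` the file is rewritten as a bare list and `apiVersion`, `kind` and `metadata` are lost — the regenerated role.yaml later in this commit shows exactly that — and it should read `.rules += [ … ]`. The first call applies its assignment to every document in manager.yaml, which is presumably why the Namespace document also gained a `spec.template…` block; wrapping the filter in `if .kind == "Deployment" then … else . end` limits it to the Deployment. Both commands use the jq-syntax Python `yq` (`-y`), so the runner needs that package explicitly installed/pinned rather than the Go `yq` whose flags differ; an install step or a comment naming the expected tool would prevent a confusing failure. The rest of the `run:` block is unchanged.
```yaml
          # … unchanged: ./chart-patch.sh …
          yq -yi 'if .kind == "Deployment"
                  then .spec.template.spec.containers[0].resources.limits.memory = "500Mi"
                  else . end' \
            simple-arc-operator/config/manager/manager.yaml

          yq -yi '.rules += [
            # … unchanged: the two rule objects …
          ]' \
            simple-arc-operator/config/rbac/role.yaml
          # … unchanged: mkdir -p / cp of the CSV …
```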
@@ -10,6 +10,13 @@ metadata: app.kubernetes.io/part-of: simple-arc-operator app.kubernetes.io/managed-by: kustomize name: system +spec: + template: + spec: + containers: + - resources: + limits: + memory: 500Mi --- apiVersion: apps/v1 kind: Deployment 
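Review bot: The seven added lines place `spec.template.spec.containers[0].resources.limits.memory` on the first document of manager.yaml — the one whose `metadata.name: system` and kustomize labels mark it as the operator Namespace, not the Deployment that starts right after the `---` — and a Namespace has no such field, so `kubectl apply` with field validation rejects the manifest (or the API server silently prunes it). This appears to be the multi-document side effect of the workflow's `yq -yi '.spec.template…'` invocation rather than an intended change. Remove the added `spec:` block from this document and set the limit only on the Deployment, which the next hunk already shows at `memory: 500Mi`.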
@@ -36,66 +43,37 @@ spec: labels: control-plane: controller-manager spec: - # TODO(user): Uncomment the following code to configure the nodeAffinity expression - # according to the platforms which are supported by your solution. - # It is considered best practice to support multiple architectures. You can - # build your manager image using the makefile target docker-buildx. - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: kubernetes.io/arch - # operator: In - # values: - # - amd64 - # - arm64 - # - ppc64le - # - s390x - # - key: kubernetes.io/os - # operator: In - # values: - # - linux securityContext: runAsNonRoot: true - # TODO(user): For common cases that do not require escalating privileges - # it is recommended to ensure that all your Pods/Containers are restrictive. - # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - # Please uncomment the following code if your project does NOT have to work on old Kubernetes - # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). - # seccompProfile: - # type: RuntimeDefault containers: - - args: - - --leader-elect - - --leader-election-id=simple-arc-operator - image: controller:latest - name: manager - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - # TODO(user): Configure the resources accordingly based on the project requirements. 
- # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi + - args: + - --leader-elect + - --leader-election-id=simple-arc-operator + image: controller:latest + name: manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 10m + memory: 64Mi serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/simple-arc-operator/config/rbac/kustomization.yaml b/simple-arc-operator/config/rbac/kustomization.yaml index 7db3276..731832a 100644 --- a/simple-arc-operator/config/rbac/kustomization.yaml +++ b/simple-arc-operator/config/rbac/kustomization.yaml @@ -16,28 +16,3 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml - -patchesJson6902: -- target: - kind: ClusterRole - name: manager-role - patch: |- - - op: add - path: /rules/0 - value: - verbs: - - "*" - apiGroups: - - "apiextensions.k8s.io" - resources: - - customresourcedefinitions - - op: add - path: /rules/0 - value: - verbs: - - "*" - apiGroups: - - cert-manager.io - resources: - - certificates - - issuers \ No newline at end of file diff --git a/simple-arc-operator/config/rbac/role.yaml b/simple-arc-operator/config/rbac/role.yaml index ebcac41..0098566 100644 --- a/simple-arc-operator/config/rbac/role.yaml +++ b/simple-arc-operator/config/rbac/role.yaml 
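Review bot: The pod-level `securityContext` in the rewritten Deployment keeps only `runAsNonRoot: true`; the scaffold comment recommending `seccompProfile: type: RuntimeDefault` was deleted rather than acted on, so the manager pod still does not satisfy the restricted Pod Security Standard even though the container already drops all capabilities and forbids privilege escalation. Unless the operator must run on clusters older than 1.19 (or OpenShift < 4.11), add under the pod `securityContext:` the two lines `seccompProfile:` / `  type: RuntimeDefault`. The memory limit was raised from 128Mi to 500Mi while the 64Mi request stayed; whether the request should move too cannot be judged from here, but a one-line comment stating why 500Mi is needed would help the next reader. The Deployment's `spec:` begins before this hunk.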
@@ -1,83 +1,79 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: manager-role -rules: -## -## Base operator rules -## -# We need to get namespaces so the operator can read namespaces to ensure they exist - apiGroups: - - "" + - '' resources: - - namespaces + - namespaces verbs: - - get -# We need to manage Helm release secrets + - get - apiGroups: - - "" + - '' resources: - - secrets + - secrets verbs: - - "*" -# We need to create events on CRs about things happening during reconciliation + - '*' - apiGroups: - - "" + - '' resources: - - events + - events verbs: - - create - -## -## Rules for github-practice.boxboat.com/v1alpha1, Kind: ActionsRunnerController -## + - create - apiGroups: - - github-practice.boxboat.com + - github-practice.boxboat.com resources: - - actionsrunnercontrollers - - actionsrunnercontrollers/status - - actionsrunnercontrollers/finalizers + - actionsrunnercontrollers + - actionsrunnercontrollers/status + - actionsrunnercontrollers/finalizers verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - - "" + - '' resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - - apps + - apps resources: - - deployments - - daemonsets - - replicasets - - statefulsets + - deployments + - daemonsets + - replicasets + - statefulsets verbs: - - create - - delete - - get - - list - - patch - - update - - watch - -#+kubebuilder:scaffold:rules + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + 
- customresourcedefinitions + verbs: + - '*' +- apiGroups: + - cert-manager.io + resources: + - certificates + - issuers + verbs: + - '*'
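Review bot: The new side of role.yaml no longer contains `apiVersion`, `kind: ClusterRole`, `metadata.name: manager-role` or the `rules:` key — the file is now a bare YAML sequence of rule objects, which is not a Kubernetes object, so `kustomize build` of config/rbac fails and the manager ClusterRole is never produced. This is consistent with the workflow's `yq -yi '.rules + [ … ]'` filter returning only the array; regenerate with `.rules += [ … ]` so the document wrapper survives. Separately, the two appended rules grant `verbs: ['*']` cluster-wide on all CustomResourceDefinitions and on cert-manager certificates/issuers; that wildcard was carried over from the old JSON6902 patch, but now that the rules live in this file it is worth narrowing to the verbs the controller actually uses (likely `get`, `list`, `watch`, `create`, `update`, `patch`), since `*` also includes `delete` and `deletecollection`.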