From bc08fcbd53e89d1166e69c688a6203f2b8b82e52 Mon Sep 17 00:00:00 2001 From: Bryce Palmer Date: Wed, 29 Mar 2023 15:30:09 -0400 Subject: [PATCH 1/4] refactor manifests to enable use of kustomize 
Signed-off-by: Bryce Palmer --- Makefile | 16 ++- config/00_namespace.yaml | 4 - config/aggregated-apiserver.yaml | 97 -------------- config/apiserver/apiserver.yaml | 126 ++++++++++++++++++ config/apiserver/kustomization.yaml | 8 ++ config/apiservice.yaml | 18 --- config/controller-manager.yaml | 44 ------ config/crd/kustomization.yaml | 27 ++++ config/crd/kustomizeconfig.yaml | 19 +++ .../cainjection_in_bundlemetadata.yaml | 7 + .../cainjection_in_catalogsources.yaml | 7 + .../crd/patches/cainjection_in_packages.yaml | 7 + .../patches/webhook_in_bundlemetadata.yaml | 16 +++ .../patches/webhook_in_catalogsources.yaml | 16 +++ config/crd/patches/webhook_in_packages.yaml | 16 +++ config/default/kustomization.yaml | 48 +++++++ config/default/manager_auth_proxy_patch.yaml | 55 ++++++++ config/default/manager_config_patch.yaml | 10 ++ config/{ => etcd}/etcd.yaml | 6 +- config/etcd/kustomization.yaml | 2 + config/manager/kustomization.yaml | 8 ++ config/manager/manager.yaml | 102 ++++++++++++++ config/prometheus/kustomization.yaml | 2 + config/prometheus/monitor.yaml | 26 ++++ config/rbac.yaml | 101 -------------- config/rbac/apiserver_role.yaml | 25 ++++ config/rbac/apiserver_rolebindings.yaml | 27 ++++ .../rbac/auth_proxy_client_clusterrole.yaml | 16 +++ config/rbac/auth_proxy_role.yaml | 24 ++++ config/rbac/auth_proxy_role_binding.yaml | 19 +++ config/rbac/auth_proxy_service.yaml | 21 +++ config/rbac/kustomization.yaml | 20 +++ config/rbac/leader_election_role.yaml | 44 ++++++ config/rbac/leader_election_role_binding.yaml | 19 +++ config/rbac/role.yaml | 47 +++++-- config/rbac/role_binding.yaml | 19 +++ config/rbac/service_account.yaml | 25 ++++ config/samples/catalogsource.yaml | 7 - .../samples/core_v1beta1_catalogsource.yaml | 13 ++ main.go | 2 +- .../core/bundlemetadata_controller.go | 6 +- .../core/catalogsource_controller.go | 3 + pkg/controllers/core/package_controller.go | 6 +- 43 files changed, 836 insertions(+), 295 deletions(-) delete mode 100644 
config/00_namespace.yaml delete mode 100644 config/aggregated-apiserver.yaml create mode 100644 config/apiserver/apiserver.yaml create mode 100644 config/apiserver/kustomization.yaml delete mode 100644 config/apiservice.yaml delete mode 100644 config/controller-manager.yaml create mode 100644 config/crd/kustomization.yaml create mode 100644 config/crd/kustomizeconfig.yaml create mode 100644 config/crd/patches/cainjection_in_bundlemetadata.yaml create mode 100644 config/crd/patches/cainjection_in_catalogsources.yaml create mode 100644 config/crd/patches/cainjection_in_packages.yaml create mode 100644 config/crd/patches/webhook_in_bundlemetadata.yaml create mode 100644 config/crd/patches/webhook_in_catalogsources.yaml create mode 100644 config/crd/patches/webhook_in_packages.yaml create mode 100644 config/default/kustomization.yaml create mode 100644 config/default/manager_auth_proxy_patch.yaml create mode 100644 config/default/manager_config_patch.yaml rename config/{ => etcd}/etcd.yaml (93%) create mode 100644 config/etcd/kustomization.yaml create mode 100644 config/manager/kustomization.yaml create mode 100644 config/manager/manager.yaml create mode 100644 config/prometheus/kustomization.yaml create mode 100644 config/prometheus/monitor.yaml delete mode 100644 config/rbac.yaml create mode 100644 config/rbac/apiserver_role.yaml create mode 100644 config/rbac/apiserver_rolebindings.yaml create mode 100644 config/rbac/auth_proxy_client_clusterrole.yaml create mode 100644 config/rbac/auth_proxy_role.yaml create mode 100644 config/rbac/auth_proxy_role_binding.yaml create mode 100644 config/rbac/auth_proxy_service.yaml create mode 100644 config/rbac/kustomization.yaml create mode 100644 config/rbac/leader_election_role.yaml create mode 100644 config/rbac/leader_election_role_binding.yaml create mode 100644 config/rbac/role_binding.yaml create mode 100644 config/rbac/service_account.yaml delete mode 100644 config/samples/catalogsource.yaml create mode 100644 
config/samples/core_v1beta1_catalogsource.yaml diff --git a/Makefile b/Makefile index c57ac622..6302abb9 100644 --- a/Makefile +++ b/Makefile @@ -133,10 +133,20 @@ controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessar $(CONTROLLER_GEN): $(LOCALBIN) GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) -KUSTOMIZE = $(shell pwd)/bin/kustomize +## Tool Binaries +KUSTOMIZE ?= $(LOCALBIN)/kustomize +## Tool Versions +KUSTOMIZE_VERSION ?= v5.0.1 + +KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" .PHONY: kustomize -kustomize: ## Download kustomize locally if necessary. - $(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v3@v3.8.7) +kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. +$(KUSTOMIZE): $(LOCALBIN) + @if test -x $(LOCALBIN)/kustomize && ! $(LOCALBIN)/kustomize version | grep -q $(KUSTOMIZE_VERSION); then \ + echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing."; \ + rm -rf $(LOCALBIN)/kustomize; \ + fi + test -s $(LOCALBIN)/kustomize || { curl -Ss $(KUSTOMIZE_INSTALL_SCRIPT) | bash -s -- $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN); } ENVTEST = $(shell pwd)/bin/setup-envtest .PHONY: envtest diff --git a/config/00_namespace.yaml b/config/00_namespace.yaml deleted file mode 100644 index 91ec2ad3..00000000 --- a/config/00_namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: catalogd-system \ No newline at end of file diff --git a/config/aggregated-apiserver.yaml b/config/aggregated-apiserver.yaml deleted file mode 100644 index 897d40fa..00000000 --- a/config/aggregated-apiserver.yaml +++ /dev/null 
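Review bot: The new `$(KUSTOMIZE)` recipe pipes a script fetched from the `master` branch straight into `bash`, so what runs on a developer or CI machine is whatever that branch holds at build time, with no pin and no integrity check; `curl -Ss` also lacks `-f`, so an HTTP error body would be handed to the shell. The neighbouring `$(CONTROLLER_GEN)` rule in the context lines already installs a pinned module version, and the same form would work here: `GOBIN=$(LOCALBIN) go install sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION)`. If the script has to stay, point `KUSTOMIZE_INSTALL_SCRIPT` at a tagged or commit-pinned URL rather than `master` and add `-f` to the curl flags. `$(KUSTOMIZE_VERSION)` is also passed to `grep -q` unquoted and its dots match any character; `grep -qF '$(KUSTOMIZE_VERSION)'` would be stricter.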
@@ -1,97 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: catalogd-apiserver - namespace: catalogd-system - labels: - api: catalogd - apiserver: "true" -spec: - selector: - matchLabels: - api: catalogd - apiserver: "true" - replicas: 1 - template: - metadata: - labels: - api: catalogd - apiserver: "true" - spec: - containers: - - name: apiserver - image: quay.io/operator-framework/catalogd-server:latest - imagePullPolicy: IfNotPresent - volumeMounts: - - name: apiserver-certs - mountPath: /apiserver.local.config/certificates - readOnly: true - command: - - "./apiserver" - args: - - "--etcd-servers=http://etcd-svc:2379" - - "--tls-cert-file=/apiserver.local.config/certificates/tls.crt" - - "--tls-private-key-file=/apiserver.local.config/certificates/tls.key" - - "--audit-log-path=-" - - "--feature-gates=APIPriorityAndFairness=false" - - "--audit-log-maxage=0" - - "--audit-log-maxbackup=0" - - "--profiling" - resources: - requests: - cpu: 100m - memory: 20Mi - limits: - cpu: 100m - memory: 30Mi - volumes: - - name: apiserver-certs - secret: - secretName: catalogd ---- -apiVersion: v1 -kind: Service -metadata: - name: catalogd - namespace: catalogd-system - labels: - api: catalogd - apiserver: "true" -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 443 - selector: - api: catalogd - apiserver: "true" ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - api: catalogd - apiserver: "true" - name: selfsigned-issuer - namespace: catalogd-system -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: - api: catalogd - apiserver: "true" - name: catalogd-cert - namespace: catalogd-system -spec: - dnsNames: - - catalogd.catalogd-system.svc - - catalogd.catalogd-system.svc.cluster.local - - localhost - issuerRef: - kind: Issuer - name: selfsigned-issuer - secretName: catalogd 
diff --git a/config/apiserver/apiserver.yaml b/config/apiserver/apiserver.yaml
new file mode 100644
index 00000000..4958aefd
--- /dev/null
+++ b/config/apiserver/apiserver.yaml
@@ -0,0 +1,126 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1beta1.core.rukpak.io
+ labels:
+ api: catalogd
+ apiserver: "true"
+ app.kubernetes.io/name: apiservice
+ app.kubernetes.io/instance: system
+ app.kubernetes.io/component: apiservice
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+spec:
+ version: v1beta1
+ group: core.rukpak.io
+ groupPriorityMinimum: 2000
+ service:
+ name: catalogd
+ namespace: system
+ versionPriority: 10
+ caBundle: "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"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: apiserver
+ namespace: system
+ labels:
+ api: catalogd
+ apiserver: "true"
+ app.kubernetes.io/name: deployment
+ app.kubernetes.io/instance: system
+ app.kubernetes.io/component: apiservice
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+spec:
+ selector:
+ matchLabels:
+ api: catalogd
+ apiserver: "true"
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ api: catalogd
+ apiserver: "true"
+ spec:
+ serviceAccountName: apiserver
+ containers:
+ - name: apiserver
+ image: apiserver:latest
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: catalogd-apiserver-certs
+ mountPath: /apiserver.local.config/certificates
+ readOnly: true
+ command:
+ - "./apiserver"
+ args:
+ - "--etcd-servers=http://catalogd-etcd-svc:2379"
+ - "--tls-cert-file=/apiserver.local.config/certificates/tls.crt"
+ - "--tls-private-key-file=/apiserver.local.config/certificates/tls.key"
+ - "--audit-log-path=-"
+ - "--feature-gates=APIPriorityAndFairness=false"
+ - "--audit-log-maxage=0"
+ - "--audit-log-maxbackup=0"
+ - "--profiling"
+ resources:
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ limits:
+ cpu: 100m
+ memory: 30Mi
+ volumes:
+ - name: catalogd-apiserver-certs
+ secret:
+ secretName: catalogd-apiserver
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: apiserver
+ namespace: system
+ labels:
+ api: catalogd
+ apiserver: "true"
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ api: catalogd
+ apiserver: "true"
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ labels:
+ api: catalogd
+ apiserver: "true"
+ name: selfsigned-issuer
+ namespace: system
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ api: catalogd
+ apiserver: "true"
+ name: server-cert
+ namespace: system
+spec:
+ dnsNames:
+ - catalogd-apiserver.catalogd.svc
+ - catalogd-apiserver.catalogd.svc.cluster.local
+ - localhost
+ issuerRef:
+ kind: Issuer
+ name: catalogd-selfsigned-issuer
+ secretName: catalogd-apiserver
diff --git a/config/apiserver/kustomization.yaml b/config/apiserver/kustomization.yaml
new file mode 100644
index 00000000..d3eb5475
--- /dev/null
+++ b/config/apiserver/kustomization.yaml
@@ -0,0 +1,8 @@
+resources:
+- apiserver.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: apiserver
+ newName: docker.io/anik120/rukpak-packageserver
+ newTag: latest
diff --git a/config/apiservice.yaml b/config/apiservice.yaml
deleted file mode 100644
index 0711194e..00000000
--- a/config/apiservice.yaml
+++ /dev/null
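Review bot: The `server-cert` Certificate in config/apiserver/apiserver.yaml lists `catalogd-apiserver.catalogd.svc` and `catalogd-apiserver.catalogd.svc.cluster.local` in `dnsNames`, but config/default in this patch sets `namespace: catalogd-system`, so the serving certificate would presumably carry no SAN for the Service's real DNS name and the aggregator's TLS verification would fail; the entries should read `catalogd-apiserver.catalogd-system.svc` and `catalogd-apiserver.catalogd-system.svc.cluster.local`. The APIService also points at `service.name: catalogd` while the Service in this file is named `apiserver`, which is worth confirming against the rendered output. Separately, the apiserver container has no `securityContext` (the manager Deployment added in this commit sets `allowPrivilegeEscalation: false` and drops all capabilities), keeps `--profiling` on, and reaches etcd over plain `http://`; a short comment saying which of these are development-only would help.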
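Review bot: The `images` override in config/apiserver/kustomization.yaml resolves `apiserver` to `docker.io/anik120/rukpak-packageserver:latest`, a personal registry namespace with a mutable tag, where the deleted manifest used `quay.io/operator-framework/catalogd-server`; config/manager/kustomization.yaml does the same with `docker.io/anik120/catalogsource-controller:manifests`. Anyone applying config/default runs whatever those tags point to at pull time, under the cluster-wide RBAC this commit binds to the service accounts. Point `newName` at the project registry and pin `newTag` to a release tag or digest, or keep the override out of the committed file and set it from the Makefile.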
@@ -1,18 +0,0 @@ - -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1beta1.core.catalogd.io - labels: - api: catalogd - apiserver: "true" -spec: - version: v1beta1 - group: core.catalogd.io - groupPriorityMinimum: 2000 - service: - name: catalogd - namespace: catalogd-system - versionPriority: 10 - caBundle: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR6RENDQXJTZ0F3SUJBZ0lVT0t0RXJnS3pGMTl4ZXh6cUVXbExxcGlmN2lnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2RERUxNQWtHQTFVRUJoTUNkVzR4Q3pBSkJnTlZCQWdNQW5OME1Rb3dDQVlEVlFRSERBRnNNUW93Q0FZRApWUVFLREFGdk1Rc3dDUVlEVlFRTERBSnZkVEV6TURFR0ExVUVBd3dxY25WcmNHRnJMWEJoWTJ0aFoyVnpaWEoyClpYSXRZMlZ5ZEdsbWFXTmhkR1V0WVhWMGFHOXlhWFI1TUI0WERUSXlNVEF3TnpFNU1Ua3dNMW9YRFRJek1UQXcKTnpFNU1Ua3dNMW93ZERFTE1Ba0dBMVVFQmhNQ2RXNHhDekFKQmdOVkJBZ01Bbk4wTVFvd0NBWURWUVFIREFGcwpNUW93Q0FZRFZRUUtEQUZ2TVFzd0NRWURWUVFMREFKdmRURXpNREVHQTFVRUF3d3FjblZyY0dGckxYQmhZMnRoCloyVnpaWEoyWlhJdFkyVnlkR2xtYVdOaGRHVXRZWFYwYUc5eWFYUjVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUYKQUFPQ0FROEFNSUlCQ2dLQ0FRRUFxZlRZSkpURmwwZ2F0RVQvUDlFTlhsWjRqYUdLSklMSFZVb2VjankwRmxVRgpDVnYvdTYrMzNwcnFBNjBiWmpzenFzN1FmTmZRTmd3azllTE03TDRiNVkyZnc1SitPTEhtSlc3S0FHVTcxa2JsCnBWaXZ6MFBjbUdNZlFFQU1kYTB0T2xZRjQyNEIvZTE2TEwyNDBQNzdxOFprQzEvU3N1NVlpMkVvRzlOQ3c2ZUgKalhRT2dXcFd0OE1VT1E1ZmZYRUdBcTlwcWJNeGN0UUxDS3JHVlVHVGdmaHQvb2xKWlcxbTJ6QVhEVDRQa0ZYRQo2MnNNVFBmamFFNWtmeUhxKy9nRXlUU0FPbW1LVzdJOXBNOHdZcVJ1ZHB4alZrWm5UQWlMVkNDckk2SGhaVVlECmpURThzTlhld2J2WU5rdnlVUnN4QjdEWHdOcE1kN2d3SzhiQ1BqTHBiUUlEQVFBQm8xWXdWREFkQmdOVkhRNEUKRmdRVVZjeXQ1L2F2RVc2SXJiOC9CKzkvYjhDZnFEb3dId1lEVlIwakJCZ3dGb0FVVmN5dDUvYXZFVzZJcmI4LwpCKzkvYjhDZnFEb3dFZ1lEVlIwVEFRSC9CQWd3QmdFQi93SUJBVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBClhFbU15L0tnMUZnVFdnL244ajcrak5aSFhHcWs2ZnZQMzNVbTZMaTdVL0JSOWZyQ05rQk9GSU9ZV21BWUlBQksKbEhSMStDQkJ5NncwSjFVMjZ4VEVaTnVPQVhOSHdPQVlNaURia2xRamlIMEdtcWpNUGxDQlhoUGpHTEhBK2h0dwpXd3JTL2h1bkJlU2RmbERtYThUbm9OMDUzTHZBanFNN3cwU3JOaWw3ZzhtM2k2djFmdGxNNkNJU1N0M05wRTZNCllnU2pMRTRLNmxCVFI0VU81K0hsanBVK2JWUCtHcDRMWHBGaEZJMU9jZjAxTC9iR
GF3elhmYXNoNm8yVS9lOE8KOUZTa1Q2TzFlVW5COFRyRVMrZDlaKzBQS2dqZXAzU0NmV1N5WDFSdzZKZGM3SmNYY0I0ZmdLQ3FMNWtIbHNXUgpNcXErQ3UycVlZbnNiclo4ZVZaUGtRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" ---- diff --git a/config/controller-manager.yaml b/config/controller-manager.yaml deleted file mode 100644 index c6920af2..00000000 --- a/config/controller-manager.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: catalogd-controller - namespace: catalogd-system - labels: - api: catalogd - controller: "true" -spec: - selector: - matchLabels: - api: catalogd - controller: "true" - replicas: 1 - template: - metadata: - labels: - api: catalogd - controller: "true" - spec: - containers: - - name: controller - image: quay.io/operator-framework/catalogd-controller:latest - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - command: - - "./manager" - args: - # If you are interested in enabling the endpoints for collecting - # performance metrics via pprof uncomment the below line: - # - --profiling=true - resources: - requests: - cpu: 1000m - memory: 200Mi - limits: - cpu: 1000m - memory: 300Mi - volumes: - - name: apiserver-certs - secret: - secretName: catalogd diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml new file mode 100644 index 00000000..d20749c7 --- /dev/null +++ b/config/crd/kustomization.yaml 
@@ -0,0 +1,27 @@ +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/default +resources: +- bases/core.catalogd.io_bundlemetadata.yaml +- bases/core.catalogd.io_packages.yaml +- bases/core.catalogd.io_catalogsources.yaml +#+kubebuilder:scaffold:crdkustomizeresource + +patches: +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. +# patches here are for enabling the conversion webhook for each CRD +#- patches/webhook_in_bundlemetadata.yaml +#- patches/webhook_in_packages.yaml +#- patches/webhook_in_catalogsources.yaml +#+kubebuilder:scaffold:crdkustomizewebhookpatch + +# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. +# patches here are for enabling the CA injection for each CRD +#- patches/cainjection_in_bundlemetadata.yaml +#- patches/cainjection_in_packages.yaml +#- patches/cainjection_in_catalogsources.yaml +#+kubebuilder:scaffold:crdkustomizecainjectionpatch + +# the following config is for teaching kustomize how to do kustomization for CRDs. +configurations: +- kustomizeconfig.yaml diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml new file mode 100644 index 00000000..ec5c150a --- /dev/null +++ b/config/crd/kustomizeconfig.yaml @@ -0,0 +1,19 @@ +# This file is for teaching kustomize how to substitute name and namespace reference in CRD +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: CustomResourceDefinition + version: v1 + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/name + +namespace: +- kind: CustomResourceDefinition + version: v1 + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/namespace + create: false + +varReference: +- path: metadata/annotations 
diff --git a/config/crd/patches/cainjection_in_bundlemetadata.yaml b/config/crd/patches/cainjection_in_bundlemetadata.yaml new file mode 100644 index 00000000..1195dc41 --- /dev/null +++ b/config/crd/patches/cainjection_in_bundlemetadata.yaml @@ -0,0 +1,7 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: bundlemetadata.core.rukpak.io diff --git a/config/crd/patches/cainjection_in_catalogsources.yaml b/config/crd/patches/cainjection_in_catalogsources.yaml new file mode 100644 index 00000000..16a6ab47 --- /dev/null +++ b/config/crd/patches/cainjection_in_catalogsources.yaml @@ -0,0 +1,7 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: catalogsources.core.rukpak.io diff --git a/config/crd/patches/cainjection_in_packages.yaml b/config/crd/patches/cainjection_in_packages.yaml new file mode 100644 index 00000000..498a5dd8 --- /dev/null +++ b/config/crd/patches/cainjection_in_packages.yaml @@ -0,0 +1,7 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: packages.core.rukpak.io diff --git a/config/crd/patches/webhook_in_bundlemetadata.yaml b/config/crd/patches/webhook_in_bundlemetadata.yaml new file mode 100644 index 00000000..bdac0ec1 --- /dev/null +++ b/config/crd/patches/webhook_in_bundlemetadata.yaml 
@@ -0,0 +1,16 @@ +# The following patch enables a conversion webhook for the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bundlemetadata.core.rukpak.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: system + name: webhook-service + path: /convert + conversionReviewVersions: + - v1 diff --git a/config/crd/patches/webhook_in_catalogsources.yaml b/config/crd/patches/webhook_in_catalogsources.yaml new file mode 100644 index 00000000..c1397eba --- /dev/null +++ b/config/crd/patches/webhook_in_catalogsources.yaml @@ -0,0 +1,16 @@ +# The following patch enables a conversion webhook for the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: catalogsources.core.rukpak.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: system + name: webhook-service + path: /convert + conversionReviewVersions: + - v1 diff --git a/config/crd/patches/webhook_in_packages.yaml b/config/crd/patches/webhook_in_packages.yaml new file mode 100644 index 00000000..5bb59a4a --- /dev/null +++ b/config/crd/patches/webhook_in_packages.yaml @@ -0,0 +1,16 @@ +# The following patch enables a conversion webhook for the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: packages.core.rukpak.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: system + name: webhook-service + path: /convert + conversionReviewVersions: + - v1 diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml new file mode 100644 index 00000000..0e883e44 --- /dev/null +++ b/config/default/kustomization.yaml 
@@ -0,0 +1,48 @@ +# Adds namespace to all resources. +namespace: catalogd-system + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: catalogd- + +# Labels to add to all resources and selectors. +#commonLabels: +# someName: someValue + +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +#- ../webhook +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. +#- ../certmanager +# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. +#- ../prometheus + +# Protect the /metrics endpoint by putting it behind auth. +# If you want your controller-manager to expose the /metrics +# endpoint w/o any authn/z, please comment the following line. + + + +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +#- manager_webhook_patch.yaml + +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. +# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. +# 'CERTMANAGER' needs to be enabled to use ca injection +#- webhookcainjection_patch.yaml + +# the following config is for teaching kustomize how to do var substitution +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../crd +- ../rbac +- ../manager +- ../apiserver +- ../etcd +patches: +- path: manager_auth_proxy_patch.yaml diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml new file mode 100644 index 00000000..687c4a7a --- /dev/null +++ b/config/default/manager_auth_proxy_patch.yaml 
@@ -0,0 +1,55 @@ +# This patch inject a sidecar container which is a HTTP proxy for the +# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - name: kube-rbac-proxy + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=0" + ports: + - containerPort: 8443 + protocol: TCP + name: https + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=127.0.0.1:8080" + - "--leader-elect" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml new file mode 100644 index 00000000..f6f58916 --- /dev/null +++ b/config/default/manager_config_patch.yaml @@ -0,0 +1,10 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager diff --git a/config/etcd.yaml b/config/etcd/etcd.yaml similarity index 93% rename from config/etcd.yaml rename to config/etcd/etcd.yaml index 8e3125a8..9b401257 100644 --- a/config/etcd.yaml +++ b/config/etcd/etcd.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: etcd - namespace: catalogd-system + namespace: system spec: selector: matchLabels: 
@@ -63,7 +63,7 @@ spec: - metadata: name: etcd-data-dir annotations: - volume.beta.kubernetes.io/storage-class: standard + volume.beta.kubernetes.io/storage-class: local-path spec: accessModes: [ "ReadWriteOnce" ] resources: @@ -74,7 +74,7 @@ apiVersion: v1 kind: Service metadata: name: etcd-svc - namespace: catalogd-system + namespace: system labels: app: etcd spec: diff --git a/config/etcd/kustomization.yaml b/config/etcd/kustomization.yaml new file mode 100644 index 00000000..35505723 --- /dev/null +++ b/config/etcd/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- etcd.yaml diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml new file mode 100644 index 00000000..d6669ca5 --- /dev/null +++ b/config/manager/kustomization.yaml @@ -0,0 +1,8 @@ +resources: +- manager.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: docker.io/anik120/catalogsource-controller + newTag: manifests diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml new file mode 100644 index 00000000..15c4a600 --- /dev/null +++ b/config/manager/manager.yaml 
@@ -0,0 +1,102 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: namespace + app.kubernetes.io/instance: system + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize + name: system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager + app.kubernetes.io/name: deployment + app.kubernetes.io/instance: controller-manager + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + # TODO(user): Uncomment the following code to configure the nodeAffinity expression + # according to the platforms which are supported by your solution. + # It is considered best practice to support multiple architectures. You can + # build your manager image using the makefile target docker-buildx. + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/arch + # operator: In + # values: + # - amd64 + # - arm64 + # - ppc64le + # - s390x + # - key: kubernetes.io/os + # operator: In + # values: + # - linux + securityContext: + runAsNonRoot: true + # TODO(user): For common cases that do not require escalating privileges + # it is recommended to ensure that all your Pods/Containers are restrictive. 
+ # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + # Please uncomment the following code if your project does NOT have to work on old Kubernetes + # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). + # seccompProfile: + # type: RuntimeDefault + containers: + - command: + - "./manager" + args: + - --leader-elect + image: controller:latest + name: manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + # TODO(user): Configure the resources accordingly based on the project requirements. + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 1000m + memory: 200Mi + serviceAccountName: controller-manager + terminationGracePeriodSeconds: 10 diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml new file mode 100644 index 00000000..ed137168 --- /dev/null +++ b/config/prometheus/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- monitor.yaml diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml new file mode 100644 index 00000000..8d96dc19 --- /dev/null +++ b/config/prometheus/monitor.yaml 
@@ -0,0 +1,26 @@
+
+# Prometheus Monitor Service (Metrics)
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: servicemonitor
+ app.kubernetes.io/instance: controller-manager-metrics-monitor
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager-metrics-monitor
+ namespace: system
+spec:
+ endpoints:
+ - path: /metrics
+ port: https
+ scheme: https
+ bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ tlsConfig:
+ insecureSkipVerify: true
+ selector:
+ matchLabels:
+ control-plane: controller-manager
diff --git a/config/rbac.yaml b/config/rbac.yaml
deleted file mode 100644
index 6c0d4bbc..00000000
--- a/config/rbac.yaml
+++ /dev/null
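Review bot: `tlsConfig.insecureSkipVerify: true` in config/prometheus/monitor.yaml makes the scraper present its service-account bearer token (`bearerTokenFile`) to the `https` endpoint without verifying the server certificate, so the token is exposed to whatever answers for that Service. This is the stock scaffold, and config/default leaves `../prometheus` commented out, but once the metrics endpoint has a certificate the endpoint should set `ca` and `serverName` under `tlsConfig` instead. Until then, a comment above `insecureSkipVerify` stating that it is a development default would keep it from being enabled as-is.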
@@ -1,101 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: catalogd-apiserver-auth-reader -rules: - - apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: catalogd-apiserver-auth-reader - namespace: catalogd-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-apiserver-auth-reader -subjects: - - kind: ServiceAccount - namespace: catalogd-system - name: default ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: catalogd-apiserver-auth-delegator - namespace: catalogd-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - kind: ServiceAccount - namespace: catalogd-system - name: default ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: catalogd-controller - namespace: catalogd-system -rules: - - apiGroups: - - 'core.catalogd.io' - resources: - - '*' - verbs: - - '*' - - apiGroups: - - '' - resources: - - 'configmaps' - - 'namespaces' - - 'pods' - - 'pods/log' - verbs: - - 'get' - - 'list' - - 'watch' - - apiGroups: - - 'admissionregistration.k8s.io' - resources: - - '*' - verbs: - - 'list' - - 'watch' - - nonResourceURLs: - - '*' - verbs: - - '*' - - apiGroups: - - 'batch' - resources: - - 'jobs' - verbs: - - 'create' - - 'get' - - 'list' - - 'watch' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: catalogd-controller - namespace: catalogd-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-controller -subjects: - - kind: ServiceAccount - namespace: catalogd-system - name: default 
diff --git a/config/rbac/apiserver_role.yaml b/config/rbac/apiserver_role.yaml new file mode 100644 index 00000000..86fa259c --- /dev/null +++ b/config/rbac/apiserver_role.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: apiserver-auth-reader +rules: + - apiGroups: + - "" + resources: + - configmaps + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - 'admissionregistration.k8s.io' + resources: + - '*' + verbs: + - 'list' + - 'watch' + - nonResourceURLs: + - '*' + verbs: + - '*' diff --git a/config/rbac/apiserver_rolebindings.yaml b/config/rbac/apiserver_rolebindings.yaml new file mode 100644 index 00000000..18ac8395 --- /dev/null +++ b/config/rbac/apiserver_rolebindings.yaml @@ -0,0 +1,27 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: apiserver-auth-reader + namespace: system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: catalogd-apiserver-auth-reader +subjects: + - kind: ServiceAccount + namespace: catalogd-system + name: catalogd-apiserver +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: apiserver-auth-delegator + namespace: system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + namespace: catalogd-system + name: catalogd-apiserver diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml new file mode 100644 index 00000000..42068354 --- /dev/null +++ b/config/rbac/auth_proxy_client_clusterrole.yaml 
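Review bot: The last rule of the `apiserver-auth-reader` ClusterRole in config/rbac/apiserver_role.yaml, `nonResourceURLs: ['*']` with `verbs: ['*']`, grants the apiserver's service account every verb on every non-resource endpoint, and the first rule now allows get/list/watch on all ConfigMaps cluster-wide where the deleted config/rbac.yaml restricted the same role with `resourceNames: extension-apiserver-authentication`. An aggregated API server normally needs only that one ConfigMap in kube-system, which the built-in `extension-apiserver-authentication-reader` Role already grants through a RoleBinding, plus `system:auth-delegator`, which apiserver_rolebindings.yaml binds separately. I would drop the nonResourceURLs rule, restore the `resourceNames` restriction (or bind the built-in Role instead), and list the specific `admissionregistration.k8s.io` resources rather than `'*'`. Note also that `metadata.namespace` on the ClusterRoleBindings in apiserver_rolebindings.yaml has no effect, since that kind is cluster-scoped.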
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrole
+ app.kubernetes.io/instance: metrics-reader
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
new file mode 100644
index 00000000..86ca3cc0
--- /dev/null
+++ b/config/rbac/auth_proxy_role.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrole
+ app.kubernetes.io/instance: proxy-role
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
new file mode 100644
index 00000000..8c40d628
--- /dev/null
+++ b/config/rbac/auth_proxy_role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrolebinding
+ app.kubernetes.io/instance: proxy-rolebinding
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: proxy-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
new file mode 100644
index 00000000..fcd6f2ae
--- /dev/null
+++ b/config/rbac/auth_proxy_service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: service
+ app.kubernetes.io/instance: controller-manager-metrics-service
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager-metrics-service
+ namespace: system
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
new file mode 100644
index 00000000..68abd2f7
--- /dev/null
+++ b/config/rbac/kustomization.yaml
@@ -0,0 +1,20 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
+- apiserver_role.yaml
+- apiserver_rolebindings.yaml
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
new file mode 100644
index 00000000..c76dcdca
--- /dev/null
+++ b/config/rbac/leader_election_role.yaml
@@ -0,0 +1,44 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: role
+ app.kubernetes.io/instance: leader-election-role
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
new file mode 100644
index 00000000..b5bee512
--- /dev/null
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rolebinding
+ app.kubernetes.io/instance: leader-election-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 2d7bdf2b..60eafe06 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -5,9 +5,34 @@ metadata: creationTimestamp: null name: manager-role rules: +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch - apiGroups: - "" resources: + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - core.catalogd.io + resources: - bundlemetadata verbs: - create @@ -18,13 +43,13 @@ rules: - update - watch - apiGroups: - - "" + - core.catalogd.io resources: - bundlemetadata/finalizers verbs: - update - apiGroups: - - "" + - core.catalogd.io resources: - bundlemetadata/status verbs: @@ -32,9 +57,9 @@ rules: - patch - update - apiGroups: - - "" + - core.catalogd.io resources: - - packages + - catalogsources verbs: - create - delete @@ -44,15 +69,15 @@ rules: - update - watch - apiGroups: - - "" + - core.catalogd.io resources: - - packages/finalizers + - catalogsources/finalizers verbs: - update - apiGroups: - - "" + - core.catalogd.io resources: - - packages/status + - catalogsources/status verbs: - get - patch @@ -60,7 +85,7 @@ rules: - apiGroups: - core.catalogd.io resources: - - catalogsources + - packages verbs: - create - delete @@ -72,13 +97,13 @@ rules: - apiGroups: - core.catalogd.io resources: - - catalogsources/finalizers + - packages/finalizers verbs: - update - apiGroups: - core.catalogd.io resources: - - catalogsources/status + - packages/status verbs: - get - patch diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml new file mode 100644 index 00000000..da9b5ab5 --- /dev/null +++ b/config/rbac/role_binding.yaml 
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrolebinding
+ app.kubernetes.io/instance: manager-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
new file mode 100644
index 00000000..42fe8e19
--- /dev/null
+++ b/config/rbac/service_account.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kuberentes.io/instance: controller-manager
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager
+ namespace: system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kuberentes.io/instance: apiserver
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: apiserver
+ namespace: system
diff --git a/config/samples/catalogsource.yaml b/config/samples/catalogsource.yaml
deleted file mode 100644
index 1f86ac90..00000000
--- a/config/samples/catalogsource.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: core.catalogd.io/v1beta1
-kind: CatalogSource
-metadata:
- name: catalogsource-sample
-spec:
- image: quay.io/operatorhubio/catalog:latest
-
diff --git a/config/samples/core_v1beta1_catalogsource.yaml b/config/samples/core_v1beta1_catalogsource.yaml
new file mode 100644
index 00000000..4e72b78c
--- /dev/null
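Review bot: The label key `app.kuberentes.io/instance` on both ServiceAccounts in config/rbac/service_account.yaml is misspelled (`kuberentes`), so selectors, policies or inventory tooling that read the recommended `app.kubernetes.io/instance` label will not match these two identities. The lines should read `app.kubernetes.io/instance: controller-manager` and `app.kubernetes.io/instance: apiserver`. The same misspelling appears as `app.kuberentes.io/managed-by` in config/samples/core_v1beta1_catalogsource.yaml.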
+++ b/config/samples/core_v1beta1_catalogsource.yaml @@ -0,0 +1,13 @@ +apiVersion: core.catalogd.io/v1beta1 +kind: CatalogSource +metadata: + labels: + app.kubernetes.io/name: catalogsource + app.kubernetes.io/instance: catalogsource-sample + app.kubernetes.io/part-of: catalogd + app.kuberentes.io/managed-by: kustomize + app.kubernetes.io/created-by: catalogd + name: catalogsource-sample +spec: + image: quay.io/operatorhubio/catalog:latest + pollingInterval: 45m diff --git a/main.go b/main.go index 4cf674bb..04ad2153 100644 --- a/main.go +++ b/main.go @@ -76,7 +76,7 @@ func main() { Port: 9443, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, - LeaderElectionID: "510231d7.", + LeaderElectionID: "catalogd-operator-lock", }) if err != nil { setupLog.Error(err, "unable to start manager") diff --git a/pkg/controllers/core/bundlemetadata_controller.go b/pkg/controllers/core/bundlemetadata_controller.go index e31d66b5..efb8c7e3 100644 --- a/pkg/controllers/core/bundlemetadata_controller.go +++ b/pkg/controllers/core/bundlemetadata_controller.go @@ -33,9 +33,9 @@ type BundleMetadataReconciler struct { Scheme *runtime.Scheme } -//+kubebuilder:rbac:groups=core,resources=bundlemetadata,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=core,resources=bundlemetadata/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=core,resources=bundlemetadata/finalizers,verbs=update +//+kubebuilder:rbac:groups=core.catalogd.io,resources=bundlemetadata,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=core.catalogd.io,resources=bundlemetadata/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=core.catalogd.io,resources=bundlemetadata/finalizers,verbs=update // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. 
diff --git a/pkg/controllers/core/catalogsource_controller.go b/pkg/controllers/core/catalogsource_controller.go index f4e47c3e..c71b5c3a 100644 --- a/pkg/controllers/core/catalogsource_controller.go +++ b/pkg/controllers/core/catalogsource_controller.go @@ -50,6 +50,9 @@ type CatalogSourceReconciler struct { //+kubebuilder:rbac:groups=core.catalogd.io,resources=catalogsources,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=core.catalogd.io,resources=catalogsources/status,verbs=get;update;patch //+kubebuilder:rbac:groups=core.catalogd.io,resources=catalogsources/finalizers,verbs=update +//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch +//+kubebuilder:rbac:groups=core,resources=pods/log,verbs=get;list;watch +//+kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;get;list;watch // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/pkg/controllers/core/package_controller.go b/pkg/controllers/core/package_controller.go index 250a528b..652b2de6 100644 --- a/pkg/controllers/core/package_controller.go +++ b/pkg/controllers/core/package_controller.go @@ -33,9 +33,9 @@ type PackageReconciler struct { Scheme *runtime.Scheme } -//+kubebuilder:rbac:groups=core,resources=packages,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=core,resources=packages/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=core,resources=packages/finalizers,verbs=update +//+kubebuilder:rbac:groups=core.catalogd.io,resources=packages,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=core.catalogd.io,resources=packages/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=core.catalogd.io,resources=packages/finalizers,verbs=update // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. 
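Review bot: The three markers added to catalogsource_controller.go give the manager ClusterRole cluster-wide `create` on `jobs` plus read access to `pods` and `pods/log` in every namespace. A controller that can create Jobs anywhere can have workloads run under any service account in those namespaces, and pod logs frequently contain sensitive output, so this is more than a catalog unpacker needs if its Jobs only run in its own namespace (the Reconcile body is outside the hunk, so that is an assumption to confirm). If so, add a `namespace=` argument so controller-gen emits a namespaced Role, e.g. `//+kubebuilder:rbac:groups=batch,namespace=catalogd-system,resources=jobs,verbs=create;get;list;watch`, and do the same for the two `pods` markers. `pods/log` is only read with `get`, so `list;watch` on it can be dropped.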
From 879e6736449418108d36b565a69bb21f5bc7c351 Mon Sep 17 00:00:00 2001 From: Bryce Palmer Date: Wed, 29 Mar 2023 15:53:46 -0400 Subject: [PATCH 2/4] fix incorrect tag Signed-off-by: Bryce Palmer --- config/manager/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index d6669ca5..cdf7f32f 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -5,4 +5,4 @@ kind: Kustomization images: - name: controller newName: docker.io/anik120/catalogsource-controller - newTag: manifests + newTag: latest From 630f2f7231288e198e10b47005cb24c814c3742a Mon Sep 17 00:00:00 2001 From: Bryce Palmer Date: Thu, 30 Mar 2023 11:18:21 -0400 Subject: [PATCH 3/4] revert storage-class Signed-off-by: Bryce Palmer --- config/etcd/etcd.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/etcd/etcd.yaml b/config/etcd/etcd.yaml index 9b401257..e3f32cee 100644 --- a/config/etcd/etcd.yaml +++ b/config/etcd/etcd.yaml @@ -63,7 +63,7 @@ spec: - metadata: name: etcd-data-dir annotations: - volume.beta.kubernetes.io/storage-class: local-path + volume.beta.kubernetes.io/storage-class: standard spec: accessModes: [ "ReadWriteOnce" ] resources: From 7a347fb46a4eb44bcc06796e2d7ba541c4623f5c Mon Sep 17 00:00:00 2001 From: Bryce Palmer Date: Fri, 31 Mar 2023 11:05:48 -0400 Subject: [PATCH 4/4] address review comments 
Signed-off-by: Bryce Palmer --- config/apiserver/apiserver.yaml | 8 +- config/apiserver/kustomization.yaml | 2 +- ...d.operatorframework.io_bundlemetadata.yaml | 98 ++++++++++++++++ ...d.operatorframework.io_catalogsources.yaml | 65 +++++++++++ ...atalogd.operatorframework.io_packages.yaml | 109 ++++++++++++++++++ config/crd/kustomization.yaml | 25 +--- config/crd/kustomizeconfig.yaml | 19 --- .../cainjection_in_bundlemetadata.yaml | 7 -- .../cainjection_in_catalogsources.yaml | 7 -- .../crd/patches/cainjection_in_packages.yaml | 7 -- .../patches/webhook_in_bundlemetadata.yaml | 16 --- .../patches/webhook_in_catalogsources.yaml | 16 --- config/crd/patches/webhook_in_packages.yaml | 16 --- config/default/kustomization.yaml | 27 ----- config/manager/kustomization.yaml | 2 +- config/manager/manager.yaml | 1 + config/rbac/role.yaml | 50 ++++---- .../samples/core_v1beta1_catalogsource.yaml | 2 +- pkg/apis/core/doc.go | 2 +- pkg/apis/core/v1beta1/bundlemetadata_types.go | 2 +- pkg/apis/core/v1beta1/catalogsource_types.go | 2 +- pkg/apis/core/v1beta1/doc.go | 2 +- pkg/apis/core/v1beta1/package_types.go | 2 +- pkg/apis/core/v1beta1/register.go | 2 +- pkg/apis/doc.go | 2 +- .../core/bundlemetadata_controller.go | 6 +- .../core/catalogsource_controller.go | 6 +- pkg/controllers/core/package_controller.go | 6 +- 28 files changed, 325 insertions(+), 184 deletions(-) create mode 100644 config/crd/bases/catalogd.operatorframework.io_bundlemetadata.yaml create mode 100644 config/crd/bases/catalogd.operatorframework.io_catalogsources.yaml create mode 100644 config/crd/bases/catalogd.operatorframework.io_packages.yaml delete mode 100644 config/crd/kustomizeconfig.yaml delete mode 100644 config/crd/patches/cainjection_in_bundlemetadata.yaml delete mode 100644 config/crd/patches/cainjection_in_catalogsources.yaml delete mode 100644 config/crd/patches/cainjection_in_packages.yaml delete mode 100644 config/crd/patches/webhook_in_bundlemetadata.yaml delete mode 100644 
config/crd/patches/webhook_in_catalogsources.yaml delete mode 100644 config/crd/patches/webhook_in_packages.yaml diff --git a/config/apiserver/apiserver.yaml b/config/apiserver/apiserver.yaml index 4958aefd..ee508fce 100644 --- a/config/apiserver/apiserver.yaml +++ b/config/apiserver/apiserver.yaml @@ -1,7 +1,7 @@ apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: - name: v1beta1.core.rukpak.io + name: v1beta1.catalogd.operatorframework.io labels: api: catalogd apiserver: "true" @@ -11,15 +11,17 @@ metadata: app.kubernetes.io/created-by: catalogd app.kubernetes.io/part-of: catalogd app.kubernetes.io/managed-by: kustomize + annotations: + # Have cert manager inject the caBundle field using the cert we created + cert-manager.io/inject-ca-from: catalogd-system/server-cert spec: version: v1beta1 - group: core.rukpak.io + group: catalogd.operatorframework.io groupPriorityMinimum: 2000 service: name: catalogd namespace: system versionPriority: 10 - caBundle: "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" --- apiVersion: apps/v1 kind: Deployment diff --git a/config/apiserver/kustomization.yaml b/config/apiserver/kustomization.yaml index d3eb5475..f6743b3a 100644 --- a/config/apiserver/kustomization.yaml +++ b/config/apiserver/kustomization.yaml @@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: apiserver - newName: docker.io/anik120/rukpak-packageserver + newName: quay.io/operator-framework/catalogd-server newTag: latest diff --git a/config/crd/bases/catalogd.operatorframework.io_bundlemetadata.yaml b/config/crd/bases/catalogd.operatorframework.io_bundlemetadata.yaml new file mode 100644 index 00000000..400bfd71 --- /dev/null +++ b/config/crd/bases/catalogd.operatorframework.io_bundlemetadata.yaml 
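Review bot: The new annotation `cert-manager.io/inject-ca-from: catalogd-system/server-cert` in config/apiserver/apiserver.yaml is a literal, while the `service` block of the same APIService uses `namespace: system` and relies on kustomize to rewrite it. If the overlay namespace changes, or the Certificate is renamed by `namePrefix`, cert-manager has nothing to inject and, with the static `caBundle` removed in this hunk, the aggregator would most likely fail TLS verification against the backend without any error at build time. The Certificate `server-cert` is not defined in the visible part of the patch, so confirm it exists in the rendered output. Deriving the value through kustomize, as the deleted cainjection patches did with `$(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)`, keeps the annotation and the Certificate in step.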
@@ -0,0 +1,98 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + name: bundlemetadata.catalogd.operatorframework.io +spec: + group: catalogd.operatorframework.io + names: + kind: BundleMetadata + listKind: BundleMetadataList + plural: bundlemetadata + singular: bundlemetadata + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: BundleMetadata + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BundleMetadataSpec defines the desired state of BundleMetadata + properties: + catalogSource: + description: CatalogSource is the name of the CatalogSource that provides + this bundle + type: string + image: + description: Image is a reference to the image that provides the bundle + contents + type: string + package: + description: Package is the name of the package that provides this + bundle + type: string + properties: + description: Properties is a string of references to property objects + that are part of the bundle + items: + description: 'TODO: In the future we should remove this in favor + of using `property.Property` from https://pkg.go.dev/github.com/operator-framework/operator-registry@v1.26.3/alpha/property#Property + This will likely require some changes to the `property.Property` + type to make it suitable for usage within the Spec for a CustomResource' + properties: + type: + type: string + value: + format: byte + type: string + required: + - type + - value + type: object + type: array + relatedImages: + description: RelatedImages are the RelatedImages in the bundle + items: + description: 'TODO: In the future we should remove this in favor + of using `model.RelatedImage` (or similar) from https://pkg.go.dev/github.com/operator-framework/operator-registry@v1.26.3/alpha/model#RelatedImage + This will likely require some changes to the `model.RelatedImage` + type to make it suitable for usage within the Spec for a CustomResource' + properties: + image: + type: string + name: + type: string + required: + - image + - name + type: object + type: array + required: + - catalogSource + - image + - package + - properties + - relatedImages + type: object + status: + description: BundleMetadataStatus defines the observed state of BundleMetadata + type: object + type: object + served: true + 
storage: true diff --git a/config/crd/bases/catalogd.operatorframework.io_catalogsources.yaml b/config/crd/bases/catalogd.operatorframework.io_catalogsources.yaml new file mode 100644 index 00000000..5a95aecf --- /dev/null +++ b/config/crd/bases/catalogd.operatorframework.io_catalogsources.yaml 
@@ -0,0 +1,65 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + name: catalogsources.catalogd.operatorframework.io +spec: + group: catalogd.operatorframework.io + names: + kind: CatalogSource + listKind: CatalogSourceList + plural: catalogsources + singular: catalogsource + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: CatalogSource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CatalogSourceSpec defines the desired state of CatalogSource + properties: + image: + description: Image is the Catalog image that contains Operators' metadata + in the FBC format https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + type: string + pollingInterval: + description: PollingInterval is used to determine the time interval + between checks of the latest index image version. The image is polled + to see if a new version of the image is available. If available, + the latest image is pulled and the cache is updated to contain the + new content. 
+ type: string + required: + - image + type: object + status: + description: CatalogSourceStatus defines the observed state of CatalogSource + properties: + latestImagePoll: + description: The last time the image has been polled to ensure the + image is up-to-date + format: date-time + type: string + required: + - latestImagePoll + type: object + type: object + served: true + storage: true diff --git a/config/crd/bases/catalogd.operatorframework.io_packages.yaml b/config/crd/bases/catalogd.operatorframework.io_packages.yaml new file mode 100644 index 00000000..4c03968e --- /dev/null +++ b/config/crd/bases/catalogd.operatorframework.io_packages.yaml 
@@ -0,0 +1,109 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + name: packages.catalogd.operatorframework.io +spec: + group: catalogd.operatorframework.io + names: + kind: Package + listKind: PackageList + plural: packages + singular: package + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: Package + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PackageSpec defines the desired state of Package + properties: + catalogSource: + description: CatalogSource is the name of the CatalogSource this package + belongs to + type: string + catalogSourceDisplayName: + type: string + catalogSourcePublisher: + type: string + channels: + description: Channels are the declared channels for the package, ala + `stable` or `alpha`. + items: + description: PackageChannel defines a single channel under a package, + pointing to a version of that package. 
+ properties: + entries: + description: Entries is all the channel entries within a channel + items: + properties: + name: + type: string + replaces: + type: string + skipRange: + type: string + skips: + items: + type: string + type: array + required: + - name + type: object + type: array + name: + description: Name is the name of the channel, e.g. `alpha` or + `stable` + type: string + required: + - entries + - name + type: object + type: array + defaultChannel: + description: DefaultChannel is, if specified, the name of the default + channel for the package. The default channel will be installed if + no other channel is explicitly given. If the package has a single + channel, then that channel is implicitly the default. + type: string + description: + description: Description is the description of the package + type: string + icon: + description: Icon is the Base64data image of the package for console + display + properties: + base64data: + type: string + mediatype: + type: string + type: object + required: + - catalogSource + - channels + - defaultChannel + - description + type: object + status: + description: PackageStatus defines the observed state of Package + type: object + type: object + served: true + storage: true diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index d20749c7..5d7c1db6 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml 
@@ -2,26 +2,7 @@ # since it depends on service name and namespace that are out of this kustomize package. # It should be run by config/default resources: -- bases/core.catalogd.io_bundlemetadata.yaml -- bases/core.catalogd.io_packages.yaml -- bases/core.catalogd.io_catalogsources.yaml +- bases/catalogd.operatorframework.io_bundlemetadata.yaml +- bases/catalogd.operatorframework.io_packages.yaml +- bases/catalogd.operatorframework.io_catalogsources.yaml #+kubebuilder:scaffold:crdkustomizeresource - -patches: -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. -# patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_bundlemetadata.yaml -#- patches/webhook_in_packages.yaml -#- patches/webhook_in_catalogsources.yaml -#+kubebuilder:scaffold:crdkustomizewebhookpatch - -# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_bundlemetadata.yaml -#- patches/cainjection_in_packages.yaml -#- patches/cainjection_in_catalogsources.yaml -#+kubebuilder:scaffold:crdkustomizecainjectionpatch - -# the following config is for teaching kustomize how to do kustomization for CRDs. -configurations: -- kustomizeconfig.yaml diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml deleted file mode 100644 index ec5c150a..00000000 --- a/config/crd/kustomizeconfig.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -# This file is for teaching kustomize how to substitute name and namespace reference in CRD -nameReference: -- kind: Service - version: v1 - fieldSpecs: - - kind: CustomResourceDefinition - version: v1 - group: apiextensions.k8s.io - path: spec/conversion/webhook/clientConfig/service/name - -namespace: -- kind: CustomResourceDefinition - version: v1 - group: apiextensions.k8s.io - path: spec/conversion/webhook/clientConfig/service/namespace - create: false - -varReference: -- path: metadata/annotations diff --git a/config/crd/patches/cainjection_in_bundlemetadata.yaml b/config/crd/patches/cainjection_in_bundlemetadata.yaml deleted file mode 100644 index 1195dc41..00000000 --- a/config/crd/patches/cainjection_in_bundlemetadata.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: bundlemetadata.core.rukpak.io diff --git a/config/crd/patches/cainjection_in_catalogsources.yaml b/config/crd/patches/cainjection_in_catalogsources.yaml deleted file mode 100644 index 16a6ab47..00000000 --- a/config/crd/patches/cainjection_in_catalogsources.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: catalogsources.core.rukpak.io diff --git a/config/crd/patches/cainjection_in_packages.yaml b/config/crd/patches/cainjection_in_packages.yaml deleted file mode 100644 index 498a5dd8..00000000 --- a/config/crd/patches/cainjection_in_packages.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: packages.core.rukpak.io diff --git a/config/crd/patches/webhook_in_bundlemetadata.yaml b/config/crd/patches/webhook_in_bundlemetadata.yaml deleted file mode 100644 index bdac0ec1..00000000 --- a/config/crd/patches/webhook_in_bundlemetadata.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bundlemetadata.core.rukpak.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/crd/patches/webhook_in_catalogsources.yaml b/config/crd/patches/webhook_in_catalogsources.yaml deleted file mode 100644 index c1397eba..00000000 --- a/config/crd/patches/webhook_in_catalogsources.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: catalogsources.core.rukpak.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/crd/patches/webhook_in_packages.yaml b/config/crd/patches/webhook_in_packages.yaml deleted file mode 100644 index 5bb59a4a..00000000 --- a/config/crd/patches/webhook_in_packages.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: packages.core.rukpak.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 0e883e44..9b6ad8ed 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -8,33 +8,6 @@ namespace: catalogd-system # field above. namePrefix: catalogd- -# Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- ../webhook -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -#- ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -#- ../prometheus - -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. - - - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. -# 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml - # the following config is for teaching kustomize how to do var substitution apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization 
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index cdf7f32f..8fde1561 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller - newName: docker.io/anik120/catalogsource-controller + newName: quay.io/operator-framework/catalogd-controller newTag: latest diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 15c4a600..bda5270a 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -98,5 +98,6 @@ spec: requests: cpu: 1000m memory: 200Mi + imagePullPolicy: IfNotPresent serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 60eafe06..76c2b05b 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -15,23 +15,7 @@ rules: - list - watch - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - list - - watch -- apiGroups: - - core.catalogd.io + - catalogd.operatorframework.io resources: - bundlemetadata verbs: @@ -43,13 +27,13 @@ rules: - update - watch - apiGroups: - - core.catalogd.io + - catalogd.operatorframework.io resources: - bundlemetadata/finalizers verbs: - update - apiGroups: - - core.catalogd.io + - catalogd.operatorframework.io resources: - bundlemetadata/status verbs: @@ -57,7 +41,7 @@ rules: - patch - update - apiGroups: - - core.catalogd.io + - catalogd.operatorframework.io resources: - catalogsources verbs: @@ -69,13 +53,13 @@ rules: - update - watch - apiGroups: - - core.catalogd.io + - catalogd.operatorframework.io resources: - catalogsources/finalizers verbs: - update - apiGroups: - - core.catalogd.io + - catalogd.operatorframework.io resources: - catalogsources/status verbs: 
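Review bot: The `imagePullPolicy: IfNotPresent` added in config/manager/manager.yaml combines badly with `newTag: latest`, which config/manager/kustomization.yaml keeps for the new quay.io image. A node that already holds a cached `latest` never pulls again, so the running controller is not tied to a known build and can differ between nodes. Pin the image in the kustomization to an immutable reference, for example `newTag: <release-tag>` or `digest: sha256:<image-digest>` (both placeholders), and keep `IfNotPresent` only alongside such a reference. The container spec this line belongs to starts outside the hunk.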
@@ -83,7 +67,7 @@ rules: - patch - update - apiGroups: - - core.catalogd.io + - catalogd.operatorframework.io resources: - packages verbs: @@ -95,16 +79,32 @@ rules: - update - watch - apiGroups: - - core.catalogd.io + - catalogd.operatorframework.io resources: - packages/finalizers verbs: - update - apiGroups: - - core.catalogd.io + - catalogd.operatorframework.io resources: - packages/status verbs: - get - patch - update +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch diff --git a/config/samples/core_v1beta1_catalogsource.yaml b/config/samples/core_v1beta1_catalogsource.yaml index 4e72b78c..b34f3750 100644 --- a/config/samples/core_v1beta1_catalogsource.yaml +++ b/config/samples/core_v1beta1_catalogsource.yaml @@ -1,4 +1,4 @@ -apiVersion: core.catalogd.io/v1beta1 +apiVersion: catalogd.operatorframework.io/v1beta1 kind: CatalogSource metadata: labels: diff --git a/pkg/apis/core/doc.go b/pkg/apis/core/doc.go index 1f5e4571..955ece26 100644 --- a/pkg/apis/core/doc.go +++ b/pkg/apis/core/doc.go @@ -15,7 +15,7 @@ limitations under the License. */ // +k8s:deepcopy-gen=package,register -// +groupName=core.catalogd.io +// +groupName=catalogd.operatorframework.io // Package api is the internal version of the API. package core diff --git a/pkg/apis/core/v1beta1/bundlemetadata_types.go b/pkg/apis/core/v1beta1/bundlemetadata_types.go index cd8d050f..660c5e1a 100644 --- a/pkg/apis/core/v1beta1/bundlemetadata_types.go +++ b/pkg/apis/core/v1beta1/bundlemetadata_types.go @@ -107,7 +107,7 @@ func (in *BundleMetadata) NewList() runtime.Object { func (in *BundleMetadata) GetGroupVersionResource() schema.GroupVersionResource { return schema.GroupVersionResource{ - Group: "core.catalogd.io", + Group: "catalogd.operatorframework.io", Version: "v1beta1", Resource: "bundlemetadata", } 
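Review bot: The group name `"catalogd.operatorframework.io"` is a string literal in `GetGroupVersionResource` here, and is repeated in the same method of catalogsource_types.go and package_types.go and in `AddToScheme` in register.go. This rename therefore had to touch each copy by hand, and a missed copy would register or address the wrong API group. A single package-level constant would remove that risk, e.g. `const GroupName = "catalogd.operatorframework.io"` used as `Group: GroupName`; the hunks do not show whether the package already declares one. The `+groupName` markers in the doc.go files would still need to be kept in step manually. The method body continues outside the hunk.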
diff --git a/pkg/apis/core/v1beta1/catalogsource_types.go b/pkg/apis/core/v1beta1/catalogsource_types.go index 59fe84af..2387ec98 100644 --- a/pkg/apis/core/v1beta1/catalogsource_types.go +++ b/pkg/apis/core/v1beta1/catalogsource_types.go @@ -85,7 +85,7 @@ func (in *CatalogSource) NewList() runtime.Object { func (in *CatalogSource) GetGroupVersionResource() schema.GroupVersionResource { return schema.GroupVersionResource{ - Group: "core.catalogd.io", + Group: "catalogd.operatorframework.io", Version: "v1beta1", Resource: "catalogsources", } diff --git a/pkg/apis/core/v1beta1/doc.go b/pkg/apis/core/v1beta1/doc.go index e7803629..ba44f0f2 100644 --- a/pkg/apis/core/v1beta1/doc.go +++ b/pkg/apis/core/v1beta1/doc.go @@ -22,5 +22,5 @@ limitations under the License. // +k8s:deepcopy-gen=package,register // +k8s:conversion-gen=github.com/operator-framework/catalogd/pkg/apis/core // +k8s:defaulter-gen=TypeMeta -// +groupName=core.catalogd.io +// +groupName=catalogd.operatorframework.io package v1beta1 // import "github.com/operator-framework/catalogd/pkg/apis/core/v1beta1" diff --git a/pkg/apis/core/v1beta1/package_types.go b/pkg/apis/core/v1beta1/package_types.go index f62c0ceb..9ac12837 100644 --- a/pkg/apis/core/v1beta1/package_types.go +++ b/pkg/apis/core/v1beta1/package_types.go @@ -122,7 +122,7 @@ func (in *Package) NewList() runtime.Object { func (in *Package) GetGroupVersionResource() schema.GroupVersionResource { return schema.GroupVersionResource{ - Group: "core.catalogd.io", + Group: "catalogd.operatorframework.io", Version: "v1beta1", Resource: "packages", } diff --git a/pkg/apis/core/v1beta1/register.go b/pkg/apis/core/v1beta1/register.go index 8186764c..531c4772 100644 --- a/pkg/apis/core/v1beta1/register.go +++ b/pkg/apis/core/v1beta1/register.go 
@@ -24,7 +24,7 @@ import ( var AddToScheme = func(scheme *runtime.Scheme) error { gv := schema.GroupVersion{ - Group: "core.catalogd.io", + Group: "catalogd.operatorframework.io", Version: "v1beta1", } metav1.AddToGroupVersion(scheme, gv) diff --git a/pkg/apis/doc.go b/pkg/apis/doc.go index 77ab342f..3b7ad4cd 100644 --- a/pkg/apis/doc.go +++ b/pkg/apis/doc.go @@ -17,6 +17,6 @@ limitations under the License. //go:generate apiregister-gen --input-dirs ./... -h ../../boilerplate.go.txt // -// +domain=catalogd.io +// +domain=operatorframework.io package apis diff --git a/pkg/controllers/core/bundlemetadata_controller.go b/pkg/controllers/core/bundlemetadata_controller.go index efb8c7e3..0c5d9149 100644 --- a/pkg/controllers/core/bundlemetadata_controller.go +++ b/pkg/controllers/core/bundlemetadata_controller.go @@ -33,9 +33,9 @@ type BundleMetadataReconciler struct { Scheme *runtime.Scheme } -//+kubebuilder:rbac:groups=core.catalogd.io,resources=bundlemetadata,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=core.catalogd.io,resources=bundlemetadata/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=core.catalogd.io,resources=bundlemetadata/finalizers,verbs=update +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=bundlemetadata,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=bundlemetadata/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=bundlemetadata/finalizers,verbs=update // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/pkg/controllers/core/catalogsource_controller.go b/pkg/controllers/core/catalogsource_controller.go index c71b5c3a..6e1a3460 100644 --- a/pkg/controllers/core/catalogsource_controller.go +++ b/pkg/controllers/core/catalogsource_controller.go 
@@ -47,9 +47,9 @@ type CatalogSourceReconciler struct { OpmImage string } -//+kubebuilder:rbac:groups=core.catalogd.io,resources=catalogsources,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=core.catalogd.io,resources=catalogsources/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=core.catalogd.io,resources=catalogsources/finalizers,verbs=update +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogsources,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogsources/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogsources/finalizers,verbs=update //+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch //+kubebuilder:rbac:groups=core,resources=pods/log,verbs=get;list;watch //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;get;list;watch diff --git a/pkg/controllers/core/package_controller.go b/pkg/controllers/core/package_controller.go index 652b2de6..38d61f12 100644 --- a/pkg/controllers/core/package_controller.go +++ b/pkg/controllers/core/package_controller.go 
@@ -33,9 +33,9 @@ type PackageReconciler struct { Scheme *runtime.Scheme } -//+kubebuilder:rbac:groups=core.catalogd.io,resources=packages,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=core.catalogd.io,resources=packages/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=core.catalogd.io,resources=packages/finalizers,verbs=update +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=packages,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=packages/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=packages/finalizers,verbs=update // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state.