From ce9089558281c457da84b0e6262cac0bf95c2e01 Mon Sep 17 00:00:00 2001 
From: Steve Scaffidi Date: Mon, 14 Oct 2024 22:20:07 -0400 Subject: [PATCH] random other things --- ...stio-fortsa-cm-metrics-svc_v1_service.yaml | 19 ++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 13 ++ .../istio-fortsa.clusterserviceversion.yaml | 175 +++++++++++++++++- bundle/metadata/annotations.yaml | 4 + bundle/tests/scorecard/config.yaml | 70 +++++++ chart/istio-fortsa/.helmignore | 23 +++ chart/istio-fortsa/Chart.yaml | 21 +++ chart/istio-fortsa/templates/_helpers.tpl | 62 +++++++ .../templates/cm-metrics-svc.yaml | 14 ++ chart/istio-fortsa/templates/deployment.yaml | 66 +++++++ .../templates/leader-election-rbac.yaml | 53 ++++++ .../istio-fortsa/templates/manager-rbac.yaml | 61 ++++++ .../templates/metrics-reader-rbac.yaml | 11 ++ chart/istio-fortsa/templates/proxy-rbac.yaml | 34 ++++ .../templates/serviceaccount.yaml | 8 + chart/istio-fortsa/values.yaml | 55 ++++++ config/manager/kustomization.yaml | 4 +- config/manager/manager.yaml | 2 +- config/rbac/role.yaml | 54 +----- ...ation_v1_mutatingwebhookconfiguration.yaml | 1 + config/samples/core_v1_namespace.yaml | 1 + config/samples/core_v1_pod.yaml | 1 + config/samples/kustomization.yaml | 3 +- 23 files changed, 696 insertions(+), 59 deletions(-) create mode 100644 bundle/manifests/istio-fortsa-cm-metrics-svc_v1_service.yaml create mode 100644 bundle/manifests/istio-fortsa-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/tests/scorecard/config.yaml create mode 100644 chart/istio-fortsa/.helmignore create mode 100644 chart/istio-fortsa/Chart.yaml create mode 100644 chart/istio-fortsa/templates/_helpers.tpl create mode 100644 chart/istio-fortsa/templates/cm-metrics-svc.yaml create mode 100644 chart/istio-fortsa/templates/deployment.yaml create mode 100644 chart/istio-fortsa/templates/leader-election-rbac.yaml create mode 100644 chart/istio-fortsa/templates/manager-rbac.yaml create mode 100644 chart/istio-fortsa/templates/metrics-reader-rbac.yaml create mode 100644 
chart/istio-fortsa/templates/proxy-rbac.yaml create mode 100644 chart/istio-fortsa/templates/serviceaccount.yaml create mode 100644 chart/istio-fortsa/values.yaml create mode 100644 config/samples/admissionregistration_v1_mutatingwebhookconfiguration.yaml create mode 100644 config/samples/core_v1_namespace.yaml create mode 100644 config/samples/core_v1_pod.yaml diff --git a/bundle/manifests/istio-fortsa-cm-metrics-svc_v1_service.yaml b/bundle/manifests/istio-fortsa-cm-metrics-svc_v1_service.yaml new file mode 100644 index 0000000..bc69761 --- /dev/null +++ b/bundle/manifests/istio-fortsa-cm-metrics-svc_v1_service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: istio-fortsa + control-plane: controller-manager + name: istio-fortsa-cm-metrics-svc +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager +status: + loadBalancer: {} diff --git a/bundle/manifests/istio-fortsa-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/istio-fortsa-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 0000000..2b5940f --- /dev/null +++ b/bundle/manifests/istio-fortsa-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: istio-fortsa + name: istio-fortsa-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get diff --git a/bundle/manifests/istio-fortsa.clusterserviceversion.yaml b/bundle/manifests/istio-fortsa.clusterserviceversion.yaml index 3a43f79..74faa94 100644 --- a/bundle/manifests/istio-fortsa.clusterserviceversion.yaml +++ b/bundle/manifests/istio-fortsa.clusterserviceversion.yaml 
@@ -4,10 +4,10 @@ metadata: annotations: alm-examples: '[]' capabilities: Basic Install - createdAt: "2024-09-20T12:49:41Z" + createdAt: "2024-10-15T02:19:39Z" operators.operatorframework.io/builder: operator-sdk-v1.36.1 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 - name: istio-fortsa.v0.0.3 + name: istio-fortsa.v0.0.4 namespace: placeholder spec: apiservicedefinitions: {} 
@@ -19,7 +19,173 @@ spec: mediatype: "" install: spec: - deployments: [] + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - mutatingwebhookconfigurations + - namespaces + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - mutatingwebhookconfigurations/finalizers + - namespaces/finalizers + - pods/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - mutatingwebhookconfigurations/status + - namespaces/status + - pods/status + verbs: + - get + - patch + - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + serviceAccountName: istio-fortsa-controller-manager + deployments: + - label: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: istio-fortsa + control-plane: controller-manager + name: istio-fortsa-controller-manager + spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + strategy: {} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /istio-fortsa + image: ghcr.io/hercynium/istio-fortsa:0.0.4 + livenessProbe: + httpGet: + path: /healthz 
+ port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + serviceAccountName: istio-fortsa-controller-manager + terminationGracePeriodSeconds: 10 + permissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: istio-fortsa-controller-manager strategy: deployment installModes: - supported: false @@ -36,6 +202,7 @@ spec: - name: Istio Fortsa url: https://istio-fortsa.domain maturity: alpha + minKubeVersion: 1.24.0 provider: name: istio-fortza - version: 0.0.3 + version: 0.0.4 diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index 49192b6..08aeb8b 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml @@ -8,3 +8,7 @@ annotations: operators.operatorframework.io.metrics.builder: operator-sdk-v1.36.1 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4 + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ diff --git a/bundle/tests/scorecard/config.yaml b/bundle/tests/scorecard/config.yaml new file mode 100644 index 0000000..b020daf --- /dev/null +++ b/bundle/tests/scorecard/config.yaml 
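Review bot: The `clusterPermissions` rules added under `install.spec` list `mutatingwebhookconfigurations` (and the `/finalizers` and `/status` forms) under `apiGroups: [""]`, but that resource belongs to `admissionregistration.k8s.io`, as the commit's own sample filename `admissionregistration_v1_mutatingwebhookconfiguration.yaml` reflects; a rule scoped to the core group grants nothing for it, so the manager will be denied access to webhook configurations at runtime. The same grouping is repeated in `chart/istio-fortsa/templates/manager-rbac.yaml` and on the new side of `config/rbac/role.yaml`, and since those files look generated from the controller's rbac markers (project layout `go.kubebuilder.io/v4`), the fix presumably belongs in the marker (`groups=admissionregistration.k8s.io`) followed by a regenerate, producing a separate rule of the form `- apiGroups:` / `  - admissionregistration.k8s.io` / `  resources: [mutatingwebhookconfigurations]`. While regenerating, it is worth confirming whether the manager really needs create/delete/patch/update on webhook configurations cluster-wide rather than get/list/watch, because write access to mutating webhooks lets the holder intercept every admission request in the cluster.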
@@ -0,0 +1,70 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: olm + test: olm-bundle-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: olm + test: olm-crds-have-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-resources + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: olm + test: olm-crds-have-resources-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: olm + test: olm-spec-descriptors-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-status-descriptors + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: olm + test: olm-status-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {} diff --git a/chart/istio-fortsa/.helmignore b/chart/istio-fortsa/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/chart/istio-fortsa/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/chart/istio-fortsa/Chart.yaml b/chart/istio-fortsa/Chart.yaml new file mode 100644 index 0000000..9000753 --- /dev/null +++ b/chart/istio-fortsa/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +name: istio-fortsa +description: A Helm chart for Kubernetes +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.1.0" diff --git a/chart/istio-fortsa/templates/_helpers.tpl b/chart/istio-fortsa/templates/_helpers.tpl new file mode 100644 index 0000000..5283353 --- /dev/null +++ b/chart/istio-fortsa/templates/_helpers.tpl 
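Review bot: `appVersion: "0.1.0"` in Chart.yaml does not match the application version this commit ships everywhere else (`0.0.4` in the ClusterServiceVersion, `config/manager/kustomization.yaml` and `chart/istio-fortsa/values.yaml`), and `templates/deployment.yaml` uses `.Chart.AppVersion` as the fallback image tag whenever `image.tag` is left empty, so clearing the tag would make the chart pull a tag that may not exist. Set `appVersion: "0.0.4"` and keep it in step with the values file on each release. The `description: A Helm chart for Kubernetes` line is the `helm create` placeholder and should state what the chart actually installs.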
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "istio-fortsa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio-fortsa.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio-fortsa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "istio-fortsa.labels" -}} +helm.sh/chart: {{ include "istio-fortsa.chart" . }} +{{ include "istio-fortsa.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "istio-fortsa.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio-fortsa.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio-fortsa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "istio-fortsa.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/chart/istio-fortsa/templates/cm-metrics-svc.yaml b/chart/istio-fortsa/templates/cm-metrics-svc.yaml new file mode 100644 index 0000000..d2dbeab --- /dev/null +++ b/chart/istio-fortsa/templates/cm-metrics-svc.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "istio-fortsa.fullname" . }}-cm-metrics-svc + labels: + control-plane: controller-manager + {{- include "istio-fortsa.labels" . | nindent 4 }} +spec: + type: {{ .Values.cmMetricsSvc.type }} + selector: + control-plane: controller-manager + {{- include "istio-fortsa.selectorLabels" . | nindent 4 }} + ports: + {{- .Values.cmMetricsSvc.ports | toYaml | nindent 2 }} \ No newline at end of file diff --git a/chart/istio-fortsa/templates/deployment.yaml b/chart/istio-fortsa/templates/deployment.yaml new file mode 100644 index 0000000..e37751f --- /dev/null +++ b/chart/istio-fortsa/templates/deployment.yaml 
@@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "istio-fortsa.fullname" . }}-controller-manager + labels: + control-plane: controller-manager + {{- include "istio-fortsa.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.controllerManager.replicas }} + selector: + matchLabels: + control-plane: controller-manager + {{- include "istio-fortsa.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + control-plane: controller-manager + {{- include "istio-fortsa.selectorLabels" . | nindent 8 }} + annotations: + kubectl.kubernetes.io/default-container: manager + spec: + containers: + - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }} + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ quote .Values.kubernetesClusterDomain }} + image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag + | default .Chart.AppVersion }} + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent + 10 }} + securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext + | nindent 10 }} + - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }} + command: + - /istio-fortsa + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ quote .Values.kubernetesClusterDomain }} + image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag + | default .Chart.AppVersion }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10 + }} + securityContext: {{- toYaml 
.Values.controllerManager.manager.containerSecurityContext + | nindent 10 }} + securityContext: {{- toYaml .Values.controllerManager.podSecurityContext | nindent + 8 }} + serviceAccountName: {{ include "istio-fortsa.fullname" . }}-controller-manager + terminationGracePeriodSeconds: 10 \ No newline at end of file diff --git a/chart/istio-fortsa/templates/leader-election-rbac.yaml b/chart/istio-fortsa/templates/leader-election-rbac.yaml new file mode 100644 index 0000000..2e2568a --- /dev/null +++ b/chart/istio-fortsa/templates/leader-election-rbac.yaml @@ -0,0 +1,53 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "istio-fortsa.fullname" . }}-leader-election-role + labels: + {{- include "istio-fortsa.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "istio-fortsa.fullname" . }}-leader-election-rolebinding + labels: + {{- include "istio-fortsa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: '{{ include "istio-fortsa.fullname" . }}-leader-election-role' +subjects: +- kind: ServiceAccount + name: '{{ include "istio-fortsa.fullname" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/chart/istio-fortsa/templates/manager-rbac.yaml b/chart/istio-fortsa/templates/manager-rbac.yaml new file mode 100644 index 0000000..1694e17 --- /dev/null +++ b/chart/istio-fortsa/templates/manager-rbac.yaml 
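Review bot: deployment.yaml hard-codes the kube-rbac-proxy `containerPort: 8443` and the probe `port: 8081` while the addresses those ports come from are read from `.Values.controllerManager.kubeRbacProxy.args` and `.Values.controllerManager.manager.args`, so a user who overrides `--secure-listen-address` or `--health-probe-bind-address` in values ends up with a Service and probes pointing at the old ports. Either derive the ports from values next to the args or add a comment above each args line, e.g. `# NOTE: the listen/probe addresses here must match the containerPort and probe ports below`. The image expressions split across two lines (`{{ ... .image.tag` / `| default .Chart.AppVersion }}`) render correctly because Go templating runs before YAML parsing, but they are hard for YAML-aware tooling to read; keeping each expression on one line, or quoting the value, makes the template easier to lint before rendering.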
@@ -0,0 +1,61 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "istio-fortsa.fullname" . }}-manager-role + labels: + {{- include "istio-fortsa.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - mutatingwebhookconfigurations + - namespaces + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - mutatingwebhookconfigurations/finalizers + - namespaces/finalizers + - pods/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - mutatingwebhookconfigurations/status + - namespaces/status + - pods/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "istio-fortsa.fullname" . }}-manager-rolebinding + labels: + {{- include "istio-fortsa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "istio-fortsa.fullname" . }}-manager-role' +subjects: +- kind: ServiceAccount + name: '{{ include "istio-fortsa.fullname" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/chart/istio-fortsa/templates/metrics-reader-rbac.yaml b/chart/istio-fortsa/templates/metrics-reader-rbac.yaml new file mode 100644 index 0000000..0234344 --- /dev/null +++ b/chart/istio-fortsa/templates/metrics-reader-rbac.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "istio-fortsa.fullname" . }}-metrics-reader + labels: + {{- include "istio-fortsa.labels" . | nindent 4 }} +rules: +- nonResourceURLs: + - /metrics + verbs: + - get \ No newline at end of file diff --git a/chart/istio-fortsa/templates/proxy-rbac.yaml b/chart/istio-fortsa/templates/proxy-rbac.yaml new file mode 100644 index 0000000..19cf9d7 --- /dev/null 
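Review bot: The leader-election Role grants create/update/patch/delete on `configmaps` in the release namespace in addition to `leases`; the manager is started with `--leader-elect` only, and if it uses controller-runtime's default lease-based lock (the lock type is not visible in the diff) the configmaps rule is unused privilege that still lets the controller read and rewrite every ConfigMap in the namespace. If that is the case, drop the `configmaps` rule here and in the matching `permissions` block of the ClusterServiceVersion; if the lock really is a configmap-backed or multi-resource lock, a comment above the rule such as `# configmaps: required by the leader-election resource lock in use` would document why it stays.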
+++ b/chart/istio-fortsa/templates/proxy-rbac.yaml @@ -0,0 +1,34 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "istio-fortsa.fullname" . }}-proxy-role + labels: + {{- include "istio-fortsa.labels" . | nindent 4 }} +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "istio-fortsa.fullname" . }}-proxy-rolebinding + labels: + {{- include "istio-fortsa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "istio-fortsa.fullname" . }}-proxy-role' +subjects: +- kind: ServiceAccount + name: '{{ include "istio-fortsa.fullname" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/chart/istio-fortsa/templates/serviceaccount.yaml b/chart/istio-fortsa/templates/serviceaccount.yaml new file mode 100644 index 0000000..4fc5db9 --- /dev/null +++ b/chart/istio-fortsa/templates/serviceaccount.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "istio-fortsa.fullname" . }}-controller-manager + labels: + {{- include "istio-fortsa.labels" . | nindent 4 }} + annotations: + {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }} \ No newline at end of file diff --git a/chart/istio-fortsa/values.yaml b/chart/istio-fortsa/values.yaml new file mode 100644 index 0000000..2f4d8bb --- /dev/null +++ b/chart/istio-fortsa/values.yaml 
@@ -0,0 +1,55 @@ +cmMetricsSvc: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + type: ClusterIP +controllerManager: + kubeRbacProxy: + args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + image: + repository: gcr.io/kubebuilder/kube-rbac-proxy + tag: v0.16.0 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + manager: + args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + image: + repository: ghcr.io/hercynium/istio-fortsa + tag: 0.0.4 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + podSecurityContext: + runAsNonRoot: true + replicas: 1 + serviceAccount: + annotations: {} +kubernetesClusterDomain: cluster.local diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index ad13e96..25df5d4 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller - newName: controller - newTag: latest + newName: ghcr.io/hercynium/istio-fortsa + newTag: 0.0.4 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index fb05164..8672bf2 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -59,7 +59,7 @@ spec: # type: RuntimeDefault containers: - command: - - /manager + - /istio-fortsa args: - --leader-elect image: controller:latest diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 07d4f57..e4dcdfc 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
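Review bot: `controllerManager.podSecurityContext` sets only `runAsNonRoot: true` and neither container's `containerSecurityContext` sets a `seccompProfile`, so the chart defaults fall short of the restricted Pod Security Standard even though capabilities are dropped and privilege escalation is disabled; the scaffolded `config/manager/manager.yaml` touched in this same commit still carries the seccomp `# type: RuntimeDefault` line commented out. Adding `seccompProfile: {type: RuntimeDefault}` to `podSecurityContext` closes that gap, and `readOnlyRootFilesystem: true` on both containers is worthwhile extra hardening if the manager binary does not write to its root filesystem (the diff does not show whether it does). The sidecar image is `gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0`; upstream Kubebuilder has deprecated that sidecar and announced the end of publishing under `gcr.io/kubebuilder`, so confirm the image still resolves and consider pinning both images by digest so releases stay reproducible.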
@@ -15,57 +15,7 @@ rules: - "" resources: - mutatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - mutatingwebhookconfigurations/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - mutatingwebhookconfigurations/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - namespaces - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - namespaces/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - namespaces/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - pods verbs: - create @@ -78,12 +28,16 @@ rules: - apiGroups: - "" resources: + - mutatingwebhookconfigurations/finalizers + - namespaces/finalizers - pods/finalizers verbs: - update - apiGroups: - "" resources: + - mutatingwebhookconfigurations/status + - namespaces/status - pods/status verbs: - get diff --git a/config/samples/admissionregistration_v1_mutatingwebhookconfiguration.yaml b/config/samples/admissionregistration_v1_mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/config/samples/admissionregistration_v1_mutatingwebhookconfiguration.yaml @@ -0,0 +1 @@ +--- diff --git a/config/samples/core_v1_namespace.yaml b/config/samples/core_v1_namespace.yaml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/config/samples/core_v1_namespace.yaml @@ -0,0 +1 @@ +--- diff --git a/config/samples/core_v1_pod.yaml b/config/samples/core_v1_pod.yaml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/config/samples/core_v1_pod.yaml @@ -0,0 +1 @@ +--- diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml index 25431ea..c87d378 100644 --- a/config/samples/kustomization.yaml +++ b/config/samples/kustomization.yaml 
@@ -1,7 +1,6 @@ ## Append samples you want in your CSV to this file as resources ## resources: - core_v1_pod.yaml -- core_v1_mutatingwebhookconfiguration.yaml +- admissionregistration_v1_mutatingwebhookconfiguration.yaml - core_v1_namespace.yaml -- _v1_pod.yaml #+kubebuilder:scaffold:manifestskustomizesamples