diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml index 6f5297f..c53a900 100644 --- a/.github/workflows/pr-check.yml +++ b/.github/workflows/pr-check.yml @@ -30,7 +30,7 @@ jobs: - name: Checkout source code uses: actions/checkout@v3 - name: Build image - run: docker build -f build/Dockerfile . + run: docker build -f build/Dockerfile --build-arg SKIP_TESTS=true . scorecard: runs-on: ubuntu-22.04 steps: diff --git a/Makefile b/Makefile index 61a30fe..3b9c661 100644 --- a/Makefile +++ b/Makefile @@ -5,12 +5,16 @@ # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) VERSION ?= 1.0.6 +ifneq (,$(shell which kubectl 2>/dev/null)$(shell which oc 2>/dev/null)) + include build/make/deploy.mk +endif + # Add silent flag for all commands by default ifndef VERBOSE MAKEFLAGS += --silent endif -PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) +PROJECT_DIR := $(shell pwd) CHECLUSTER_CRD_PATH = "$(PROJECT_DIR)/config/crd/bases/che.eclipse.org_kubernetesimagepullers.yaml" # CHANNEL define the bundle package name @@ -19,6 +23,9 @@ PACKAGE = kubernetes-imagepuller-operator # CHANNEL define the bundle channel CHANNEL = stable +# DEPLOYMENT_DIR defines the directory where the deployment manifests are generated +DEPLOYMENT_DIR=$(PROJECT_DIR)/deploy/deployment + # IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images. # This variable is used to construct full image tags for bundle and catalog images. IMAGE_TAG_BASE ?= quay.io/eclipse/kubernetes-image-puller-operator 
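Review bot: With `--build-arg SKIP_TESTS=true` the PR image build no longer runs `make test`, so unless another job in pr-check.yml runs the suite (the rest of the workflow is outside this hunk) the webhook tests added in this same commit never execute on pull requests. If the intent is that a separate, faster job covers them, say so next to the build step, e.g. `# unit/envtest suite runs in the <test-job> job; the image build only compiles`, so the next reader does not assume the image build is the gate.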
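Review bot: `PROJECT_DIR := $(shell pwd)` replaces a value derived from `$(MAKEFILE_LIST)`, so `make -C <dir>` or `make -f path/Makefile` invoked from another directory now computes the wrong project root, and `CHECLUSTER_CRD_PATH` and the `DEPLOYMENT_DIR` added in the next hunk inherit that; `$(CURDIR)` gives the same value as `pwd` without a fork, and the previous `$(abspath $(lastword $(MAKEFILE_LIST)))` form was the more robust of the two. The new include guard runs two `$(shell which …)` probes at parse time on every invocation, and the included build/make/deploy.mk (later in this diff) then probes the cluster with `api-resources` at parse time as well, so even `make fmt` round-trips to the cluster whenever kubectl is on PATH. Gating the include on the requested goals avoids that, e.g. `ifneq (,$(filter install uninstall deploy undeploy,$(MAKECMDGOALS)))`. `DEPLOYMENT_DIR=…` in the following hunk also uses plain `=` where its neighbours use `?=`; `DEPLOYMENT_DIR ?=` would let users relocate the output like the other knobs.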
@@ -94,13 +101,13 @@ run: manifests generate fmt vet ## Run a controller from your host.
 ##@ Development
 docker-build: ## Build docker image with the manager.
- docker build --no-cache -t ${IMG} -f build/Dockerfile .
+ $(IMAGE_TOOL) build --no-cache -t ${IMG} -f build/Dockerfile .
 docker-push: ## Push docker image with the manager.
- docker push ${IMG}
+ $(IMAGE_TOOL) push ${IMG}
 manifests: download-controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
- $(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+ $(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=manager-role paths="./..." output:crd:artifacts:config=config/crd/bases
 # remove yaml delimitier, which makes OLM catalog source image broken.
 sed -i '/---/d' "$(CHECLUSTER_CRD_PATH)"
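Review bot: The `manifests` recipe drops the `webhook` generator from the controller-gen invocation in the same commit that adds a `// +kubebuilder:webhook:…` marker to api/v1alpha1/kubernetesimagepuller_webhook.go, so that marker is no longer consumed by anything and config/webhook must now be maintained by hand. Either keep `webhook` in the argument list, or remove the marker and state in a comment above the target that the ValidatingWebhookConfiguration is hand-maintained; as written, the target's `##` help text still promises "Generate WebhookConfiguration", which is no longer true. `$(IMAGE_TOOL)` is not defined in any visible hunk; if it has no default elsewhere in the file, `docker-build` expands to a bare ` build …` and fails with an unhelpful "command not found", so an `IMAGE_TOOL ?= docker` next to the other `?=` knobs is worth adding or confirming.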
@@ -117,26 +124,38 @@ vet: ## Run go vet against code. go vet ./... ENVTEST_ASSETS_DIR=$(shell pwd)/testbin +test: SHELL := /bin/bash test: manifests generate fmt vet ## Run tests. mkdir -p ${ENVTEST_ASSETS_DIR} test -f ${ENVTEST_ASSETS_DIR}/setup-envtest.sh || curl -sSLo ${ENVTEST_ASSETS_DIR}/setup-envtest.sh https://raw.githubusercontent.com/kubernetes-sigs/controller-runtime/v0.8.3/hack/setup-envtest.sh source ${ENVTEST_ASSETS_DIR}/setup-envtest.sh; fetch_envtest_tools $(ENVTEST_ASSETS_DIR); setup_envtest_env $(ENVTEST_ASSETS_DIR); go test ./... -coverprofile cover.out -install: manifests download-kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/crd | kubectl apply -f - - -uninstall: manifests download-kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/crd | kubectl delete -f - - -deploy: manifests download-kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. 
+# Set a new operator image for kustomize +kustomize-operator-image: download-kustomize cd "$(PROJECT_DIR)/config/manager" $(KUSTOMIZE) edit set image quay.io/eclipse/kubernetes-image-puller-operator:next=$(IMG) cd "$(PROJECT_DIR)" - $(KUSTOMIZE) build config/default | kubectl apply -f - +gen-deployment: download-kustomize + rm -rf $(DEPLOYMENT_DIR) + for TARGET_PLATFORM in kubernetes openshift; do + PLATFORM_DIR=$(DEPLOYMENT_DIR)/$${TARGET_PLATFORM} + OBJECTS_DIR=$${PLATFORM_DIR}/objects + + mkdir -p $${OBJECTS_DIR} + + COMBINED_FILENAME=$${PLATFORM_DIR}/combined.yaml + $(KUSTOMIZE) build config/$${TARGET_PLATFORM} | cat > $${COMBINED_FILENAME} - + + # Split the giant files output by kustomize per-object + csplit -s -f "temp" --suppress-matched "$${COMBINED_FILENAME}" '/^---$$/' '{*}' + for file in temp??; do + name_kind=$$(yq -r '"\(.metadata.name).\(.kind)"' "$${file}") + mv "$${file}" "$${OBJECTS_DIR}/$${name_kind}.yaml" + done -undeploy: download-kustomize ## Undeploy controller from the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/default | kubectl delete -f - + echo "[INFO] Deployments resources generated into $${PLATFORM_DIR}" + done compile: binary="$(BINARY)" @@ -157,7 +176,7 @@ bundle: generate manifests download-kustomize download-operator-sdk ## Generate BUNDLE_PATH=$$($(MAKE) bundle-path) - $(KUSTOMIZE) build config/manifests | \ + $(KUSTOMIZE) build config/openshift/olm | \ $(OPERATOR_SDK) generate bundle \ --quiet \ --overwrite \ 
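Review bot: `gen-deployment` runs `csplit -s -f "temp"` in the project root and then moves every `temp??` file it finds, so pre-existing `temp??` files in the checkout are swept into the objects directory and two concurrent invocations clobber each other; derive the prefix from the per-platform directory instead, `csplit -s -f "$${OBJECTS_DIR}/temp" …` and `for file in "$${OBJECTS_DIR}"/temp??; do`. The new `deploy: manifests kustomize-operator-image gen-deployment` in deploy.mk does not order its prerequisites under `make -j`, so `gen-deployment` can emit manifests before `kustomize-operator-image` has set `$(IMG)`; `gen-deployment` should list `kustomize-operator-image` as its own prerequisite. `rm -rf $(DEPLOYMENT_DIR)` is unguarded and the value is built from `$(shell pwd)`, so a cheap `$(if $(strip $(DEPLOYMENT_DIR)),,$(error DEPLOYMENT_DIR is empty))` before it is worthwhile. The multi-line `for … done` body with shell variables spanning recipe lines only works if `.ONESHELL:` is in effect (the `bundle` target's use of `$${CSV_PATH}` across lines suggests it is, but the declaration is outside this diff); a one-line comment above the rule naming that dependency would help.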
@@ -169,7 +188,8 @@ bundle: generate manifests download-kustomize download-operator-sdk ## Generate CSV_PATH=$$($(MAKE) csv-path) yq -riY '.metadata.annotations.containerImage = "'$(IMG)'"' $${CSV_PATH} - yq -riY '.spec.install.spec.deployments[0].spec.template.spec.containers[1].image = "'$(IMG)'"' $${CSV_PATH} + # Update container image for container 'kuebrnetes-image-puller-operator' in the list of deployments + yq -riY '.spec.install.spec.deployments[0].spec.template.spec.containers[] |= (select(.name == "kubernetes-image-puller-operator") .image |= "'$(IMG)'")' $${CSV_PATH} # Copy bundle.Dockerfile to the bundle dir # Update paths (since it is created in the root of the project) and labels diff --git a/PROJECT b/PROJECT index 22ae6e0..6d330dc 100644 --- a/PROJECT +++ b/PROJECT @@ -1,4 +1,4 @@ -domain: eclipse.che +domain: eclipse.org layout: - go.kubebuilder.io/v3 plugins: @@ -16,4 +16,8 @@ resources: kind: KubernetesImagePuller path: github.com/che-incubator/kubernetes-image-puller-operator/api/v1alpha1 version: v1alpha1 + webhooks: + defaulting: true + validation: true + webhookVersion: v1 version: "3" diff --git a/api/v1alpha1/kubernetesimagepuller_webhook.go b/api/v1alpha1/kubernetesimagepuller_webhook.go new file mode 100644 index 0000000..6c726af --- /dev/null +++ b/api/v1alpha1/kubernetesimagepuller_webhook.go 
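Review bot: The new comment misspells the container name as `kuebrnetes-image-puller-operator` while the yq selector directly below matches `kubernetes-image-puller-operator`, so anyone grepping for the name will miss it; suggest `# Set the image of the 'kubernetes-image-puller-operator' container in the CSV's first deployment`. Selecting by name is an improvement over the old `containers[1]` index, but if the container is ever renamed the `select()` matches nothing and the update becomes a silent no-op; a follow-up read-back of the image that fails the target when it is not `$(IMG)` would make that visible. The `bundle` recipe continues outside this hunk.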
@@ -0,0 +1,46 @@
+//
+// Copyright (c) 2012-2023 Red Hat, Inc.
+// This program and the accompanying materials are made
+// available under the terms of the Eclipse Public License 2.0
+// which is available at https://www.eclipse.org/legal/epl-2.0/
+//
+// SPDX-License-Identifier: EPL-2.0
+//
+// Contributors:
+// Red Hat, Inc. - initial API and implementation
+//
+
+package v1alpha1
+
+import (
+ "context"
+
+ ctrl "sigs.k8s.io/controller-runtime"
+
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+func (r *KubernetesImagePuller) SetupWebhookWithManager(mgr ctrl.Manager) error {
+ mgr.GetWebhookServer().Register("/validate-che-eclipse-org-v1alpha1-kubernetesimagepuller", &webhook.Admission{Handler: &validationHandler{k8sClient: mgr.GetClient()}})
+ return nil
+}
+
+// +kubebuilder:webhook:path=/validate-che-eclipse-org-v1alpha1-kubernetesimagepuller,mutating=false,failurePolicy=fail,sideEffects=None,groups=che.eclipse.org,resources=kubernetesimagepullers,verbs=create,versions=v1alpha1,name=vkubernetesimagepuller.kb.io,admissionReviewVersions={v1,v1beta1}
+
+type validationHandler struct {
+ k8sClient client.Client
+}
+
+func (v *validationHandler) Handle(ctx context.Context, req webhook.AdmissionRequest) webhook.AdmissionResponse {
+ imagePullers := &KubernetesImagePullerList{}
+ err := v.k8sClient.List(ctx, imagePullers, &client.ListOptions{Namespace: req.Namespace})
+ if err != nil {
+ return webhook.Denied(err.Error())
+ }
+
+ if len(imagePullers.Items) > 0 {
+ return webhook.Denied("only one KubernetesImagePuller is allowed per namespace")
+ }
+ return webhook.Allowed("there are no KubernetesImagePuller resources in this namespace")
+}
diff --git a/api/v1alpha1/webhook_suite_test.go b/api/v1alpha1/webhook_suite_test.go
new file mode 100644
index 0000000..93e4d62
--- /dev/null
+++ b/api/v1alpha1/webhook_suite_test.go
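Review bot: `Handle` enforces the one-per-namespace rule with a List through `mgr.GetClient()`, which in controller-runtime is served from the informer cache, so two creates arriving close together (or one arriving before the cache has synced) can both observe an empty list and both be admitted; the controller must still tolerate several objects in a namespace, and if the check is meant to be authoritative the handler should read through `mgr.GetAPIReader()` (direct, uncached) — the `k8sClient` field can then be typed `client.Reader`. A failed List is returned as `webhook.Denied(err.Error())`, which turns a transient API error into a policy rejection and echoes the raw error text to the caller; `webhook.Errored(http.StatusInternalServerError, err)` is the conventional response for that path and lets `failurePolicy=fail` do its job. A doc comment on the type would state the invariant for future readers, e.g. `// validationHandler denies a CREATE when a KubernetesImagePuller already exists in the request's namespace; it is registered for create only, so updates are never re-validated.`, and `SetupWebhookWithManager` should note that the registered path must match the `+kubebuilder:webhook:path=` marker below.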
@@ -0,0 +1,182 @@ +// +// Copyright (c) 2012-2023 Red Hat, Inc. +// This program and the accompanying materials are made +// available under the terms of the Eclipse Public License 2.0 +// which is available at https://www.eclipse.org/legal/epl-2.0/ +// +// SPDX-License-Identifier: EPL-2.0 +// +// Contributors: +// Red Hat, Inc. - initial API and implementation +// + +package v1alpha1 + +import ( + "context" + "crypto/tls" + "fmt" + "net" + "path/filepath" + "testing" + "time" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + + admissionv1beta1 "k8s.io/api/admission/v1beta1" + v1 "k8s.io/api/core/v1" + + //+kubebuilder:scaffold:imports + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/rest" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" + "sigs.k8s.io/controller-runtime/pkg/envtest/printer" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" +) + +// These tests use Ginkgo (BDD-style Go testing framework). Refer to +// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. 
+ +var cfg *rest.Config +var k8sClient client.Client +var testEnv *envtest.Environment +var ctx context.Context +var cancel context.CancelFunc + +func TestAPIs(t *testing.T) { + RegisterFailHandler(Fail) + + RunSpecsWithDefaultAndCustomReporters(t, + "Webhook Suite", + []Reporter{printer.NewlineReporter{}}) +} + +var _ = BeforeSuite(func() { + logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) + + ctx, cancel = context.WithCancel(context.TODO()) + + By("bootstrapping test environment") + testEnv = &envtest.Environment{ + CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")}, + ErrorIfCRDPathMissing: false, + WebhookInstallOptions: envtest.WebhookInstallOptions{ + Paths: []string{filepath.Join("..", "..", "config", "webhook")}, + }, + } + + cfg, err := testEnv.Start() + Expect(err).NotTo(HaveOccurred()) + Expect(cfg).NotTo(BeNil()) + + scheme := runtime.NewScheme() + err = AddToScheme(scheme) + Expect(err).NotTo(HaveOccurred()) + + err = admissionv1beta1.AddToScheme(scheme) + Expect(err).NotTo(HaveOccurred()) + + err = v1.AddToScheme(scheme) + Expect(err).NotTo(HaveOccurred()) + + //+kubebuilder:scaffold:scheme + + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme}) + Expect(err).NotTo(HaveOccurred()) + Expect(k8sClient).NotTo(BeNil()) + + // start webhook server using Manager + webhookInstallOptions := &testEnv.WebhookInstallOptions + mgr, err := ctrl.NewManager(cfg, ctrl.Options{ + Scheme: scheme, + Host: webhookInstallOptions.LocalServingHost, + Port: webhookInstallOptions.LocalServingPort, + CertDir: webhookInstallOptions.LocalServingCertDir, + LeaderElection: false, + MetricsBindAddress: "0", + }) + Expect(err).NotTo(HaveOccurred()) + + err = (&KubernetesImagePuller{}).SetupWebhookWithManager(mgr) + Expect(err).NotTo(HaveOccurred()) + + //+kubebuilder:scaffold:webhook + + go func() { + err = mgr.Start(ctx) + if err != nil { + Expect(err).NotTo(HaveOccurred()) + } + }() + + // wait for the webhook 
server to get ready + dialer := &net.Dialer{Timeout: time.Second} + addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) + Eventually(func() error { + conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) + if err != nil { + return err + } + conn.Close() + return nil + }).Should(Succeed()) + +}, 60) + +var _ = Describe("Create KubernetesImagePuller resource", func() { + + var kip *KubernetesImagePuller + + BeforeEach(func() { + kip = &KubernetesImagePuller{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-kip", + Namespace: "default", + }, + } + }) + + It("Should create a KubernetesImagePuller resource", func() { + Expect(k8sClient.Create(ctx, kip)).Should(Succeed()) + Expect(k8sClient.Delete(ctx, kip)).Should(Succeed()) + }) + + It("Should not be able to create a second KubernetesImagePuller resource in the same namespace", func() { + secondKip := kip.DeepCopy() + secondKip.ObjectMeta.Name = secondKip.ObjectMeta.Name + "-different" + + Expect(k8sClient.Create(ctx, kip)).Should(Succeed()) + err := k8sClient.Create(ctx, secondKip) + Expect(err.Error()).To(Equal("admission webhook \"vkubernetesimagepuller.kb.io\" denied the request: only one KubernetesImagePuller is allowed per namespace")) + Expect(k8sClient.Delete(ctx, kip)).Should(Succeed()) + }) + + It("Should be able to create a second KubernetesImagePuller resource in a different namespace", func() { + secondKip := kip.DeepCopy() + secondKip.ObjectMeta.Name = secondKip.ObjectMeta.Name + "-different" + secondKip.ObjectMeta.Namespace = secondKip.ObjectMeta.Namespace + "-different" + newNamespace := &v1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: secondKip.ObjectMeta.Namespace, + }, + } + Expect(k8sClient.Create(ctx, newNamespace)).Should(Succeed()) + Expect(k8sClient.Create(ctx, kip)).Should(Succeed()) + Expect(k8sClient.Create(ctx, secondKip)).Should(Succeed()) + Expect(k8sClient.Delete(ctx, 
kip)).Should(Succeed()) + Expect(k8sClient.Delete(ctx, secondKip)).Should(Succeed()) + Expect(k8sClient.Delete(ctx, newNamespace)).Should(Succeed()) + }) +}) + +var _ = AfterSuite(func() { + cancel() + By("tearing down the test environment") + err := testEnv.Stop() + Expect(err).NotTo(HaveOccurred()) +}) diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index bda604f..09a4cfb 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -1,4 +1,3 @@ -//go:build !ignore_autogenerated // +build !ignore_autogenerated // diff --git a/build/Dockerfile b/build/Dockerfile index fd6d1bd..aed6eeb 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -13,6 +13,7 @@ # https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/ubi8/go-toolset FROM registry.access.redhat.com/ubi8/go-toolset:1.20.10-3 as builder ENV GOPATH=/go/ +ARG SKIP_TESTS="false" USER root WORKDIR /workspace @@ -30,9 +31,10 @@ COPY api/ api/ COPY controllers/ controllers/ COPY pkg/ pkg/ COPY hack/ hack/ +COPY config/webhook/ config/webhook/ # Test -RUN make test +RUN if [[ ${SKIP_TESTS} == "false" ]]; then make test; fi # Build RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go diff --git a/build/make/deploy.mk b/build/make/deploy.mk new file mode 100644 index 0000000..451e073 --- /dev/null +++ b/build/make/deploy.mk 
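Review bot: In `BeforeSuite`, `cfg, err := testEnv.Start()` declares a new local `cfg`, so the package-level `cfg` at the top of the file stays nil (nothing reads it today, but it is misleading), and the later `go func() { err = mgr.Start(ctx) … }()` writes the closure's shared `err` from a goroutine while the main body keeps assigning it — a data race under `go test -race` — and an `Expect` failure inside that goroutine panics the test binary instead of failing the spec because there is no `defer GinkgoRecover()`. Suggested shape: `var err error` then `cfg, err = testEnv.Start()`, and `go func() { defer GinkgoRecover(); Expect(mgr.Start(ctx)).To(Succeed()) }()`. In the second spec, `Expect(err.Error()).To(Equal(…))` dereferences `err` before asserting it is non-nil, so a regression that lets the second create through shows up as a nil-pointer panic rather than a readable failure; add `Expect(err).To(HaveOccurred())` first. `InsecureSkipVerify: true` in the readiness dial is acceptable only because the connection is closed without sending anything; a one-line comment saying so keeps it from being copied into non-test code.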
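Review bot: `RUN if [[ ${SKIP_TESTS} == "false" ]]; then make test; fi` skips the tests for every value other than the exact string `false`, so a typo such as `SKIP_TESTS=flase` or an empty override silently disables them; invert the check so only an explicit opt-out skips, and use a POSIX test since `[[` relies on `/bin/sh` being bash in the base image: `RUN if [ "${SKIP_TESTS}" != "true" ]; then make test; fi`. A comment on the `ARG SKIP_TESTS` line naming who sets it (`# set by .github/workflows/pr-check.yml to skip the envtest suite during the PR image build`) would document the coupling between the two files.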
@@ -0,0 +1,27 @@
+ifeq (,$(shell which kubectl)$(shell which oc))
+ $(error oc or kubectl is required to proceed)
+endif
+
+ifneq (,$(shell which kubectl))
+ K8S_CLI := kubectl
+else
+ K8S_CLI := oc
+endif
+
+ifeq ($(shell $(K8S_CLI) api-resources --api-group='route.openshift.io' 2>&1 | grep -o routes),routes)
+ PLATFORM := openshift
+else
+ PLATFORM := kubernetes
+endif
+
+install: manifests download-kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
+ $(KUSTOMIZE) build config/crd | $(K8S_CLI) apply -f -
+
+uninstall: download-kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
+ $(KUSTOMIZE) build config/crd | $(K8S_CLI) delete -f -
+
+deploy: manifests kustomize-operator-image gen-deployment ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+ $(K8S_CLI) apply -f $(DEPLOYMENT_DIR)/$(PLATFORM)/combined.yaml
+
+undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
+ $(K8S_CLI) delete -f $(DEPLOYMENT_DIR)/$(PLATFORM)/combined.yaml
diff --git a/bundle/test-bundle.sh b/bundle/test-bundle.sh
index 9954366..9b582c9 100755
--- a/bundle/test-bundle.sh
+++ b/bundle/test-bundle.sh
@@ -96,7 +96,7 @@ buildBundleFromSources() {
 mv ${BUNDLE_DIR}/bundle.Dockerfile ${BUNDLE_DIR}/Dockerfile
 # Set operator image from the registry
- yq -rYi '.spec.install.spec.deployments[0].spec.template.spec.containers[1].image = "'${OPERATOR_IMAGE}'"' ${BUNDLE_DIR}/manifests/kubernetes-imagepuller-operator.clusterserviceversion.yaml
+ yq -riY '.spec.install.spec.deployments[0].spec.template.spec.containers[] |= (select(.name == "kubernetes-image-puller-operator") .image |= "'${OPERATOR_IMAGE}'")' ${BUNDLE_DIR}/manifests/kubernetes-imagepuller-operator.clusterserviceversion.yaml
 oc delete buildconfigs ${REGISTRY_BUNDLE_IMAGE_NAME} --ignore-not-found=true -n "${NAMESPACE}"
 oc delete imagestreamtag ${REGISTRY_BUNDLE_IMAGE_NAME}:latest --ignore-not-found=true -n "${NAMESPACE}"
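Review bot: `$(shell $(K8S_CLI) api-resources …)` inside `ifeq` is evaluated at parse time, so every `make` invocation that includes this file round-trips to the cluster (or hangs on an unreachable one) even for goals that never deploy; make the probe lazy so it runs only when a deploy target expands it, e.g. `PLATFORM = $(if $(findstring routes,$(shell $(K8S_CLI) api-resources --api-group='route.openshift.io' 2>&1)),openshift,kubernetes)`. The `which` probes here omit the `2>/dev/null` that the include guard in the Makefile uses, so a missing binary prints `which: no … in (…)` noise during parsing, and the `$(error …)` branch is unreachable in practice because the Makefile only includes this file when one of the two binaries was found. `undeploy` deletes `$(DEPLOYMENT_DIR)/$(PLATFORM)/combined.yaml` without ensuring it exists, so on a fresh checkout it fails with a file-not-found instead of removing anything; either depend on `gen-deployment` or state in the `##` text that `make deploy` must have been run in the same checkout. All four targets are phony; the `.PHONY` declaration, if any, is outside this diff.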
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml new file mode 100644 index 0000000..8885c18 --- /dev/null +++ b/config/certmanager/certificate.yaml @@ -0,0 +1,25 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer + namespace: kubernetes-image-puller-operator +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml + namespace: kubernetes-image-puller-operator +spec: + # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames: + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: kubernetes-image-puller-operator-service-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml new file mode 100644 index 0000000..bebea5a --- /dev/null +++ b/config/certmanager/kustomization.yaml @@ -0,0 +1,5 @@ +resources: +- certificate.yaml + +configurations: +- kustomizeconfig.yaml diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml new file mode 100644 index 0000000..90d7c31 --- /dev/null +++ b/config/certmanager/kustomizeconfig.yaml 
@@ -0,0 +1,16 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +nameReference: +- kind: Issuer + group: cert-manager.io + fieldSpecs: + - kind: Certificate + group: cert-manager.io + path: spec/issuerRef/name + +varReference: +- kind: Certificate + group: cert-manager.io + path: spec/commonName +- kind: Certificate + group: cert-manager.io + path: spec/dnsNames diff --git a/config/crd/patches/webhook_in_kubernetesimagepullers.yaml b/config/crd/patches/webhook_in_kubernetesimagepullers.yaml index d2335d8..f4955ac 100644 --- a/config/crd/patches/webhook_in_kubernetesimagepullers.yaml +++ b/config/crd/patches/webhook_in_kubernetesimagepullers.yaml @@ -22,5 +22,5 @@ spec: clientConfig: service: namespace: system - name: webhook-service + name: service path: /convert diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index fb831d8..88a1e60 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
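Review bot: The conversion-webhook patch now points the CRD at a Service named `service` in namespace `system`, while the Service the rest of this commit configures is `manager-service` (config/openshift/patches/service_cert_patch.yaml patches `manager-service`, and the `SERVICE_NAME` vars in config/kubernetes/kustomization.yaml use `kubernetes-image-puller-operator-manager-service` after prefixing). Unless config/webhook/service.yaml, which is not in this diff, really names it `service`, this patch will reference a Service that does not exist once it is enabled; a comment on the line stating what it must match, `name: manager-service # must match config/webhook/service.yaml`, would keep the two from drifting again.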
@@ -10,77 +10,14 @@ # Red Hat, Inc. - initial API and implementation # -# Adds namespace to all resources. namespace: kubernetes-image-puller-operator -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -# namePrefix: kubernetes-image-puller-operator- - -# Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue - bases: - ../crd - ../rbac - ../manager -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- ../webhook -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -#- ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -# - ../prometheus +- ../webhook patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml - -# Mount the controller config file for loading manager configurations -# through a ComponentConfig type -#- manager_config_patch.yaml - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. -# 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml - -# the following config is for teaching kustomize how to do var substitution -vars: -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. 
-#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR -# objref: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldref: -# fieldpath: metadata.namespace -#- name: CERTIFICATE_NAME -# objref: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -#- name: SERVICE_NAMESPACE # namespace of the service -# objref: -# kind: Service -# version: v1 -# name: webhook-service -# fieldref: -# fieldpath: metadata.namespace -#- name: SERVICE_NAME -# objref: -# kind: Service -# version: v1 -# name: webhook-service +- manager_webhook_patch.yaml diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index ece3b79..73e34e5 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -15,7 +15,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: kubernetes-image-puller-operator + name: manager spec: template: spec: diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml index 509e9bd..10930a2 100644 --- a/config/default/manager_config_patch.yaml +++ b/config/default/manager_config_patch.yaml @@ -13,7 +13,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: kubernetes-image-puller-operator + name: manager spec: template: spec: diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml new file mode 100644 index 0000000..4d81552 --- /dev/null +++ b/config/default/manager_webhook_patch.yaml 
@@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: manager +spec: + template: + spec: + containers: + - name: kubernetes-image-puller-operator + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: kubernetes-image-puller-operator-service-cert diff --git a/config/kubernetes/kustomization.yaml b/config/kubernetes/kustomization.yaml new file mode 100644 index 0000000..6c068cd --- /dev/null +++ b/config/kubernetes/kustomization.yaml 
@@ -0,0 +1,50 @@ +# +# Copyright (c) 2019-2023 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +namePrefix: kubernetes-image-puller-operator- + +resources: + - ../default + - ../certmanager + +patchesStrategicMerge: + - patches/cainjection_in_kubernetesimagepullers.yaml + - patches/cainjection_in_webhook.yaml + +vars: +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. +- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR + objref: + kind: Certificate + group: cert-manager.io + version: v1 + name: kubernetes-image-puller-operator-serving-cert # this name should match the one in certificate.yaml + fieldref: + fieldpath: metadata.namespace +- name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1 + name: kubernetes-image-puller-operator-serving-cert # this name should match the one in certificate.yaml +- name: SERVICE_NAMESPACE # namespace of the service + objref: + kind: Service + version: v1 + name: kubernetes-image-puller-operator-manager-service + fieldref: + fieldpath: metadata.namespace +- name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: kubernetes-image-puller-operator-manager-service diff --git a/config/kubernetes/patches/cainjection_in_kubernetesimagepullers.yaml b/config/kubernetes/patches/cainjection_in_kubernetesimagepullers.yaml new file mode 100644 index 0000000..7d16757 --- /dev/null +++ b/config/kubernetes/patches/cainjection_in_kubernetesimagepullers.yaml 
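Review bot: The `# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.` line under `vars:` is left over from the scaffold; in this overlay the sections are already active and `../certmanager` is always included, so the instruction now misleads. Replace it with `# cert-manager is always on in the kubernetes overlay; these vars feed the cainjection patches and the certificate dnsNames`. The `objref` names are written with the `kubernetes-image-puller-operator-` prefix already applied, which differs from the scaffold's unprefixed form; a short comment saying that is deliberate (and that the bare name in config/certmanager/certificate.yaml is `serving-cert`) will save the next person from "fixing" it.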
@@ -0,0 +1,18 @@ +# +# Copyright (c) 2019-2021 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: kubernetesimagepullers.che.eclipse.org + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) diff --git a/config/kubernetes/patches/cainjection_in_webhook.yaml b/config/kubernetes/patches/cainjection_in_webhook.yaml new file mode 100644 index 0000000..4526872 --- /dev/null +++ b/config/kubernetes/patches/cainjection_in_webhook.yaml @@ -0,0 +1,18 @@ +# +# Copyright (c) 2019-2021 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 4e695a0..47a56ed 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -11,6 +11,7 @@ # resources: +- service_account.yaml - manager.yaml - controller-namespace.yaml 
@@ -27,3 +28,14 @@ images: - name: quay.io/eclipse/kubernetes-image-puller-operator:next newName: quay.io/eclipse/kubernetes-image-puller-operator newTag: 1.0.4 + +vars: +- fieldref: {} + name: CONTROLLER_SERVICE_ACCOUNT + objref: + kind: ServiceAccount + name: sa + version: v1 + +configurations: +- kustomizeconfig.yaml diff --git a/config/manager/kustomizeconfig.yaml b/config/manager/kustomizeconfig.yaml new file mode 100644 index 0000000..f7664b5 --- /dev/null +++ b/config/manager/kustomizeconfig.yaml @@ -0,0 +1,16 @@ +# +# Copyright (c) 2019-2023 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +varReference: +- kind: Deployment + group: apps + path: spec/template/spec/serviceAccountName diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 6732187..610750f 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -13,7 +13,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: kubernetes-image-puller-operator + name: manager labels: name: kubernetes-image-puller-operator spec: @@ -26,7 +26,7 @@ spec: labels: name: kubernetes-image-puller-operator spec: - serviceAccountName: kubernetes-image-puller-operator + serviceAccountName: $(CONTROLLER_SERVICE_ACCOUNT) containers: - name: kubernetes-image-puller-operator image: quay.io/eclipse/kubernetes-image-puller-operator:next diff --git a/config/rbac/service_account.yaml b/config/manager/service_account.yaml similarity index 90% rename from config/rbac/service_account.yaml rename to config/manager/service_account.yaml index e32c3b7..f5aeea2 100644 --- a/config/rbac/service_account.yaml +++ b/config/manager/service_account.yaml 
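Review bot: Renaming the Deployment from `kubernetes-image-puller-operator` to `manager` and the ServiceAccount to `sa` means that, with the `kubernetes-image-puller-operator-` prefix applied by the kubernetes and openshift overlays, `make deploy` against a cluster already running the old Deployment creates a second one (`kubernetes-image-puller-operator-manager`) and leaves the old one running against the same CRs, since `kubectl apply` never prunes the old name. Either keep the previous names or document the upgrade step (delete the old Deployment in the operator namespace before `make deploy`) in the `deploy` target's `##` text or the README. `serviceAccountName: $(CONTROLLER_SERVICE_ACCOUNT)` depends on the new `vars`/`varReference` in config/manager, and every RoleBinding/ClusterRoleBinding subject must now name the prefixed SA; the config/rbac/auth_proxy_role_binding.yaml change is cut off at the end of this diff, so I cannot confirm the remaining bindings were updated.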
@@ -13,4 +13,4 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: kubernetes-image-puller-operator + name: sa diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index a164cdb..c57606f 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -12,27 +12,6 @@ # These resources constitute the fully configured set of manifests # used to generate the 'manifests/' directory in a bundle. + resources: - bases/kubernetes-image-puller-operator.clusterserviceversion.yaml -- ../default -- ../samples -- ../scorecard - -# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix. -# Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager. -# These patches remove the unnecessary "cert" volume and its manager container volumeMount. -#patchesJson6902: -#- target: -# group: apps -# version: v1 -# kind: Deployment -# name: kubernetes-image-puller-operator -# patch: |- -# # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. -# # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. -# - op: remove -# path: /spec/template/spec/containers/1/volumeMounts/0 -# # Remove the "cert" volume, since OLM will create and mount a set of certs. -# # Update the indices in this path if adding or removing volumes in the manager's Deployment. -# - op: remove -# path: /spec/template/spec/volumes/0 diff --git a/config/openshift/kustomization.yaml b/config/openshift/kustomization.yaml new file mode 100644 index 0000000..29aeb6b --- /dev/null +++ b/config/openshift/kustomization.yaml 
@@ -0,0 +1,21 @@ +# +# Copyright (c) 2019-2023 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +namePrefix: kubernetes-image-puller-operator- + +resources: + - ../default + +patchesStrategicMerge: + - patches/cainjection_in_kubernetesimagepullers.yaml + - patches/cainjection_in_webhook.yaml + - patches/service_cert_patch.yaml diff --git a/config/openshift/olm/kustomization.yaml b/config/openshift/olm/kustomization.yaml new file mode 100644 index 0000000..27f0492 --- /dev/null +++ b/config/openshift/olm/kustomization.yaml @@ -0,0 +1,20 @@ +# +# Copyright (c) 2019-2023 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +# These resources constitute the fully configured set of manifests +# used to generate the 'manifests/' directory in a bundle. + +resources: +- ../../manifests +- ../../samples +- ../../scorecard +- prefixed diff --git a/config/openshift/olm/prefixed/kustomization.yaml b/config/openshift/olm/prefixed/kustomization.yaml new file mode 100644 index 0000000..8f545aa --- /dev/null +++ b/config/openshift/olm/prefixed/kustomization.yaml 
@@ -0,0 +1,24 @@
+# This has to be a separate kustomize file, since namePrefix below cannot be
+# disabled for specific types, and we need the CSV's .metadata.name to be unchanged
+
+namePrefix: kubernetes-image-puller-operator-
+
+bases:
+- ../../../default
+
+# These patches remove the unnecessary "cert" volume and its manager container volumeMount.
+patchesJson6902:
+- target:
+ group: apps
+ version: v1
+ kind: Deployment
+ name: manager
+ patch: |-
+ # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs.
+ # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment.
+ - op: remove
+ path: /spec/template/spec/containers/0/volumeMounts/0
+ # Remove the "cert" volume, since OLM will create and mount a set of certs.
+ # Update the indices in this path if adding or removing volumes in the manager's Deployment.
+ - op: remove
+ path: /spec/template/spec/volumes/0
diff --git a/config/openshift/patches/cainjection_in_kubernetesimagepullers.yaml b/config/openshift/patches/cainjection_in_kubernetesimagepullers.yaml
new file mode 100644
index 0000000..bf7e00e
--- /dev/null
+++ b/config/openshift/patches/cainjection_in_kubernetesimagepullers.yaml
@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2019-2023 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+# Red Hat, Inc. - initial API and implementation
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ service.beta.openshift.io/inject-cabundle: "true"
+ name: kubernetesimagepullers.che.eclipse.org
diff --git a/config/openshift/patches/cainjection_in_webhook.yaml b/config/openshift/patches/cainjection_in_webhook.yaml
new file mode 100644
index 0000000..635aa36
--- /dev/null
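Review bot: The two `op: remove` entries select the cert mount and volume purely by index, so if the manager Deployment ever gains a volume or mount ahead of `cert` the patch silently strips the wrong one — the comment asking maintainers to "update the indices" is weaker than a check. JSON Patch has `op: test`, which makes the kustomize build fail when the value at a path is not what you expect, so guarding each removal with a test on the entry's `name` turns the assumption into something executable. The Deployment rendered in this commit's `deploy/deployment` output has the manager as container 0 with `cert` as its first mount and first volume, so the indices are correct today. Separately, `bases:` is deprecated in favour of `resources:`.
```yaml
  patch: |-
    # Fail the build instead of silently removing the wrong entry if the indices shift.
    - op: test
      path: /spec/template/spec/containers/0/volumeMounts/0/name
      value: cert
    - op: remove
      path: /spec/template/spec/containers/0/volumeMounts/0
    - op: test
      path: /spec/template/spec/volumes/0/name
      value: cert
    - op: remove
      path: /spec/template/spec/volumes/0
```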
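Review bot: `service.beta.openshift.io/inject-cabundle` on a CRD is, as far as I know, only consumed for `spec.conversion.webhook.clientConfig.caBundle`, and the `kubernetesimagepullers.che.eclipse.org` CRD rendered elsewhere in this commit has no `conversion` stanza, so this patch currently does nothing. Either drop it, or state the intent above `metadata:` with `# No conversion webhook yet; keeps CA injection in place for when one is added` so the annotation is not read as evidence that CRD conversion traffic is already secured.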
+++ b/config/openshift/patches/cainjection_in_webhook.yaml @@ -0,0 +1,17 @@ +# +# Copyright (c) 2019-2023 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-configuration + annotations: + service.beta.openshift.io/inject-cabundle: "true" diff --git a/config/openshift/patches/service_cert_patch.yaml b/config/openshift/patches/service_cert_patch.yaml new file mode 100644 index 0000000..a451933 --- /dev/null +++ b/config/openshift/patches/service_cert_patch.yaml @@ -0,0 +1,18 @@ +# +# Copyright (c) 2019-2023 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# +apiVersion: v1 +kind: Service +metadata: + name: manager-service + namespace: kubernetes-image-puller-operator + annotations: + service.beta.openshift.io/serving-cert-secret-name: kubernetes-image-puller-operator-service-cert diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index 5ed75c3..b189940 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml @@ -18,7 +18,7 @@ metadata: labels: name: kubernetes-image-puller-operator name: controller-manager-metrics-monitor - namespace: system + namespace: kubernetes-image-puller-operator spec: endpoints: - path: /metrics diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml index 022d3e6..b561771 100644 --- a/config/rbac/auth_proxy_role_binding.yaml 
+++ b/config/rbac/auth_proxy_role_binding.yaml @@ -20,4 +20,5 @@ roleRef: name: proxy-role subjects: - kind: ServiceAccount - name: kubernetes-image-puller-operator + name: $(CONTROLLER_SERVICE_ACCOUNT) + namespace: kubernetes-image-puller-operator diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml index 143b9fa..6a62703 100644 --- a/config/rbac/auth_proxy_service.yaml +++ b/config/rbac/auth_proxy_service.yaml @@ -15,8 +15,8 @@ kind: Service metadata: labels: name: kubernetes-image-puller-operator - name: controller-manager-metrics-service - namespace: system + name: manager-metrics-service + namespace: kubernetes-image-puller-operator spec: ports: - name: https diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index b545876..a2c2df6 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -16,7 +16,6 @@ resources: # if your manager will use a service account that exists at # runtime. Be sure to update RoleBinding and ClusterRoleBinding # subjects if changing service account names. -- service_account.yaml - role.yaml - role_binding.yaml - leader_election_role.yaml @@ -28,3 +27,6 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml + +configurations: +- kustomizeconfig.yaml diff --git a/config/rbac/kustomizeconfig.yaml b/config/rbac/kustomizeconfig.yaml new file mode 100644 index 0000000..dedd021 --- /dev/null +++ b/config/rbac/kustomizeconfig.yaml 
@@ -0,0 +1,19 @@ +# +# Copyright (c) 2019-2023 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +varReference: +- kind: ClusterRoleBinding + group: rbac.authorization.k8s.io + path: subjects/name +- kind: RoleBinding + group: rbac.authorization.k8s.io + path: subjects/name diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml index 1f0d179..03bfef5 100644 --- a/config/rbac/leader_election_role_binding.yaml +++ b/config/rbac/leader_election_role_binding.yaml @@ -20,4 +20,5 @@ roleRef: name: leader-election-role subjects: - kind: ServiceAccount - name: kubernetes-image-puller-operator + name: $(CONTROLLER_SERVICE_ACCOUNT) + namespace: kubernetes-image-puller-operator diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 458688c..377f820 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -14,7 +14,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null - name: kubernetes-image-puller-operator + name: role rules: - apiGroups: - "" diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 5a7f667..c2d1b20 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -13,11 +13,12 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: kubernetes-image-puller-operator + name: role-binding subjects: - kind: ServiceAccount - name: kubernetes-image-puller-operator + name: $(CONTROLLER_SERVICE_ACCOUNT) + namespace: kubernetes-image-puller-operator roleRef: kind: Role - name: kubernetes-image-puller-operator + name: role apiGroup: rbac.authorization.k8s.io 
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml
new file mode 100644
index 0000000..9cf2613
--- /dev/null
+++ b/config/webhook/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+- manifests.yaml
+- service.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml
new file mode 100644
index 0000000..5659500
--- /dev/null
+++ b/config/webhook/kustomizeconfig.yaml
@@ -0,0 +1,25 @@
+# the following config is for teaching kustomize where to look at when substituting vars.
+# It requires kustomize v2.1.0 or newer to work properly.
+nameReference:
+- kind: Service
+ version: v1
+ fieldSpecs:
+ # - kind: MutatingWebhookConfiguration
+ # group: admissionregistration.k8s.io
+ # path: webhooks/clientConfig/service/name
+ - kind: ValidatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/name
+
+namespace:
+# - kind: MutatingWebhookConfiguration
+# group: admissionregistration.k8s.io
+# path: webhooks/clientConfig/service/namespace
+# create: true
+- kind: ValidatingWebhookConfiguration
+ group: admissionregistration.k8s.io
+ path: webhooks/clientConfig/service/namespace
+ create: true
+
+varReference:
+- path: metadata/annotations
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
new file mode 100644
index 0000000..a173e14
--- /dev/null
+++ b/config/webhook/manifests.yaml
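Review bot: The commented-out `MutatingWebhookConfiguration` entries under `nameReference.fieldSpecs` and `namespace` are scaffold leftovers — this overlay only registers a `ValidatingWebhookConfiguration` — and dead blocks in a file that rewrites webhook service names and namespaces are easy to uncomment by accident later. Drop them, or replace both with one line, `# no mutating webhook is registered; add MutatingWebhookConfiguration entries here if one is introduced`. `varReference: - path: metadata/annotations` with no `kind` means every annotation on every object is scanned for `$(VAR)` substitution; if it exists only for a CA-injection annotation on the webhook configuration, narrowing it with `kind: ValidatingWebhookConfiguration` documents why it is there.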
@@ -0,0 +1,28 @@ + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + creationTimestamp: null + name: validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: manager-service + namespace: kubernetes-image-puller-operator + path: /validate-che-eclipse-org-v1alpha1-kubernetesimagepuller + failurePolicy: Fail + name: vkubernetesimagepuller.kb.io + rules: + - apiGroups: + - che.eclipse.org + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - kubernetesimagepullers + sideEffects: None diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml new file mode 100644 index 0000000..642bab2 --- /dev/null +++ b/config/webhook/service.yaml @@ -0,0 +1,12 @@ + +apiVersion: v1 +kind: Service +metadata: + name: manager-service + namespace: kubernetes-image-puller-operator +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + name: kubernetes-image-puller-operator diff --git a/controllers/kubernetesimagepuller_controller.go b/controllers/kubernetesimagepuller_controller.go index 508d245..37f49a9 100644 --- a/controllers/kubernetesimagepuller_controller.go +++ b/controllers/kubernetesimagepuller_controller.go @@ -24,6 +24,7 @@ import ( rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" 
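Review bot: `operations` lists only `CREATE`, so whatever the handler behind `/validate-che-eclipse-org-v1alpha1-kubernetesimagepuller` enforces is skipped on UPDATE; the handler is not in this diff, but if it validates `spec` fields (image list, resource quantities, names) a user can create a conforming object and then patch it past the check. If that is not intentional, add `- UPDATE` under `operations:`, and since this file carries controller-gen's `creationTimestamp: null` fingerprint, change the `verbs=` in the kubebuilder marker as well so a regeneration does not revert it. `failurePolicy: Fail` together with `sideEffects: None` is the right fail-closed setting and should stay.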
@@ -244,7 +245,11 @@ func (r *KubernetesImagePullerReconciler) Reconcile(ctx context.Context, req ctr
 // If DeploymentName has changed, delete the old deployment and create a new one
 deployments := &appsv1.DeploymentList{}
- err = r.List(context.TODO(), deployments, client.MatchingLabels{"app": "kubernetes-image-puller"})
+ listOptions := &client.ListOptions{
+ Namespace: instance.Namespace,
+ LabelSelector: labels.SelectorFromValidatedSet(map[string]string{"app": "kubernetes-image-puller"}),
+ }
+ err = r.List(context.TODO(), deployments, listOptions)
 if err != nil {
 r.Log.Error(err, "Error listing deployments")
 return ctrl.Result{}, err
diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml
new file mode 100644
index 0000000..95b403b
--- /dev/null
+++ b/deploy/deployment/kubernetes/combined.yaml
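Review bot: The new `r.List` call still passes `context.TODO()` although `Reconcile` receives `ctx` (visible in the hunk header), so cancellation and deadlines of the reconcile request never reach this API call; use `err = r.List(ctx, deployments, listOptions)`. Restricting the lookup to `instance.Namespace` is the important part of this change: with the old label-only selector, the deployment-rename cleanup the comment describes (it continues past the hunk) presumably acted on `app=kubernetes-image-puller` Deployments from any namespace the cache sees. The same scoping reads more idiomatically, and avoids the new `labels` import, as `r.List(ctx, deployments, client.InNamespace(instance.Namespace), client.MatchingLabels{"app": "kubernetes-image-puller"})`. `Reconcile` begins and ends outside this hunk.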
@@ -0,0 +1,448 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: kubernetes-image-puller-operator/kubernetes-image-puller-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.7.0 + name: kubernetesimagepullers.che.eclipse.org +spec: + group: che.eclipse.org + names: + kind: KubernetesImagePuller + listKind: KubernetesImagePullerList + plural: kubernetesimagepullers + singular: kubernetesimagepuller + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: KubernetesImagePuller is the Schema for the kubernetesimagepullers + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubernetesImagePullerSpec defines the desired state of KubernetesImagePuller + properties: + affinity: + type: string + cachingCPULimit: + type: string + cachingCPURequest: + type: string + cachingIntervalHours: + type: string + cachingMemoryLimit: + type: string + cachingMemoryRequest: + type: string + configMapName: + type: string + daemonsetName: + type: string + deploymentName: + type: string + imagePullSecrets: + type: string + imagePullerImage: + type: string + images: + type: string + nodeSelector: + type: string + type: object + status: + description: KubernetesImagePullerStatus defines the observed state of + KubernetesImagePuller + properties: + imagePullerImage: + description: KubernetesImagePuller image in use. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kubernetes-image-puller-operator-leader-election-role + namespace: kubernetes-image-puller-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: kubernetes-image-puller-operator-role + namespace: kubernetes-image-puller-operator +rules: +- apiGroups: + - "" + 
resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - watch + - create + - delete +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - che.eclipse.org + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubernetes-image-puller-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubernetes-image-puller-operator-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubernetes-image-puller-operator-leader-election-rolebinding + namespace: kubernetes-image-puller-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-image-puller-operator-leader-election-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: 
kubernetes-image-puller-operator-role-binding + namespace: kubernetes-image-puller-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-image-puller-operator-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-image-puller-operator-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-image-puller-operator-proxy-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator +--- +apiVersion: v1 +kind: Service +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator-manager-metrics-service + namespace: kubernetes-image-puller-operator +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + name: kubernetes-image-puller-operator +--- +apiVersion: v1 +kind: Service +metadata: + name: kubernetes-image-puller-operator-service + namespace: kubernetes-image-puller-operator +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + name: kubernetes-image-puller-operator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator-manager + namespace: kubernetes-image-puller-operator +spec: + replicas: 1 + selector: + matchLabels: + name: kubernetes-image-puller-operator + template: + metadata: + labels: + name: kubernetes-image-puller-operator + spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: 
kubernetes-image-puller-operator + image: quay.io/eclipse/kubernetes-image-puller-operator:1.0.4 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: kubernetes-image-puller-operator + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + serviceAccountName: kubernetes-image-puller-operator-sa + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: kubernetes-image-puller-operator-service-cert +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kubernetes-image-puller-operator-serving-cert + namespace: kubernetes-image-puller-operator +spec: + dnsNames: + - kubernetes-image-puller-operator-service.kubernetes-image-puller-operator.svc + - kubernetes-image-puller-operator-service.kubernetes-image-puller-operator.svc.cluster.local + issuerRef: + kind: Issuer + name: kubernetes-image-puller-operator-selfsigned-issuer + secretName: kubernetes-image-puller-operator-service-cert +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: kubernetes-image-puller-operator-selfsigned-issuer + namespace: kubernetes-image-puller-operator +spec: + selfSigned: {} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: 
kubernetes-image-puller-operator/kubernetes-image-puller-operator-serving-cert + name: kubernetes-image-puller-operator-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: kubernetes-image-puller-operator-service + namespace: kubernetes-image-puller-operator + path: /validate-che-eclipse-org-v1alpha1-kubernetesimagepuller + failurePolicy: Fail + name: vkubernetesimagepuller.kb.io + rules: + - apiGroups: + - che.eclipse.org + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - kubernetesimagepullers + sideEffects: None diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-leader-election-role.Role.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-leader-election-role.Role.yaml new file mode 100644 index 0000000..ba02c36 --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-leader-election-role.Role.yaml @@ -0,0 +1,37 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kubernetes-image-puller-operator-leader-election-role + namespace: kubernetes-image-puller-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-leader-election-rolebinding.RoleBinding.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-leader-election-rolebinding.RoleBinding.yaml new file mode 100644 index 0000000..7b50612 --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-leader-election-rolebinding.RoleBinding.yaml 
@@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubernetes-image-puller-operator-leader-election-rolebinding + namespace: kubernetes-image-puller-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-image-puller-operator-leader-election-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-manager-metrics-service.Service.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-manager-metrics-service.Service.yaml new file mode 100644 index 0000000..110f69b --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-manager-metrics-service.Service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator-manager-metrics-service + namespace: kubernetes-image-puller-operator +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + name: kubernetes-image-puller-operator diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-manager.Deployment.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-manager.Deployment.yaml new file mode 100644 index 0000000..72e0eaa --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-manager.Deployment.yaml 
@@ -0,0 +1,82 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator-manager + namespace: kubernetes-image-puller-operator +spec: + replicas: 1 + selector: + matchLabels: + name: kubernetes-image-puller-operator + template: + metadata: + labels: + name: kubernetes-image-puller-operator + spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: kubernetes-image-puller-operator + image: quay.io/eclipse/kubernetes-image-puller-operator:1.0.4 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: kubernetes-image-puller-operator + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + serviceAccountName: kubernetes-image-puller-operator-sa + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: kubernetes-image-puller-operator-service-cert 
diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-metrics-reader.ClusterRole.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-metrics-reader.ClusterRole.yaml new file mode 100644 index 0000000..0814029 --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-metrics-reader.ClusterRole.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubernetes-image-puller-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-proxy-role.ClusterRole.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-proxy-role.ClusterRole.yaml new file mode 100644 index 0000000..6e9aa90 --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-proxy-role.ClusterRole.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubernetes-image-puller-operator-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-proxy-rolebinding.ClusterRoleBinding.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-proxy-rolebinding.ClusterRoleBinding.yaml new file mode 100644 index 0000000..360ebe6 --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-proxy-rolebinding.ClusterRoleBinding.yaml 
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-image-puller-operator-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-image-puller-operator-proxy-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-role-binding.RoleBinding.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-role-binding.RoleBinding.yaml new file mode 100644 index 0000000..ee7bfad --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-role-binding.RoleBinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubernetes-image-puller-operator-role-binding + namespace: kubernetes-image-puller-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-image-puller-operator-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-role.Role.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-role.Role.yaml new file mode 100644 index 0000000..b42c8d8 --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-role.Role.yaml 
@@ -0,0 +1,84 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: kubernetes-image-puller-operator-role + namespace: kubernetes-image-puller-operator +rules: +- apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - watch + - create + - delete +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - che.eclipse.org + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-sa.ServiceAccount.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-sa.ServiceAccount.yaml new file mode 100644 index 0000000..d0c1d81 --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-sa.ServiceAccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-selfsigned-issuer.Issuer.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-selfsigned-issuer.Issuer.yaml new file mode 100644 index 0000000..f07c043 --- /dev/null 
+++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-selfsigned-issuer.Issuer.yaml @@ -0,0 +1,7 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: kubernetes-image-puller-operator-selfsigned-issuer + namespace: kubernetes-image-puller-operator +spec: + selfSigned: {} diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-service.Service.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-service.Service.yaml new file mode 100644 index 0000000..ed7186d --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-service.Service.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: kubernetes-image-puller-operator-service + namespace: kubernetes-image-puller-operator +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + name: kubernetes-image-puller-operator diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-serving-cert.Certificate.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-serving-cert.Certificate.yaml new file mode 100644 index 0000000..92fb39d --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-serving-cert.Certificate.yaml @@ -0,0 +1,13 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kubernetes-image-puller-operator-serving-cert + namespace: kubernetes-image-puller-operator +spec: + dnsNames: + - kubernetes-image-puller-operator-service.kubernetes-image-puller-operator.svc + - kubernetes-image-puller-operator-service.kubernetes-image-puller-operator.svc.cluster.local + issuerRef: + kind: Issuer + name: kubernetes-image-puller-operator-selfsigned-issuer + secretName: kubernetes-image-puller-operator-service-cert 
diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-validating-webhook-configuration.ValidatingWebhookConfiguration.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-validating-webhook-configuration.ValidatingWebhookConfiguration.yaml new file mode 100644 index 0000000..8b232c2 --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator-validating-webhook-configuration.ValidatingWebhookConfiguration.yaml @@ -0,0 +1,27 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: kubernetes-image-puller-operator/kubernetes-image-puller-operator-serving-cert + name: kubernetes-image-puller-operator-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: kubernetes-image-puller-operator-service + namespace: kubernetes-image-puller-operator + path: /validate-che-eclipse-org-v1alpha1-kubernetesimagepuller + failurePolicy: Fail + name: vkubernetesimagepuller.kb.io + rules: + - apiGroups: + - che.eclipse.org + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - kubernetesimagepullers + sideEffects: None diff --git a/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator.Namespace.yaml b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator.Namespace.yaml new file mode 100644 index 0000000..26bacd4 --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetes-image-puller-operator.Namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator 
diff --git a/deploy/deployment/kubernetes/objects/kubernetesimagepullers.che.eclipse.org.CustomResourceDefinition.yaml b/deploy/deployment/kubernetes/objects/kubernetesimagepullers.che.eclipse.org.CustomResourceDefinition.yaml new file mode 100644 index 0000000..db092cf --- /dev/null +++ b/deploy/deployment/kubernetes/objects/kubernetesimagepullers.che.eclipse.org.CustomResourceDefinition.yaml 
@@ -0,0 +1,83 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: kubernetes-image-puller-operator/kubernetes-image-puller-operator-serving-cert + controller-gen.kubebuilder.io/version: v0.7.0 + name: kubernetesimagepullers.che.eclipse.org +spec: + group: che.eclipse.org + names: + kind: KubernetesImagePuller + listKind: KubernetesImagePullerList + plural: kubernetesimagepullers + singular: kubernetesimagepuller + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: KubernetesImagePuller is the Schema for the kubernetesimagepullers + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubernetesImagePullerSpec defines the desired state of KubernetesImagePuller + properties: + affinity: + type: string + cachingCPULimit: + type: string + cachingCPURequest: + type: string + cachingIntervalHours: + type: string + cachingMemoryLimit: + type: string + cachingMemoryRequest: + type: string + configMapName: + type: string + daemonsetName: + type: string + deploymentName: + type: string + imagePullSecrets: + type: string + imagePullerImage: + type: string + images: + type: string + nodeSelector: + type: string + type: object + status: + description: KubernetesImagePullerStatus defines the observed state of + KubernetesImagePuller + properties: + imagePullerImage: + description: KubernetesImagePuller image in use. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml new file mode 100644 index 0000000..b6887c5 --- /dev/null +++ b/deploy/deployment/openshift/combined.yaml 
@@ -0,0 +1,428 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + service.beta.openshift.io/inject-cabundle: "true" + name: kubernetesimagepullers.che.eclipse.org +spec: + group: che.eclipse.org + names: + kind: KubernetesImagePuller + listKind: KubernetesImagePullerList + plural: kubernetesimagepullers + singular: kubernetesimagepuller + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: KubernetesImagePuller is the Schema for the kubernetesimagepullers + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubernetesImagePullerSpec defines the desired state of KubernetesImagePuller + properties: + affinity: + type: string + cachingCPULimit: + type: string + cachingCPURequest: + type: string + cachingIntervalHours: + type: string + cachingMemoryLimit: + type: string + cachingMemoryRequest: + type: string + configMapName: + type: string + daemonsetName: + type: string + deploymentName: + type: string + imagePullSecrets: + type: string + imagePullerImage: + type: string + images: + type: string + nodeSelector: + type: string + type: object + status: + description: KubernetesImagePullerStatus defines the observed state of + KubernetesImagePuller + properties: + imagePullerImage: + description: KubernetesImagePuller image in use. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kubernetes-image-puller-operator-leader-election-role + namespace: kubernetes-image-puller-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: kubernetes-image-puller-operator-role + namespace: kubernetes-image-puller-operator +rules: +- apiGroups: + - "" + 
resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - watch + - create + - delete +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - che.eclipse.org + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubernetes-image-puller-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubernetes-image-puller-operator-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubernetes-image-puller-operator-leader-election-rolebinding + namespace: kubernetes-image-puller-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-image-puller-operator-leader-election-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: 
kubernetes-image-puller-operator-role-binding + namespace: kubernetes-image-puller-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-image-puller-operator-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-image-puller-operator-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-image-puller-operator-proxy-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator +--- +apiVersion: v1 +kind: Service +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator-manager-metrics-service + namespace: kubernetes-image-puller-operator +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + name: kubernetes-image-puller-operator +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.openshift.io/serving-cert-secret-name: kubernetes-image-puller-operator-service-cert + name: kubernetes-image-puller-operator-service + namespace: kubernetes-image-puller-operator +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + name: kubernetes-image-puller-operator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator-manager + namespace: kubernetes-image-puller-operator +spec: + replicas: 1 + selector: + matchLabels: + name: kubernetes-image-puller-operator + template: + metadata: + labels: + name: kubernetes-image-puller-operator + spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: 
metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: kubernetes-image-puller-operator + image: quay.io/eclipse/kubernetes-image-puller-operator:1.0.4 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: kubernetes-image-puller-operator + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + serviceAccountName: kubernetes-image-puller-operator-sa + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: kubernetes-image-puller-operator-service-cert +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + service.beta.openshift.io/inject-cabundle: "true" + name: kubernetes-image-puller-operator-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: kubernetes-image-puller-operator-service + namespace: kubernetes-image-puller-operator + path: /validate-che-eclipse-org-v1alpha1-kubernetesimagepuller + failurePolicy: Fail + name: vkubernetesimagepuller.kb.io + rules: + - apiGroups: + - che.eclipse.org + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - kubernetesimagepullers + sideEffects: None 
diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-leader-election-role.Role.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-leader-election-role.Role.yaml new file mode 100644 index 0000000..ba02c36 --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-leader-election-role.Role.yaml @@ -0,0 +1,37 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kubernetes-image-puller-operator-leader-election-role + namespace: kubernetes-image-puller-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-leader-election-rolebinding.RoleBinding.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-leader-election-rolebinding.RoleBinding.yaml new file mode 100644 index 0000000..7b50612 --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-leader-election-rolebinding.RoleBinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubernetes-image-puller-operator-leader-election-rolebinding + namespace: kubernetes-image-puller-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-image-puller-operator-leader-election-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator 
diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-manager-metrics-service.Service.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-manager-metrics-service.Service.yaml new file mode 100644 index 0000000..110f69b --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-manager-metrics-service.Service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator-manager-metrics-service + namespace: kubernetes-image-puller-operator +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + name: kubernetes-image-puller-operator diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-manager.Deployment.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-manager.Deployment.yaml new file mode 100644 index 0000000..72e0eaa --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-manager.Deployment.yaml 
@@ -0,0 +1,82 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator-manager + namespace: kubernetes-image-puller-operator +spec: + replicas: 1 + selector: + matchLabels: + name: kubernetes-image-puller-operator + template: + metadata: + labels: + name: kubernetes-image-puller-operator + spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: kubernetes-image-puller-operator + image: quay.io/eclipse/kubernetes-image-puller-operator:1.0.4 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: kubernetes-image-puller-operator + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + serviceAccountName: kubernetes-image-puller-operator-sa + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: kubernetes-image-puller-operator-service-cert 
diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-metrics-reader.ClusterRole.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-metrics-reader.ClusterRole.yaml new file mode 100644 index 0000000..0814029 --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-metrics-reader.ClusterRole.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubernetes-image-puller-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-proxy-role.ClusterRole.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-proxy-role.ClusterRole.yaml new file mode 100644 index 0000000..6e9aa90 --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-proxy-role.ClusterRole.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubernetes-image-puller-operator-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-proxy-rolebinding.ClusterRoleBinding.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-proxy-rolebinding.ClusterRoleBinding.yaml new file mode 100644 index 0000000..360ebe6 --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-proxy-rolebinding.ClusterRoleBinding.yaml 
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-image-puller-operator-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-image-puller-operator-proxy-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-role-binding.RoleBinding.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-role-binding.RoleBinding.yaml new file mode 100644 index 0000000..ee7bfad --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-role-binding.RoleBinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubernetes-image-puller-operator-role-binding + namespace: kubernetes-image-puller-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-image-puller-operator-role +subjects: +- kind: ServiceAccount + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-role.Role.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-role.Role.yaml new file mode 100644 index 0000000..b42c8d8 --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-role.Role.yaml 
@@ -0,0 +1,84 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: kubernetes-image-puller-operator-role + namespace: kubernetes-image-puller-operator +rules: +- apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - watch + - create + - delete +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - che.eclipse.org + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-sa.ServiceAccount.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-sa.ServiceAccount.yaml new file mode 100644 index 0000000..d0c1d81 --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-sa.ServiceAccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubernetes-image-puller-operator-sa + namespace: kubernetes-image-puller-operator diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-service.Service.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-service.Service.yaml new file mode 100644 index 0000000..445e45e --- /dev/null 
+++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-service.Service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.openshift.io/serving-cert-secret-name: kubernetes-image-puller-operator-service-cert + name: kubernetes-image-puller-operator-service + namespace: kubernetes-image-puller-operator +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + name: kubernetes-image-puller-operator diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-validating-webhook-configuration.ValidatingWebhookConfiguration.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-validating-webhook-configuration.ValidatingWebhookConfiguration.yaml new file mode 100644 index 0000000..4b67339 --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator-validating-webhook-configuration.ValidatingWebhookConfiguration.yaml @@ -0,0 +1,27 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + service.beta.openshift.io/inject-cabundle: "true" + name: kubernetes-image-puller-operator-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: kubernetes-image-puller-operator-service + namespace: kubernetes-image-puller-operator + path: /validate-che-eclipse-org-v1alpha1-kubernetesimagepuller + failurePolicy: Fail + name: vkubernetesimagepuller.kb.io + rules: + - apiGroups: + - che.eclipse.org + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - kubernetesimagepullers + sideEffects: None diff --git a/deploy/deployment/openshift/objects/kubernetes-image-puller-operator.Namespace.yaml b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator.Namespace.yaml new file mode 100644 index 0000000..26bacd4 --- /dev/null 
+++ b/deploy/deployment/openshift/objects/kubernetes-image-puller-operator.Namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + name: kubernetes-image-puller-operator + name: kubernetes-image-puller-operator diff --git a/deploy/deployment/openshift/objects/kubernetesimagepullers.che.eclipse.org.CustomResourceDefinition.yaml b/deploy/deployment/openshift/objects/kubernetesimagepullers.che.eclipse.org.CustomResourceDefinition.yaml new file mode 100644 index 0000000..fe5906a --- /dev/null +++ b/deploy/deployment/openshift/objects/kubernetesimagepullers.che.eclipse.org.CustomResourceDefinition.yaml 
@@ -0,0 +1,83 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + service.beta.openshift.io/inject-cabundle: "true" + name: kubernetesimagepullers.che.eclipse.org +spec: + group: che.eclipse.org + names: + kind: KubernetesImagePuller + listKind: KubernetesImagePullerList + plural: kubernetesimagepullers + singular: kubernetesimagepuller + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: KubernetesImagePuller is the Schema for the kubernetesimagepullers + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubernetesImagePullerSpec defines the desired state of KubernetesImagePuller + properties: + affinity: + type: string + cachingCPULimit: + type: string + cachingCPURequest: + type: string + cachingIntervalHours: + type: string + cachingMemoryLimit: + type: string + cachingMemoryRequest: + type: string + configMapName: + type: string + daemonsetName: + type: string + deploymentName: + type: string + imagePullSecrets: + type: string + imagePullerImage: + type: string + images: + type: string + nodeSelector: + type: string + type: object + status: + description: KubernetesImagePullerStatus defines the observed state of + KubernetesImagePuller + properties: + imagePullerImage: + description: KubernetesImagePuller image in use. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/go.mod b/go.mod index d5d7bc7..facc491 100644 --- a/go.mod +++ b/go.mod @@ -5,6 +5,9 @@ go 1.15 require ( github.com/go-logr/logr v0.4.0 github.com/google/go-cmp v0.5.5 + github.com/onsi/ginkgo v1.16.4 // indirect + github.com/onsi/gomega v1.14.0 // indirect + github.com/pkg/errors v0.9.1 // indirect k8s.io/api v0.21.3 k8s.io/apimachinery v0.21.3 k8s.io/client-go v0.21.3 diff --git a/main.go b/main.go index e123c34..033608d 100644 --- a/main.go +++ b/main.go 
@@ -15,20 +15,23 @@ package main import ( "flag" "fmt" + "os" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/selection" - "os" "sigs.k8s.io/controller-runtime/pkg/cache" + // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) // to ensure that exec-entrypoint and run can make use of them. _ "k8s.io/client-go/plugin/pkg/client/auth" + go_runtime "runtime" + "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" - go_runtime "runtime" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" @@ -125,6 +128,12 @@ func main() { setupLog.Error(err, "unable to create controller", "controller", "KubernetesImagePuller") os.Exit(1) } + + if err = (&orgv1alpha1.KubernetesImagePuller{}).SetupWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "KubernetesImagePuller") + os.Exit(1) + } + //+kubebuilder:scaffold:builder if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
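Review bot: The webhook is registered unconditionally at `SetupWebhookWithManager(mgr)` in the second hunk, so the manager will presumably refuse to start wherever the serving certificate is absent — including a developer running it from the host — instead of falling back to controller-only mode. The kubebuilder scaffold guards this call with `if os.Getenv("ENABLE_WEBHOOKS") != "false" { … }`; wrapping the new block the same way (the `os` import is already present per the first hunk) keeps local runs and tests working without a cert, while in-cluster deployments, whose manifests in this commit mount `/tmp/k8s-webhook-server/serving-certs`, are unaffected. Separately, the ValidatingWebhookConfiguration manifests added in this commit list only the `CREATE` operation, so an existing KubernetesImagePuller can be updated without passing the new validation; if the rules are meant to hold for the object's lifetime, the webhook marker that generates those manifests should also cover update. main() continues outside the hunk.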