chore: split deploy-manifests

Signed-off-by: Christian Kotzbauer <[email protected]>
ckotzbauer · Apr 26, 2022 · a502a2e · a502a2e
1 parent cb42f10
commit a502a2e
Show file tree

Hide file tree

Showing 4 changed files with 135 additions and 0 deletions.
diff --git a/deploy/job-image/deployment.yaml b/deploy/job-image/deployment.yaml
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: sbom-operator
+  name: sbom-operator
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: sbom-operator
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: sbom-operator
+    spec:
+      containers:
+      - image: ghcr.io/ckotzbauer/sbom-operator:latest
+        name: operator
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_UID
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.uid
+        # Free account
+        - name: SBOM_JOB_CAS_API_KEY
+          value: ""
+        args:
+          # example values
+          - --cron="0 6 * * * *"
+          - --job-image=ghcr.io/ckotzbauer/sbom-operator/cas:0.10.0
+          - --pod-label-selector=sbom-operator\=true
+        ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 101
+          seccompProfile:
+            type: RuntimeDefault
+        resources:
+          limits:
+            cpu: 500m
+            memory: 500Mi
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        livenessProbe:
+          timeoutSeconds: 3
+          httpGet:
+            path: "/health"
+            port: 8080
+        readinessProbe:
+          timeoutSeconds: 3
+          httpGet:
+            path: "/health"
+            port: 8080
+      securityContext:
+        fsGroup: 101
+      serviceAccountName: sbom-operator
diff --git a/deploy/job-image/rbac.yaml b/deploy/job-image/rbac.yaml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sbom-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sbom-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - namespaces
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+  - delete
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - get
+  - create
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: sbom-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: sbom-operator
+subjects:
+- kind: ServiceAccount
+  name: sbom-operator
+  namespace: default
diff --git a/deploy/deployment.yaml → deploy/standard/deployment.yaml b/deploy/deployment.yaml → deploy/standard/deployment.yaml
@@ -43,6 +43,8 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 101
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
           - mountPath: /work
             name: work

diff --git a/deploy/rbac.yaml → deploy/standard/rbac.yaml b/deploy/rbac.yaml → deploy/standard/rbac.yaml