Repository: Rework hack & config. (#176)

* Hack: Simplify `fetch-manifest.sh`.

* Config: Rework deployments.

* Config: Rework webhooks.

* Config: Rework services.

* Config: Rework certificates.

* Config: Rework CRDs.

* Config: Rework namespaces.

* Config: Rework issuers.

* Config: Rework RBAC.

* Config: Rework network policies.

* Config: Rework labels.

* Config: Remove monitoring annotations.

* Config: Rework images.

* Config: Align indentation.

* Repository: Update README.

* Repository: Update CHANGELOG.

.gitignore

@@ -1 +1 @@
-config/helm/input/
+config/helm/bases/cluster-api-components.yaml

CHANGELOG.md

@@ -7,11 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Repository: Rework `hack` & `config`. ([#176](https://github.com/giantswarm/cluster-api-app/pull/176))
+
 ## [1.15.1] - 2024-01-15
 
 ### Changed
 
-- Make: Use `kubectl` integrated `kustomize`
+- Make: Use `kubectl` integrated `kustomize`. ([#171](https://github.com/giantswarm/cluster-api-app/pull/171))
 - Switch to image hosted on gsoci.azurecr.io
 
 ## [1.15.0] - 2023-12-20

Makefile.custom.mk

@@ -4,7 +4,7 @@ generate:
 	rm helm/cluster-api/templates/*.yaml
 	hack/fetch-manifest.sh
 	kubectl kustomize config/helm --output helm/cluster-api/templates
-	rm helm/cluster-api/templates/v1_configmap_watchfilter-patch.yaml
+	rm helm/cluster-api/templates/v1_configmap_watch-filter.yaml
 	hack/move-generated-crds.sh
 	hack/generate-crd-version-patches.sh
 	hack/wrap-with-conditional.sh

README.md

@@ -1,48 +1,48 @@
 [![CircleCI](https://circleci.com/gh/giantswarm/cluster-api-app.svg?style=shield)](https://circleci.com/gh/giantswarm/cluster-api-app)
 
-# cluster-api chart
+# cluster-api-app
 
-This is a meta app that provides deployment packaging for Cluster API core, bootstrap and control-plane controllers.
+This is a meta app that provides deployment packaging for Cluster API components.
 
 ## Prerequisites
 
 To get all the `make` targets running
 
-* `kubectl` ([source](https://github.com/kubernetes/kubectl)) in version `>= v1.27.0` is required
-* `yq` ([source](https://github.com/mikefarah/yq)) is required
+* [`kubectl`](https://github.com/kubernetes/kubectl) in version `>= v1.27.0` is required
+* [`yq`](https://github.com/mikefarah/yq) is required
 
 ## How it works
 
-The `make generate` target transfers the upstream released `cluster-api-components.yaml` into a Giant Swarm specific Helm chart. Besides there are some other changes required to make all the Cluster API components fit into our stack.
+The `make generate` target transfers the upstream Cluster API components into a Giant Swarm specific Helm chart. Besides there are some other changes required to make them fit into our stack.
 
 To make all the changes transparent and reproducible, `kubectl kustomize` is used to apply patches.
 
-The following notable scripts & commands are triggered in `make generate`:
+The following notable commands & scripts are triggered in `make generate`:
 
-1. [`hack/fetch-manifest.sh`](hack/fetch-manifest.sh): Fetches the release manifest with the version specified in `helm/cluster-api/values.yaml`.
-1. `kubectl kustomize config/helm --output helm/cluster-api/templates`: Applies all the changes defined in `kustomization.yaml`.
-1. [`hack/move-generated-crds.sh`](hack/move-generated-crds.sh): Moves all the CRDs into the `helm/cluster-api/files` directory. All files within this directory are later used in `job/cluster-api-crd-install`.
+1. [`hack/fetch-manifest.sh`](hack/fetch-manifest.sh): Fetches the Cluster API components for the version specified in `helm/cluster-api/values.yaml`.
+1. `kubectl kustomize config/helm --output helm/cluster-api/templates`: Generates kustomized Helm templates from upstream Cluster API components.
+1. [`hack/move-generated-crds.sh`](hack/move-generated-crds.sh): Moves all the CRDs into the `helm/cluster-api/files` directory. They are later used in the CRD install job.
 1. [`hack/generate-crd-version-patches.sh`](hack/generate-crd-version-patches.sh): Extracts the upstream Cluster API CRDs into `kustomize` patches in `helm/cluster-api/files`.
 1. [`hack/wrap-with-conditional.sh`](hack/wrap-with-conditional.sh)
     * Wraps all occurrences of the `cluster.x-k8s.io/watch-filter` object selector into a condition:
         ```yaml
-        {{ if .Values.watchfilter }}
+        {{- if .Values.watchfilter }}
         objectSelector:
             matchLabels:
                 cluster.x-k8s.io/watch-filter: '{{ .Values.watchFilter }}'
-        {{ end }}
+        {{- end }}
         ```
     * Wraps all the `*_ciliumnetworkpolicy_*.yaml` manifests into the global `ciliumNetworkPolicy.enabled` condition:
         ```yaml
         {{- if .Values.ciliumNetworkPolicy.enabled }}
         [...]
-        {{ end }}
+        {{- end }}
         ```
 
-## Upgrading CAPI
+## Upgrading Cluster API
 
 See the [`README.md`](https://github.com/giantswarm/cluster-api/blob/main/README.md) of our Cluster API fork for testing and releasing changes.
 
-It is important to run `make generate` so that the templates, CRDs and patches are regenerated using the new version of CAPI.
+It is important to run `make generate` so that the templates, CRDs and patches are regenerated using the new version of Cluster API.
 
-**NOTE:** When new webhooks are added upstream, we need to manually add them to the relevant patches (`config/helm/certificate*.yaml`).
+**NOTE:** When new webhooks are added upstream, we need to manually add them to the relevant patches.

config/helm/ciliumnetworkpolicy_capi-controller-manager.yaml → config/helm/bases/ciliumnetworkpolicies/capi-controller-manager.yaml

@@ -1,20 +1,21 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
+  name: capi-controller-manager
+  namespace: capi-system
   labels:
     app.kubernetes.io/component: cluster-api
     cluster.x-k8s.io/provider: cluster-api
     control-plane: controller-manager
-  name: capi-controller-manager
 spec:
   endpointSelector:
     matchLabels:
       cluster.x-k8s.io/provider: cluster-api
       control-plane: controller-manager
-  ingress:  # for webhooks
-    - fromEntities:
-      - cluster  # even though it's a kube-apiserver pod running in host network it doesn't work without "cluster"
-      - kube-apiserver
+  ingress:
+  - fromEntities:
+    - cluster
+    - kube-apiserver
   egress:
-    - toEntities:
-        - kube-apiserver
+  - toEntities:
+    - kube-apiserver

config/helm/ciliumnetworkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml → config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml

@@ -1,20 +1,21 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
+  name: capi-kubeadm-bootstrap-controller-manager
+  namespace: capi-kubeadm-bootstrap-system
   labels:
     app.kubernetes.io/component: bootstrap-kubeadm
     cluster.x-k8s.io/provider: bootstrap-kubeadm
     control-plane: controller-manager
-  name: capi-kubeadm-bootstrap-controller-manager
 spec:
   endpointSelector:
     matchLabels:
       cluster.x-k8s.io/provider: bootstrap-kubeadm
       control-plane: controller-manager
-  ingress:  # for webhooks
-    - fromEntities:
-      - cluster  # even though it's a kube-apiserver pod running in host network it doesn't work without "cluster"
-      - kube-apiserver
+  ingress:
+  - fromEntities:
+    - cluster
+    - kube-apiserver
   egress:
-    - toEntities:
-        - kube-apiserver
+  - toEntities:
+    - kube-apiserver

config/helm/ciliumnetworkpolicy_capi-kubeadm-control-plane-controller-manager.yaml → config/helm/bases/ciliumnetworkpolicies/capi-kubeadm-control-plane-controller-manager.yaml

@@ -1,20 +1,21 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
+  name: capi-kubeadm-control-plane-controller-manager
+  namespace: capi-kubeadm-control-plane-system
   labels:
     app.kubernetes.io/component: control-plane-kubeadm
     cluster.x-k8s.io/provider: control-plane-kubeadm
     control-plane: controller-manager
-  name: capi-kubeadm-control-plane-controller-manager
 spec:
   endpointSelector:
     matchLabels:
       cluster.x-k8s.io/provider: control-plane-kubeadm
       control-plane: controller-manager
-  ingress:  # for webhooks
-    - fromEntities:
-      - cluster  # even though it's a kube-apiserver pod running in host network it doesn't work without "cluster"
-      - kube-apiserver
+  ingress:
+  - fromEntities:
+    - cluster
+    - kube-apiserver
   egress:
-    - toEntities:
-        - kube-apiserver
+  - toEntities:
+    - kube-apiserver

config/helm/bases/configmaps/watch-filter.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: watch-filter
+  namespace: watch-filter
+data:
+  cluster.x-k8s.io/watch-filter: "{{ .Values.watchFilter }}"

config/helm/networkpolicy_capi-controller-manager.yaml → config/helm/bases/networkpolicies/capi-controller-manager.yaml

@@ -1,25 +1,25 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
+  name: capi-controller-manager
+  namespace: capi-system
   labels:
     app.kubernetes.io/component: cluster-api
     cluster.x-k8s.io/provider: cluster-api
     control-plane: controller-manager
-  name: capi-controller-manager
 spec:
   podSelector:
     matchLabels:
       cluster.x-k8s.io/provider: cluster-api
       control-plane: controller-manager
-  egress:
-    - ports:
-        # Access to workload clusters' Kubernetes API
-        - port: 443
-          protocol: TCP
-        - port: 6443
-          protocol: TCP
-      to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
   policyTypes:
-    - Egress
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+    ports:
+    - protocol: TCP
+      port: 443
+    - protocol: TCP
+      port: 6443

config/helm/networkpolicy_capi-kubeadm-bootstrap-controller-manager.yaml → config/helm/bases/networkpolicies/capi-kubeadm-bootstrap-controller-manager.yaml

@@ -1,24 +1,25 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
+  name: capi-kubeadm-bootstrap-controller-manager
+  namespace: capi-kubeadm-bootstrap-system
   labels:
     app.kubernetes.io/component: bootstrap-kubeadm
     cluster.x-k8s.io/provider: bootstrap-kubeadm
     control-plane: controller-manager
-  name: capi-kubeadm-bootstrap-controller-manager
 spec:
-  egress:
-  - ports:
-    - port: 443
-      protocol: TCP
-    - port: 6443
-      protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   podSelector:
     matchLabels:
       cluster.x-k8s.io/provider: bootstrap-kubeadm
       control-plane: controller-manager
   policyTypes:
   - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+    ports:
+    - protocol: TCP
+      port: 443
+    - protocol: TCP
+      port: 6443

config/helm/networkpolicy_capi-kubeadm-control-plane-controller-manager.yaml → config/helm/bases/networkpolicies/capi-kubeadm-control-plane-controller-manager.yaml

@@ -1,24 +1,25 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
+  name: capi-kubeadm-control-plane-controller-manager
+  namespace: capi-kubeadm-control-plane-system
   labels:
     app.kubernetes.io/component: control-plane-kubeadm
     cluster.x-k8s.io/provider: control-plane-kubeadm
     control-plane: controller-manager
-  name: capi-kubeadm-control-plane-controller-manager
 spec:
   podSelector:
     matchLabels:
       cluster.x-k8s.io/provider: control-plane-kubeadm
       control-plane: controller-manager
-  egress:
-    - ports:
-        - port: 443
-          protocol: TCP
-        - port: 6443
-          protocol: TCP
-      to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
   policyTypes:
-    - Egress
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+    ports:
+    - protocol: TCP
+      port: 443
+    - protocol: TCP
+      port: 6443