diff --git a/Dockerfile b/Dockerfile index bcbd6a9..9ba0967 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM quay.io/operator-framework/helm-operator:v1.15.0 +FROM quay.io/operator-framework/helm-operator:v1.23.0 ENV HOME=/opt/helm COPY watches.yaml ${HOME}/watches.yaml diff --git a/config/crd/bases/charts.kubealex.com_k8smediaservers.yaml b/config/crd/bases/charts.kubealex.com_k8smediaservers.yaml index 895bfcc..91e8b65 100644 --- a/config/crd/bases/charts.kubealex.com_k8smediaservers.yaml +++ b/config/crd/bases/charts.kubealex.com_k8smediaservers.yaml @@ -2,9 +2,9 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: k8smediaservers.kubealex.com + name: k8smediaservers.charts.kubealex.com spec: - group: kubealex.com + group: charts.kubealex.com names: kind: K8SMediaserver listKind: K8SMediaserverList diff --git a/config/crd/bases/kubealex.com_k8smediaservers.yaml b/config/crd/bases/kubealex.com_k8smediaservers.yaml deleted file mode 100644 index 895bfcc..0000000 --- a/config/crd/bases/kubealex.com_k8smediaservers.yaml +++ /dev/null 
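Review bot: Renaming the CRD from `k8smediaservers.kubealex.com` to `k8smediaservers.charts.kubealex.com` (group `kubealex.com` → `charts.kubealex.com`) in `config/crd/bases/charts.kubealex.com_k8smediaservers.yaml` is a breaking API change for existing installs, and nothing in this diff migrates or documents it. Applying the new manifests leaves the old CRD and any existing K8SMediaserver objects on the cluster, and because `watches.yaml` now watches only the new group those objects stop being reconciled; the chart resources they own (including PVCs) presumably carry ownerReferences to the old objects, so deleting them carelessly would garbage-collect the media data — worth confirming before publishing. I would add `# API group renamed from kubealex.com; objects in the old group are not migrated automatically — see upgrade notes` at the top of the CRD file and an upgrade section in the README describing how to recreate the CR under the new group before removing the old CRD.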
@@ -1,44 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: k8smediaservers.kubealex.com -spec: - group: kubealex.com - names: - kind: K8SMediaserver - listKind: K8SMediaserverList - plural: k8smediaservers - singular: k8smediaserver - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: K8SMediaserver is the Schema for the k8smediaservers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of K8SMediaserver - type: object - x-kubernetes-preserve-unknown-fields: true - status: - description: Status defines the observed state of K8SMediaserver - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 4b7303c..57bd564 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -9,10 +9,12 @@ namespace: k8s-mediaserver-operator-system namePrefix: k8s-mediaserver-operator- # Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue -bases: +resources: - ../crd - ../rbac - ../manager 
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index d94376d..f279d10 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -10,15 +10,28 @@ spec: spec: containers: - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8080/" - "--logtostderr=true" - - "--v=10" + - "--v=0" ports: - containerPort: 8443 + protocol: TCP name: https + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi - name: manager args: - "--health-probe-bind-address=:8081" diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml index 50c246a..5d30b8e 100644 --- a/config/manager/controller_manager_config.yaml +++ b/config/manager/controller_manager_config.yaml @@ -8,3 +8,13 @@ metrics: leaderElection: leaderElect: true resourceName: 811c9dc5.kubealex.com +# leaderElectionReleaseOnCancel defines if the leader should step down volume +# when the Manager ends. This requires the binary to immediately end when the +# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly +# speeds up voluntary leader transitions as the new leader don't have to wait +# LeaseDuration time first. +# In the default scaffold provided, the program ends immediately after +# the manager stops, so would be fine to enable this option. However, +# if you are doing or is intended to do any operation such as perform cleanups +# after the manager stops then its usage might be unsafe. +# leaderElectionReleaseOnCancel: true diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index fdcc078..4eeefe4 100644 --- a/config/manager/manager.yaml 
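Review bot: The new `securityContext` for the kube-rbac-proxy container in `config/default/manager_auth_proxy_patch.yaml` drops all capabilities and blocks privilege escalation but leaves the root filesystem writable; the proxy needs no writable filesystem, so `readOnlyRootFilesystem: true` belongs next to `allowPrivilegeEscalation: false`. The same applies to the manager container in `config/manager/manager.yaml` and in both generated bundles, though there it needs checking first: the Dockerfile sets `HOME=/opt/helm`, which suggests Helm writes cache/config under that path and would need an `emptyDir` mount. The image is also pinned by tag only (`gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0`); pinning by digest, `image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0@sha256:<DIGEST>`, would make the deployed proxy reproducible.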
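Review bot: The comment block added to `config/manager/controller_manager_config.yaml` carries the upstream scaffold's wording errors: "step down volume" should read "step down voluntarily", and "the new leader don't have to wait" should be "does not have to wait"; the same text is duplicated verbatim into the ConfigMap hunks of `k8s-mediaserver-operator.yml` and `k8s-mediaserver-operator-arm64.yml`. The option itself stays commented out, so the change is behaviour-neutral, but this comment is what a reader relies on to decide whether enabling `leaderElectionReleaseOnCancel` is safe, so it should read correctly. Consider `# leaderElectionReleaseOnCancel defines if the leader should step down voluntarily` as the first line.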
+++ b/config/manager/manager.yaml @@ -19,19 +19,31 @@ spec: replicas: 1 template: metadata: + annotations: + kubectl.kubernetes.io/default-container: manager labels: control-plane: controller-manager spec: securityContext: runAsNonRoot: true + # TODO(user): For common cases that do not require escalating privileges + # it is recommended to ensure that all your Pods/Containers are restrictive. + # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + # Please uncomment the following code if your project does NOT have to work on old Kubernetes + # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). + # seccompProfile: + # type: RuntimeDefault containers: - args: - --leader-elect - --leader-election-id=k8s-mediaserver-operator - image: quay.io/kubealex/k8s-mediaserver-operator:v0.5 + image: controller:latest name: manager securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" livenessProbe: httpGet: path: /healthz @@ -44,12 +56,14 @@ spec: port: 8081 initialDelaySeconds: 5 periodSeconds: 10 + # TODO(user): Configure the resources accordingly based on the project requirements. + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: limits: - cpu: 100m - memory: 90Mi + cpu: 500m + memory: 128Mi requests: - cpu: 100m - memory: 60Mi + cpu: 10m + memory: 64Mi serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/config/manifests/bases/k8s-mediaserver-operator.clusterserviceversion.yaml b/config/manifests/bases/k8s-mediaserver-operator.clusterserviceversion.yaml deleted file mode 100644 index a112908..0000000 --- a/config/manifests/bases/k8s-mediaserver-operator.clusterserviceversion.yaml +++ /dev/null 
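Review bot: The manager image in `config/manager/manager.yaml` becomes the scaffold placeholder `controller:latest`, which only deploys correctly if an `images:` transform in `config/manager/kustomization.yaml` rewrites it; that file is not in this diff, so it is worth confirming it exists (the generated bundles show `quay.io/kubealex/k8s-mediaserver-operator:v0.6.1`, which suggests it does). A `:latest` tag with no digest also means a stray `kustomize build` without the override would pull a mutable image. The pod-level `seccompProfile: RuntimeDefault` is left commented out behind a `TODO(user)`; given the other hardening in this hunk (dropping all capabilities) and the kube-rbac-proxy v0.13.0 baseline, enabling it is probably safe unless clusters older than 1.19 must be supported, so either uncomment it or replace the TODO with a comment stating the supported Kubernetes range, e.g. `# seccompProfile left unset: OpenShift < 4.11 / Kubernetes < 1.19 support required`.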
@@ -1,48 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: ClusterServiceVersion -metadata: - annotations: - alm-examples: '[]' - capabilities: Basic Install - name: k8s-mediaserver-operator.v0.5 - namespace: placeholder -spec: - apiservicedefinitions: {} - customresourcedefinitions: {} - description: Complete mediaserver for kubernetes - displayName: k8s-mediaserver - icon: - - base64data: "" - mediatype: "" - install: - spec: - deployments: null - strategy: "" - installModes: - - supported: false - type: OwnNamespace - - supported: false - type: SingleNamespace - - supported: false - type: MultiNamespace - - supported: true - type: AllNamespaces - keywords: - - k8s - - mediaserver - - plex - - sonarr - - radarr - - jackett - - transmission - links: - - name: K8s Mediaserver Operator - url: https://github.com/kubealex/k8s-mediaserver-operator - maintainers: - - email: al.rossi87@gmail.com - name: kubealex - maturity: alpha - provider: - name: kubealex - url: github.com/kubealex - version: 0.5 diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 9e25d4c..a61e91e 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -1,7 +1,7 @@ # These resources constitute the fully configured set of manifests # used to generate the 'manifests/' directory in a bundle. resources: -#- bases/k8s-mediaserver-operator.clusterserviceversion.yaml +- bases/k8s-mediaserver-operator.clusterserviceversion.yaml - ../default -#- ../samples -#- ../scorecard +- ../samples +- ../scorecard diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml index 6cf656b..71f1797 100644 --- a/config/rbac/auth_proxy_service.yaml +++ b/config/rbac/auth_proxy_service.yaml @@ -9,6 +9,7 @@ spec: ports: - name: https port: 8443 + protocol: TCP targetPort: https selector: control-plane: controller-manager 
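Review bot: `config/manifests/kustomization.yaml` now lists `bases/k8s-mediaserver-operator.clusterserviceversion.yaml` as a resource, but this same diff deletes `config/manifests/bases/k8s-mediaserver-operator.clusterserviceversion.yaml`, so `kustomize build config/manifests` will fail with a missing-file error on a fresh checkout. If the CSV base is meant to be regenerated by `operator-sdk generate kustomize manifests` before the build, that step must be documented or run by the Makefile's bundle target; otherwise the deleted file should be kept (or the resource line left commented, `#- bases/k8s-mediaserver-operator.clusterserviceversion.yaml`) until it exists. The `../samples` and `../scorecard` entries are fine as long as those directories are present.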
diff --git a/config/rbac/k8smediaserver_editor_role.yaml b/config/rbac/k8smediaserver_editor_role.yaml index 6d1300f..acb668a 100644 --- a/config/rbac/k8smediaserver_editor_role.yaml +++ b/config/rbac/k8smediaserver_editor_role.yaml @@ -5,7 +5,7 @@ metadata: name: k8smediaserver-editor-role rules: - apiGroups: - - kubealex.com + - charts.kubealex.com resources: - k8smediaservers verbs: @@ -17,7 +17,7 @@ rules: - update - watch - apiGroups: - - kubealex.com + - charts.kubealex.com resources: - k8smediaservers/status verbs: diff --git a/config/rbac/k8smediaserver_viewer_role.yaml b/config/rbac/k8smediaserver_viewer_role.yaml index b932ff0..95c77ae 100644 --- a/config/rbac/k8smediaserver_viewer_role.yaml +++ b/config/rbac/k8smediaserver_viewer_role.yaml @@ -5,7 +5,7 @@ metadata: name: k8smediaserver-viewer-role rules: - apiGroups: - - kubealex.com + - charts.kubealex.com resources: - k8smediaservers verbs: @@ -13,7 +13,7 @@ rules: - list - watch - apiGroups: - - kubealex.com + - charts.kubealex.com resources: - k8smediaservers/status verbs: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index faf17b0..4fbb389 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -32,7 +32,7 @@ rules: ## Rules for charts.kubealex.com/v1, Kind: K8SMediaserver ## - apiGroups: - - kubealex.com + - charts.kubealex.com resources: - k8smediaservers - k8smediaservers/status 
@@ -45,25 +45,39 @@ rules: - patch - update - watch -- verbs: - - "*" - apiGroups: +- apiGroups: - "" resources: - - "configmaps" - - "persistentvolumeclaims" - - "services" -- verbs: - - "*" - apiGroups: - - "apps" - resources: - - "deployments" -- verbs: - - "*" - apiGroups: - - "networking.k8s.io" + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps resources: - - "ingresses" + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch #+kubebuilder:scaffold:rules diff --git a/config/samples/charts_v1_k8smediaserver.yaml b/config/samples/charts_v1_k8smediaserver.yaml index fecf3f5..3d5ed8f 100644 --- a/config/samples/charts_v1_k8smediaserver.yaml +++ b/config/samples/charts_v1_k8smediaserver.yaml 
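Review bot: The rewritten rules in `config/rbac/role.yaml` drop the `networking.k8s.io` / `ingresses` rule entirely, while the sample CR in this same diff enables an ingress for every application, so the helm-operator will presumably fail to install the release as soon as the chart renders an Ingress; an explicit rule on `ingresses` with the same enumerated verbs should be added back. Replacing `"*"` with enumerated verbs is a good least-privilege step, but the new list also grants `pods`, `services/finalizers`, `endpoints`, `events`, `secrets`, `daemonsets`, `replicasets` and `statefulsets`, which look like operator-sdk scaffold defaults rather than what the chart creates — `secrets` is likely needed for Helm release storage, but the rest are worth trimming to the resources the chart actually renders. The same rule set is duplicated in the `@@ -133` hunks of `k8s-mediaserver-operator-arm64.yml` and `k8s-mediaserver-operator.yml` and must be fixed there too (or regenerated).

```yaml
# … unchanged: charts.kubealex.com, core and apps rules …
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
#+kubebuilder:scaffold:rules
```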
@@ -1,149 +1,160 @@ -apiVersion: kubealex.com/v1 +apiVersion: charts.kubealex.com/v1 kind: K8SMediaserver metadata: name: k8smediaserver-sample spec: # Default values copied from /helm-charts/k8s-mediaserver/values.yaml - general: - ingress_host: k8s-test-loadbalancer.k8s.test - plex_ingress_host: k8s-plex.k8s.test + general: image_tag: latest - puid: 1000 + ingress: + ingressClassName: "" + ingress_host: k8s-mediaserver.k8s.test pgid: 1000 + plex_ingress_host: k8s-plex.k8s.test + puid: 1000 storage: + customVolume: false pvcName: mediaserver-pvc - size: 5Gi pvcStorageClass: [] - nfs: false - nfsServer: - nfsPath: - - sonarr: - enabled: true - container: + size: 5Gi + subPaths: + config: config + downloads: downloads + movies: media/movies + sabnzbd: sabnzbd + transmission: transmission + tv: media/tv + volumes: {} + jackett: + container: nodeSelector: {} - port: 8989 + port: 9117 + enabled: true + ingress: + annotations: {} + enabled: true + path: /jackett + tls: + enabled: false + secretName: "" + resources: {} service: + extraLBService: false + nodePort: null + port: 9117 type: ClusterIP - port: 8989 - nodePort: - extraLBService: false + plex: + claim: CHANGEME + container: + nodeSelector: {} + port: 32400 + enabled: true ingress: - enabled: true annotations: {} - path: /sonarr + enabled: true tls: enabled: false secretName: "" - - radarr: - enabled: true - container: - nodeSelector: {} - port: 7878 + replicaCount: 1 + resources: {} service: + extraLBService: false + nodePort: null + port: 32400 type: ClusterIP + radarr: + container: + nodeSelector: {} port: 7878 - nodePort: - extraLBService: false + enabled: true ingress: - enabled: true annotations: {} + enabled: true path: /radarr tls: enabled: false secretName: "" - jackett: - enabled: true - container: - nodeSelector: {} - port: 9117 + resources: {} service: + extraLBService: false + nodePort: null + port: 7878 type: ClusterIP - port: 9117 - nodePort: - extraLBService: false + sabnzbd: + container: + 
nodeSelector: {} + port: + http: 8080 + https: 9090 + enabled: true ingress: - enabled: true annotations: {} - path: /jackett + enabled: true + path: /sabnzbd tls: enabled: false secretName: "" - - transmission: - enabled: true - container: - nodeSelector: {} - port: - utp: 9091 - peer: 51413 + resources: {} service: - utp: - type: ClusterIP - port: 9091 - nodePort: + http: extraLBService: false - peer: + nodePort: null + port: 8080 type: ClusterIP - port: 51413 - nodePort: - nodePortUDP: + https: extraLBService: false + nodePort: null + port: 9090 + type: ClusterIP + sonarr: + container: + nodeSelector: {} + port: 8989 + enabled: true ingress: - enabled: true annotations: {} - path: /transmission + enabled: true + path: /sonarr tls: enabled: false secretName: "" + resources: {} + service: + extraLBService: false + nodePort: null + port: 8989 + type: ClusterIP + transmission: config: - auth: + auth: enabled: false - username: "" password: "" - - sabnzbd: - enabled: true - container: + username: "" + container: nodeSelector: {} - port: - http: 8080 - https: 9090 - service: - http: - type: ClusterIP - port: 8080 - nodePort: - extraLBService: false - https: - type: ClusterIP - port: 9090 - nodePort: - extraLBService: false + port: + peer: 51413 + utp: 9091 + enabled: true ingress: - enabled: true annotations: {} - path: /sabnzbd + enabled: true + path: /transmission tls: enabled: false secretName: "" - - plex: - enabled: true - claim: "CHANGEME" - replicaCount: 1 - container: - nodeSelector: {} - port: 32400 + resources: {} service: - type: ClusterIP - port: 32400 - nodePort: - extraLBService: false - ingress: - enabled: true - annotations: {} - tls: - enabled: false - secretName: "" \ No newline at end of file + peer: + extraLBService: false + nodePort: null + nodePortUDP: null + port: 51413 + type: ClusterIP + utp: + extraLBService: false + nodePort: null + port: 9091 + type: ClusterIP + + 
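Review bot: The regenerated sample `config/samples/charts_v1_k8smediaserver.yaml` publishes Transmission through an ingress (`ingress: enabled: true`, `path: /transmission`) while `config.auth.enabled: false` and `tls.enabled: false`, so by default an unauthenticated download-client RPC interface is reachable over plain HTTP on the ingress host. If this file is a verbatim copy of the chart defaults, as the `# Default values copied from /helm-charts/k8s-mediaserver/values.yaml` comment says, the fix belongs in `values.yaml` (default `auth.enabled: true`, or at least a comment that the sample is not suitable as-is for an ingress exposed beyond a trusted network); the `plex.claim: CHANGEME` placeholder stands for a Plex credential, which is another reason to mark the file as a template rather than a deployable example. The hunk also adds two trailing blank lines at end of file, which yamllint will flag; the same content is duplicated in `k8s-mediaserver.yml`.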
diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml index 80e03d5..90f7ef7 100644 --- a/config/scorecard/patches/basic.config.yaml +++ b/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.8.0 + image: quay.io/operator-framework/scorecard-test:v1.23.0 labels: suite: basic test: basic-check-spec-test diff --git a/config/scorecard/patches/olm.config.yaml b/config/scorecard/patches/olm.config.yaml index 2bc9691..b55840e 100644 --- a/config/scorecard/patches/olm.config.yaml +++ b/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.8.0 + image: quay.io/operator-framework/scorecard-test:v1.23.0 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.8.0 + image: quay.io/operator-framework/scorecard-test:v1.23.0 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.8.0 + image: quay.io/operator-framework/scorecard-test:v1.23.0 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.8.0 + image: quay.io/operator-framework/scorecard-test:v1.23.0 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.8.0 + image: quay.io/operator-framework/scorecard-test:v1.23.0 labels: suite: olm test: olm-status-descriptors-test 
diff --git a/helm-charts/k8s-mediaserver/Chart.yaml b/helm-charts/k8s-mediaserver/Chart.yaml index 30f19fa..4b61f48 100644 --- a/helm-charts/k8s-mediaserver/Chart.yaml +++ b/helm-charts/k8s-mediaserver/Chart.yaml @@ -3,4 +3,4 @@ appVersion: 1.16.0 description: A Helm chart for Kubernetes mediaserver name: k8s-mediaserver type: application -version: 0.5 +version: 0.6.1 diff --git a/k8s-mediaserver-operator-arm64.yml b/k8s-mediaserver-operator-arm64.yml index faccb23..012212f 100644 --- a/k8s-mediaserver-operator-arm64.yml +++ b/k8s-mediaserver-operator-arm64.yml @@ -8,9 +8,9 @@ metadata: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: k8smediaservers.kubealex.com + name: k8smediaservers.charts.kubealex.com spec: - group: kubealex.com + group: charts.kubealex.com names: kind: K8SMediaserver listKind: K8SMediaserverList @@ -117,7 +117,7 @@ rules: verbs: - create - apiGroups: - - kubealex.com + - charts.kubealex.com resources: - k8smediaservers - k8smediaservers/status @@ -133,24 +133,37 @@ rules: - apiGroups: - "" resources: - - configmaps - - persistentvolumeclaims + - pods - services - - persistentvolumes + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - apps resources: - deployments + - daemonsets + - replicasets + - statefulsets verbs: - - '*' -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -233,6 +246,16 @@ data: leaderElection: leaderElect: true resourceName: 811c9dc5.kubealex.com + # leaderElectionReleaseOnCancel defines if the leader should step down volume + # when the Manager ends. This requires the binary to immediately end when the + # Manager is stopped, otherwise, this setting is unsafe. Setting this significantly + # speeds up voluntary leader transitions as the new leader don't have to wait + # LeaseDuration time first. + # In the default scaffold provided, the program ends immediately after + # the manager stops, so would be fine to enable this option. However, + # if you are doing or is intended to do any operation such as perform cleanups + # after the manager stops then its usage might be unsafe. + # leaderElectionReleaseOnCancel: true kind: ConfigMap metadata: name: k8s-mediaserver-operator-manager-config @@ -249,6 +272,7 @@ spec: ports: - name: https port: 8443 + protocol: TCP targetPort: https selector: control-plane: controller-manager @@ -267,6 +291,8 @@ spec: control-plane: controller-manager template: metadata: + annotations: + kubectl.kubernetes.io/default-container: manager labels: control-plane: controller-manager spec: 
@@ -275,18 +301,31 @@ spec: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0-arm64 + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0-arm64 name: kube-rbac-proxy ports: - containerPort: 8443 name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - args: - --health-probe-bind-address=:8081 - - --metrics-addr=127.0.0.1:8080 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect - --leader-election-id=k8s-mediaserver-operator image: quay.io/kubealex/k8s-mediaserver-operator:v0.6-arm64 - imagePullPolicy: Always livenessProbe: httpGet: path: /healthz @@ -303,12 +342,15 @@ spec: resources: limits: cpu: 500m - memory: 512Mi - requests: - cpu: 100m memory: 128Mi + requests: + cpu: 10m + memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL securityContext: runAsNonRoot: true serviceAccountName: k8s-mediaserver-operator-controller-manager diff --git a/k8s-mediaserver-operator.yml b/k8s-mediaserver-operator.yml index d591a81..2334ee2 100644 --- a/k8s-mediaserver-operator.yml +++ b/k8s-mediaserver-operator.yml @@ -8,9 +8,9 @@ metadata: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: k8smediaservers.kubealex.com + name: k8smediaservers.charts.kubealex.com spec: - group: kubealex.com + group: charts.kubealex.com names: kind: K8SMediaserver listKind: K8SMediaserverList @@ -117,7 +117,7 @@ rules: verbs: - create - apiGroups: - - kubealex.com + - charts.kubealex.com resources: - k8smediaservers - k8smediaservers/status 
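Review bot: In `k8s-mediaserver-operator-arm64.yml` the manager container still runs `quay.io/kubealex/k8s-mediaserver-operator:v0.6-arm64` (an unchanged context line in this hunk), while the amd64 manifest in this diff moves to `v0.6.1` and `Chart.yaml` is bumped to `0.6.1`. Because the Dockerfile copies `watches.yaml` into the image and this diff changes its group to `charts.kubealex.com`, an arm64 image built before this change would watch the old group and silently ignore CRs created from the new CRD that the same manifest installs — worth confirming which `watches.yaml` the `v0.6-arm64` tag was built from, and bumping to `image: quay.io/kubealex/k8s-mediaserver-operator:v0.6.1-arm64` once it exists. Dropping `imagePullPolicy: Always` is fine for an immutable tag, but only if the tag is never re-pushed; pinning by digest would remove that dependency.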
@@ -133,23 +133,37 @@ rules: - apiGroups: - "" resources: - - configmaps - - persistentvolumeclaims + - pods - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - apps resources: - deployments + - daemonsets + - replicasets + - statefulsets verbs: - - '*' -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -232,6 +246,16 @@ data: leaderElection: leaderElect: true resourceName: 811c9dc5.kubealex.com + # leaderElectionReleaseOnCancel defines if the leader should step down volume + # when the Manager ends. This requires the binary to immediately end when the + # Manager is stopped, otherwise, this setting is unsafe. Setting this significantly + # speeds up voluntary leader transitions as the new leader don't have to wait + # LeaseDuration time first. + # In the default scaffold provided, the program ends immediately after + # the manager stops, so would be fine to enable this option. However, + # if you are doing or is intended to do any operation such as perform cleanups + # after the manager stops then its usage might be unsafe. + # leaderElectionReleaseOnCancel: true kind: ConfigMap metadata: name: k8s-mediaserver-operator-manager-config @@ -248,6 +272,7 @@ spec: ports: - name: https port: 8443 + protocol: TCP targetPort: https selector: control-plane: controller-manager @@ -266,6 +291,8 @@ spec: control-plane: controller-manager template: metadata: + annotations: + kubectl.kubernetes.io/default-container: manager labels: control-plane: controller-manager spec: 
@@ -274,19 +301,31 @@ spec: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 name: kube-rbac-proxy ports: - containerPort: 8443 name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - args: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 - --leader-elect - --leader-election-id=k8s-mediaserver-operator - image: quay.io/kubealex/k8s-mediaserver-operator:v0.6 - imagePullPolicy: Always + image: quay.io/kubealex/k8s-mediaserver-operator:v0.6.1 livenessProbe: httpGet: path: /healthz @@ -303,12 +342,15 @@ spec: resources: limits: cpu: 500m - memory: 512Mi - requests: - cpu: 100m memory: 128Mi + requests: + cpu: 10m + memory: 64Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL securityContext: runAsNonRoot: true serviceAccountName: k8s-mediaserver-operator-controller-manager diff --git a/k8s-mediaserver.yml b/k8s-mediaserver.yml index 3afb34a..3d5ed8f 100644 --- a/k8s-mediaserver.yml +++ b/k8s-mediaserver.yml 
@@ -1,160 +1,160 @@ -apiVersion: kubealex.com/v1 +apiVersion: charts.kubealex.com/v1 kind: K8SMediaserver metadata: name: k8smediaserver-sample spec: - general: + # Default values copied from /helm-charts/k8s-mediaserver/values.yaml + general: + image_tag: latest + ingress: + ingressClassName: "" ingress_host: k8s-mediaserver.k8s.test + pgid: 1000 plex_ingress_host: k8s-plex.k8s.test - image_tag: latest puid: 1000 - pgid: 1000 storage: customVolume: false pvcName: mediaserver-pvc + pvcStorageClass: [] size: 5Gi - pvcStorageClass: "" subPaths: - tv: media/tv + config: config + downloads: downloads movies: media/movies - downloads: downloads - transmission: transmission sabnzbd: sabnzbd - config: config + transmission: transmission + tv: media/tv volumes: {} - sonarr: - enabled: true - container: + jackett: + container: nodeSelector: {} - port: 8989 - service: - type: ClusterIP - port: 8989 - nodePort: - extraLBService: false + port: 9117 + enabled: true ingress: - enabled: true annotations: {} - path: /sonarr + enabled: true + path: /jackett tls: enabled: false secretName: "" resources: {} - - radarr: - enabled: true - container: - nodeSelector: {} - port: 7878 service: + extraLBService: false + nodePort: null + port: 9117 type: ClusterIP - port: 7878 - nodePort: - extraLBService: false + plex: + claim: CHANGEME + container: + nodeSelector: {} + port: 32400 + enabled: true ingress: - enabled: true annotations: {} - path: /radarr + enabled: true tls: enabled: false secretName: "" + replicaCount: 1 resources: {} - - jackett: - enabled: true - container: - nodeSelector: {} - port: 9117 service: + extraLBService: false + nodePort: null + port: 32400 type: ClusterIP - port: 9117 - nodePort: - extraLBService: false + radarr: + container: + nodeSelector: {} + port: 7878 + enabled: true ingress: - enabled: true annotations: {} - path: /jackett + enabled: true + path: /radarr tls: enabled: false secretName: "" resources: {} - - transmission: - enabled: true - container: - 
nodeSelector: {} - port: - utp: 9091 - peer: 51413 service: - utp: - type: ClusterIP - port: 9091 - nodePort: - extraLBService: false - peer: - type: ClusterIP - port: 51413 - nodePort: - nodePortUDP: - extraLBService: false + extraLBService: false + nodePort: null + port: 7878 + type: ClusterIP + sabnzbd: + container: + nodeSelector: {} + port: + http: 8080 + https: 9090 + enabled: true ingress: - enabled: true annotations: {} - path: /transmission + enabled: true + path: /sabnzbd tls: enabled: false secretName: "" - config: - auth: - enabled: false - username: "" - password: "" resources: {} - - sabnzbd: - enabled: true - container: - nodeSelector: {} - port: - http: 8080 - https: 9090 service: http: - type: ClusterIP - port: 8080 - nodePort: extraLBService: false - https: + nodePort: null + port: 8080 type: ClusterIP - port: 9090 - nodePort: + https: extraLBService: false + nodePort: null + port: 9090 + type: ClusterIP + sonarr: + container: + nodeSelector: {} + port: 8989 + enabled: true ingress: - enabled: true annotations: {} - path: /sabnzbd + enabled: true + path: /sonarr tls: enabled: false secretName: "" resources: {} - - plex: - enabled: true - claim: "CHANGEME" - replicaCount: 1 - container: - nodeSelector: {} - port: 32400 service: + extraLBService: false + nodePort: null + port: 8989 type: ClusterIP - port: 32400 - nodePort: - extraLBService: false + transmission: + config: + auth: + enabled: false + password: "" + username: "" + container: + nodeSelector: {} + port: + peer: 51413 + utp: 9091 + enabled: true ingress: - enabled: true annotations: {} + enabled: true + path: /transmission tls: enabled: false secretName: "" resources: {} + service: + peer: + extraLBService: false + nodePort: null + nodePortUDP: null + port: 51413 + type: ClusterIP + utp: + extraLBService: false + nodePort: null + port: 9091 + type: ClusterIP + + diff --git a/watches.yaml b/watches.yaml index 38d47cc..df7d7a2 100644 --- a/watches.yaml +++ b/watches.yaml 
@@ -1,5 +1,5 @@ # Use the 'create api' subcommand to add watches to this file. -- group: kubealex.com +- group: charts.kubealex.com version: v1 kind: K8SMediaserver chart: helm-charts/k8s-mediaserver