From 1a7b65a9aed45a3a53cc096df63f4e69a173840c Mon Sep 17 00:00:00 2001
From: Anik Bhattacharjee
Date: Thu, 28 Sep 2023 10:17:40 -0400
Subject: [PATCH] (cleanup) Kustomization Closes #155, #160
---
 config/default/kustomization.yaml | 3 +-
 config/default/manager_auth_proxy_patch.yaml | 56 -------------
 config/default/manager_config_patch.yaml | 10 ---
 config/etcd/etcd.yaml | 83 -------------------
 config/etcd/kustomization.yaml | 2 -
 .../catalogserver_service.yaml | 0
 config/manager/kustomization.yaml | 1 +
 config/manager/manager.yaml | 42 ++++++++++
 config/rbac/kustomization.yaml | 1 -
 9 files changed, 44 insertions(+), 154 deletions(-)
 delete mode 100644 config/default/manager_auth_proxy_patch.yaml
 delete mode 100644 config/default/manager_config_patch.yaml
 delete mode 100644 config/etcd/etcd.yaml
 delete mode 100644 config/etcd/kustomization.yaml
 rename config/{rbac => manager}/catalogserver_service.yaml (100%)
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 312e99b6..f1c837dd 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -15,5 +15,4 @@ resources:
 - ../crd
 - ../rbac
 - ../manager
-patches:
-- path: manager_auth_proxy_patch.yaml
+
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
deleted file mode 100644
index bdd36ec0..00000000
--- a/config/default/manager_auth_proxy_patch.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.io/arch
- operator: In
- values:
- - amd64
- - arm64
- - ppc64le
- - s390x
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
- containers:
- - name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=0"
- ports:
- - containerPort: 8443
- protocol: TCP
- name: https
- resources:
- requests:
- cpu: 5m
- memory: 64Mi
- - name: manager
- args:
- - "--health-probe-bind-address=:8081"
- - "--metrics-bind-address=127.0.0.1:8080"
- - "--leader-elect"
- - "--catalogs-storage-dir=/var/cache/catalogs"
- - "--feature-gates=HTTPServer=true"
- - "--http-external-address=http://catalogd-catalogserver.catalogd-system.svc"
-
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
deleted file mode 100644
index f6f58916..00000000
--- a/config/default/manager_config_patch.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: manager
diff --git a/config/etcd/etcd.yaml b/config/etcd/etcd.yaml
deleted file mode 100644
index 85965ad3..00000000
--- a/config/etcd/etcd.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: etcd
- namespace: system
-spec:
- selector:
- matchLabels:
- app: etcd
- serviceName: "etcd"
- replicas: 1
- template:
- metadata:
- labels:
- app: etcd
- spec:
- terminationGracePeriodSeconds: 10
- containers:
- - name: etcd
- image: quay.io/coreos/etcd:latest
- imagePullPolicy: Always
- resources:
- requests:
- cpu: 100m
- memory: 20Mi
- env:
- - name: ETCD_DATA_DIR
- value: /etcd-data-dir
- command:
- - /usr/local/bin/etcd
- - --listen-client-urls
- - http://0.0.0.0:2379
- - --advertise-client-urls
- - http://localhost:2379
- ports:
- - containerPort: 2379
- volumeMounts:
- - name: etcd-data-dir
- mountPath: /etcd-data-dir
- readinessProbe:
- httpGet:
- port: 2379
- path: /health
- failureThreshold: 1
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 2
- livenessProbe:
- httpGet:
- port: 2379
- path: /health
- failureThreshold: 3
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 2
- volumeClaimTemplates:
- - metadata:
- name: etcd-data-dir
- annotations:
- volume.beta.kubernetes.io/storage-class: standard
- spec:
- accessModes: [ "ReadWriteOnce" ]
- resources:
- requests:
- storage: 10Gi
----
-apiVersion: v1
-kind: Service
-metadata:
- name: etcd-svc
- namespace: system
- labels:
- app: etcd
-spec:
- ports:
- - port: 2379
- name: etcd
- targetPort: 2379
- selector:
- app: etcd
diff --git a/config/etcd/kustomization.yaml b/config/etcd/kustomization.yaml
deleted file mode 100644
index 35505723..00000000
--- a/config/etcd/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- etcd.yaml
diff --git a/config/rbac/catalogserver_service.yaml b/config/manager/catalogserver_service.yaml
similarity index 100%
rename from config/rbac/catalogserver_service.yaml
rename to config/manager/catalogserver_service.yaml
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 11dd667d..ecd24268 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -1,5 +1,6 @@
 resources:
 - manager.yaml
+- catalogserver_service.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 73eaf271..ef62f0e2 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -38,15 +38,57 @@ spec:
 labels:
 control-plane: controller-manager
 spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - ppc64le
+ - s390x
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
 securityContext:
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
 containers:
+ - name: kube-rbac-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+ args:
+ - "--secure-listen-address=0.0.0.0:8443"
+ - "--upstream=http://127.0.0.1:8080/"
+ - "--logtostderr=true"
+ - "--v=0"
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ name: https
+ resources:
+ requests:
+ cpu: 5m
+ memory: 64Mi
 - command:
 - "./manager"
 args:
 - --leader-elect
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=127.0.0.1:8080"
+ - "--leader-elect"
+ - "--catalogs-storage-dir=/var/cache/catalogs"
+ - "--feature-gates=HTTPServer=true"
+ - "--http-external-address=http://catalogd-catalogserver.catalogd-system.svc"
 image: controller:latest
 name: manager
 volumeMounts:
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 0ae1b3c1..731832a6 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
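Review bot: In config/manager/manager.yaml the manager container's `args` ends up passing leader election twice, because the existing `- --leader-elect` line stays as context and the hunk adds `- "--leader-elect"` after `--metrics-bind-address`; drop the added copy. Moving the patch into the base also hard-codes `catalogd-catalogserver.catalogd-system.svc` in `--http-external-address`, which kustomize's `namespace`/`namePrefix` transformers do not rewrite inside an argument string, so an overlay that changes either would presumably advertise a wrong address. That address uses plain `http://`, so clients fetching catalog content cannot authenticate the server or detect tampering in transit; a comment stating this is intentional, or a follow-up for TLS, would help. The `kube-rbac-proxy` image is referenced by tag (`v0.13.0`) rather than by digest, and the container sets resource requests but no limits. The Deployment starts above this hunk and the manager container continues below it.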
@@ -9,7 +9,6 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-- catalogserver_service.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.