components: Add istio-operator

assets/charts/components/istio-operator/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: istio-operator
+version: 1.6.0
+description: Helm chart for deploying Istio operator
+keywords:
+- istio
+- operator
+sources:
+- http://github.com/istio/istio/operator
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png

assets/charts/components/istio-operator/crds/crd-operator.yaml

@@ -0,0 +1,46 @@
+# SYNC WITH manifests/charts/base/files
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: istiooperators.install.istio.io
+spec:
+  group: install.istio.io
+  names:
+    kind: IstioOperator
+    plural: istiooperators
+    singular: istiooperator
+    shortNames:
+    - iop
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        spec:
+          description: 'Specification of the desired state of the istio control plane resource.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+          type: object
+        status:
+          description: 'Status describes each of istio control plane component status at the current time.
+            0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
+            More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
+            https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+          type: object
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+---

assets/charts/components/istio-operator/templates/clusterrole.yaml

@@ -0,0 +1,113 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: istio-operator
+rules:
+# istio groups
+- apiGroups:
+  - authentication.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - config.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - install.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - security.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+# k8s groups
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions.apiextensions.k8s.io
+  - customresourcedefinitions
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - deployments/finalizers
+  - ingresses
+  - replicasets
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - events
+  - namespaces
+  - pods
+  - persistentvolumeclaims
+  - secrets
+  - services
+  - serviceaccounts
+  verbs:
+  - '*'
+---

assets/charts/components/istio-operator/templates/clusterrole_binding.yaml

@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: istio-operator
+subjects:
+- kind: ServiceAccount
+  name: istio-operator
+  namespace: {{.Values.operatorNamespace}}
+roleRef:
+  kind: ClusterRole
+  name: istio-operator
+  apiGroup: rbac.authorization.k8s.io
+---

assets/charts/components/istio-operator/templates/deployment.yaml

@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: {{.Values.operatorNamespace}}
+  name: istio-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: istio-operator
+  template:
+    metadata:
+      labels:
+        name: istio-operator
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+      serviceAccountName: istio-operator
+      containers:
+        - name: istio-operator
+          image: {{.Values.hub}}/operator:{{.Values.tag}}
+          command:
+          - operator
+          - server
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 50m
+              memory: 128Mi
+          env:
+            - name: WATCH_NAMESPACE
+              value: {{.Values.istioNamespace}}
+            - name: LEADER_ELECTION_NAMESPACE
+              value: {{.Values.operatorNamespace}}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: {{.Values.operatorNamespace}}
+---

assets/charts/components/istio-operator/templates/istio-operator-cr.yaml

@@ -0,0 +1,17 @@
+---
+# XXX: Lokomotive specific config
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{.Values.istioNamespace}}
+  labels:
+    lokomotive.kinvolk.io/name: {{.Values.istioNamespace}}
+---
+# XXX: Lokomotive specific config
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  namespace: {{.Values.istioNamespace}}
+  name: istiocontrolplane
+spec:
+  profile: {{ .Values.istioOperator.profile }}

assets/charts/components/istio-operator/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{.Values.operatorNamespace}}
+  labels:
+    name: istio-operator
+  name: istio-operator
+spec:
+  ports:
+  - name: http-metrics
+    port: 8383
+    targetPort: 8383
+  selector:
+    name: istio-operator
+---

assets/charts/components/istio-operator/templates/service_account.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{.Values.operatorNamespace}}
+  name: istio-operator
+---

assets/charts/components/istio-operator/values.yaml

@@ -0,0 +1,8 @@
+hub: docker.io/istio
+tag: 1.6.3
+operatorNamespace: istio-operator
+istioNamespace: istio-system
+
+# XXX: Lokomotive specific changes
+istioOperator:
+  profile: minimal

cli/cmd/component.go

@@ -27,6 +27,7 @@ import (
 	_ "github.com/kinvolk/lokomotive/pkg/components/flatcar-linux-update-operator"
 	_ "github.com/kinvolk/lokomotive/pkg/components/gangway"
 	_ "github.com/kinvolk/lokomotive/pkg/components/httpbin"
+	_ "github.com/kinvolk/lokomotive/pkg/components/istio-operator"
 	_ "github.com/kinvolk/lokomotive/pkg/components/linkerd"
 	_ "github.com/kinvolk/lokomotive/pkg/components/metallb"
 	_ "github.com/kinvolk/lokomotive/pkg/components/metrics-server"

pkg/components/istio-operator/component.go

@@ -0,0 +1,91 @@
+// Copyright 2020 The Lokomotive Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package istiooperator
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/gohcl"
+
+	internaltemplate "github.com/kinvolk/lokomotive/internal/template"
+	"github.com/kinvolk/lokomotive/pkg/components"
+	"github.com/kinvolk/lokomotive/pkg/components/util"
+	"github.com/kinvolk/lokomotive/pkg/k8sutil"
+)
+
+const (
+	name      = "experimental-istio-operator"
+	namespace = "istio-operator"
+)
+
+// nolint:gochecknoinits
+func init() {
+	components.Register(name, newComponent())
+}
+
+type component struct {
+	Profile string `hcl:"profile,optional"`
+}
+
+func newComponent() *component {
+	return &component{
+		Profile: "minimal",
+	}
+}
+
+func (c *component) LoadConfig(configBody *hcl.Body, evalContext *hcl.EvalContext) hcl.Diagnostics {
+	diagnostics := hcl.Diagnostics{}
+
+	if configBody == nil {
+		return hcl.Diagnostics{}
+	}
+
+	d := gohcl.DecodeBody(*configBody, evalContext, c)
+	if d.HasErrors() {
+		return append(diagnostics, d...)
+	}
+
+	return diagnostics
+}
+
+func (c *component) RenderManifests() (map[string]string, error) {
+	helmChart, err := components.Chart("istio-operator")
+	if err != nil {
+		return nil, fmt.Errorf("loading chart from assets: %w", err)
+	}
+
+	values, err := internaltemplate.Render(chartValuesTmpl, c)
+	if err != nil {
+		return nil, fmt.Errorf("rendering values template failed: %w", err)
+	}
+
+	// Generate YAML for the istio deployment.
+	renderedFiles, err := util.RenderChart(helmChart, name, namespace, values)
+	if err != nil {
+		return nil, fmt.Errorf("rendering chart failed: %w", err)
+	}
+
+	return renderedFiles, nil
+}
+
+func (c *component) Metadata() components.Metadata {
+	return components.Metadata{
+		Name: name,
+		Namespace: k8sutil.Namespace{
+			Name: namespace,
+		},
+	}
+}