Merge branch 'openyurtio:master' into feat/set-yurthub-namespace

.github/workflows/sonarcloud.yaml

@@ -34,7 +34,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
         with:
           results_file: results.sarif
           results_format: sarif

charts/openyurt/templates/pool-coordinator.yaml

@@ -146,7 +146,7 @@ spec:
                   - --listen-metrics-urls=http://0.0.0.0:{{ .Values.poolCoordinator.etcdMetricPort }}
                   - --snapshot-count=10000
                   - --trusted-ca-file=/etc/kubernetes/pki/ca.crt
-                image: "{{ .Values.poolCoordinator.etcdImage.repository }}:{{ .Values.poolCoordinator.etcdImage.tag }}"
+                image: "{{ .Values.poolCoordinator.etcdImage.registry }}/{{ .Values.poolCoordinator.etcdImage.repository }}:{{ .Values.poolCoordinator.etcdImage.tag }}"
                 imagePullPolicy: {{ .Values.imagePullPolicy }}
                 name: etcd
                 {{- if .Values.poolCoordinator.etcdResources}}

charts/openyurt/templates/yurt-manager-auto-generated.yaml

@@ -497,6 +497,130 @@ status:
   conditions: []
   storedVersions: []
 ---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: staticpods.apps.openyurt.io
+spec:
+  group: apps.openyurt.io
+  names:
+    kind: StaticPod
+    listKind: StaticPodList
+    plural: staticpods
+    shortNames:
+    - sp
+    singular: staticpod
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC.
+      jsonPath: .metadata.creationTimestamp
+      name: AGE
+      type: date
+    - description: The total number of static pods
+      jsonPath: .status.totalNumber
+      name: TotalNumber
+      type: integer
+    - description: The number of ready static pods
+      jsonPath: .status.readyNumber
+      name: ReadyNumber
+      type: integer
+    - description: The number of static pods that have been upgraded
+      jsonPath: .status.upgradedNumber
+      name: UpgradedNumber
+      type: integer
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: StaticPod is the Schema for the staticpods API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: StaticPodSpec defines the desired state of StaticPod
+            properties:
+              revisionHistoryLimit:
+                description: The number of old history to retain to allow rollback.
+                  Defaults to 10.
+                format: int32
+                type: integer
+              staticPodManifest:
+                description: StaticPodManifest indicates the Static Pod desired to
+                  be upgraded. The corresponding manifest file name is `StaticPodManifest.yaml`.
+                type: string
+              template:
+                description: An object that describes the desired upgrade static pod.
+                x-kubernetes-preserve-unknown-fields: true
+              upgradeStrategy:
+                description: An upgrade strategy to replace existing static pods with
+                  new ones.
+                properties:
+                  maxUnavailable:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: Auto upgrade config params. Present only if type
+                      = "auto".
+                    x-kubernetes-int-or-string: true
+                  type:
+                    description: Type of Static Pod upgrade. Can be "auto" or "ota".
+                    type: string
+                type: object
+            type: object
+          status:
+            description: StaticPodStatus defines the observed state of StaticPod
+            properties:
+              observedGeneration:
+                description: The most recent generation observed by the static pod
+                  controller.
+                format: int64
+                type: integer
+              readyNumber:
+                description: The number of ready static pods.
+                format: int32
+                type: integer
+              totalNumber:
+                description: The total number of nodes that are running the static
+                  pod.
+                format: int32
+                type: integer
+              upgradedNumber:
+                description: The number of nodes that are running updated static pod.
+                format: int32
+                type: integer
+            required:
+            - readyNumber
+            - totalNumber
+            - upgradedNumber
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -551,6 +675,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - apps.openyurt.io
   resources:
@@ -571,6 +704,32 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - apps.openyurt.io
+  resources:
+  - staticpods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps.openyurt.io
+  resources:
+  - staticpods/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - apps.openyurt.io
+  resources:
+  - staticpods/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - certificates.k8s.io
   resources:
@@ -607,6 +766,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -721,7 +892,7 @@ webhooks:
     service:
       name: webhook-service
       namespace: kube-system
-      path: /mutate-raven-openyurt-io-gateway
+      path: /mutate-raven-openyurt-io-v1alpha1-gateway
   failurePolicy: Fail
   name: mutate.raven.v1alpha1.gateway.openyurt.io
   rules:
@@ -755,6 +926,27 @@ webhooks:
     resources:
     - nodepools
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: kube-system
+      path: /mutate-apps-openyurt-io-v1alpha1-staticpod
+  failurePolicy: Fail
+  name: mutate.apps.v1alpha1.staticpod.openyurt.io
+  rules:
+  - apiGroups:
+    - apps.openyurt.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - staticpods
+  sideEffects: None
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -769,7 +961,7 @@ webhooks:
     service:
       name: webhook-service
       namespace: kube-system
-      path: /validate-raven-openyurt-io-gateway
+      path: /validate-raven-openyurt-io-v1alpha1-gateway
   failurePolicy: Fail
   name: validate.raven.v1alpha1.gateway.openyurt.io
   rules:
@@ -804,3 +996,44 @@ webhooks:
     resources:
     - nodepools
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: kube-system
+      path: /validate-apps-openyurt-io-v1alpha1-staticpod
+  failurePolicy: Fail
+  name: validate.apps.v1alpha1.staticpod.openyurt.io
+  rules:
+  - apiGroups:
+    - apps.openyurt.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - staticpods
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: kube-system
+      path: /validate-core-openyurt-io-v1-pod
+  failurePolicy: Fail
+  name: validate.core.v1.pod.openyurt.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - DELETE
+    resources:
+    - pods
+  sideEffects: None

charts/openyurt/templates/yurt-manager.yaml

@@ -2,27 +2,27 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: yurt-manager
-  namespace: kube-system
+  namespace: {{ .Release.Namespace | quote }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: manager-rolebinding
+  name: yurt-manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: yurt-manager-role
 subjects:
 - kind: ServiceAccount
   name: yurt-manager
-  namespace: kube-system
+  namespace: {{ .Release.Namespace | quote }}
 ---
 
 apiVersion: v1
 kind: Service
 metadata:
   name: yurt-manager-webhook-service
-  namespace: kube-system
+  namespace: {{ .Release.Namespace | quote }}
 spec:
   ports:
     - port: 443
@@ -37,7 +37,7 @@ metadata:
   labels:
     {{- include "yurt-manager.labels" . | nindent 4 }}
   name: yurt-manager
-  namespace: "kube-system"
+  namespace: {{ .Release.Namespace | quote }}
 spec:
   replicas: {{ .Values.yurtManager.replicas }}
   selector:
@@ -57,6 +57,7 @@ spec:
             - --health-probe-addr=:{{ .Values.yurtManager.healthProbe.port }}
             - --logtostderr=true
             - --v={{ .Values.yurtManager.log.level }}
+            - --working-namespace={{ .Release.Namespace | quote }}
           command:
             - /usr/local/bin/yurt-manager
           image: {{ .Values.yurtManager.image.repository }}:{{ .Values.yurtManager.image.tag }}

charts/openyurt/values.yaml

@@ -11,7 +11,8 @@ yurtControllerManager:
 poolCoordinator:
   apiserverSecurePort: 10270
   apiserverImage:
-    repository: registry.k8s.io/kube-apiserver
+    registry: registry.k8s.io
+    repository: kube-apiserver
     tag: v1.22.0
   apiserverResources:
     requests:
@@ -20,7 +21,8 @@ poolCoordinator:
   etcdPort: 12379
   etcdMetricPort: 12381
   etcdImage:
-    repository: registry.k8s.io/etcd
+    registry: registry.k8s.io
+    repository: etcd
     tag: 3.5.0-0
   etcdResources:
     limits:

cmd/yurt-controller-manager/app/controllermanager.go

@@ -310,7 +310,6 @@ var ControllersDisabledByDefault = sets.NewString()
 func NewControllerInitializers() map[string]InitFunc {
 	controllers := map[string]InitFunc{}
 	controllers["poolcoordinator"] = startPoolCoordinatorController
-	controllers["daemonpodupdater"] = startDaemonPodUpdaterController
 	controllers["servicetopologycontroller"] = startServiceTopologyController
 	controllers["podbinding"] = startPodBindingController
 	return controllers