From 8a90d8d92450efdc8d53661561028e4f1db749bb Mon Sep 17 00:00:00 2001
From: Anik Bhattacharjee
Date: Mon, 2 Oct 2023 08:58:54 -0400
Subject: [PATCH] (cleanup) Kustomization (#183)
Closes #155, #160
Signed-off-by: Anik Bhattacharjee
---
config/default/kustomization.yaml | 3 +-
config/default/manager_auth_proxy_patch.yaml | 56 ------------- 
config/default/manager_config_patch.yaml | 10 ---
config/etcd/etcd.yaml | 83 -------------------
config/etcd/kustomization.yaml | 2 -
.../catalogserver_service.yaml | 3 +
config/manager/kustomization.yaml | 1 +
config/manager/manager.yaml | 63 ++++++++++----
config/prometheus/kustomization.yaml | 2 -
config/prometheus/monitor.yaml | 26 ------
.../rbac/auth_proxy_client_clusterrole.yaml | 8 +-
config/rbac/auth_proxy_role.yaml | 8 +-
config/rbac/auth_proxy_role_binding.yaml | 8 +-
config/rbac/auth_proxy_service.yaml | 9 +-
config/rbac/kustomization.yaml | 1 -
config/rbac/leader_election_role.yaml | 8 +-
config/rbac/leader_election_role_binding.yaml | 8 +-
config/rbac/role_binding.yaml | 8 +-
config/rbac/service_account.yaml | 8 +-
19 files changed, 68 insertions(+), 247 deletions(-)
delete mode 100644 config/default/manager_auth_proxy_patch.yaml
delete mode 100644 config/default/manager_config_patch.yaml
delete mode 100644 config/etcd/etcd.yaml
delete mode 100644 config/etcd/kustomization.yaml
rename config/{rbac => manager}/catalogserver_service.yaml (71%)
delete mode 100644 config/prometheus/kustomization.yaml
delete mode 100644 config/prometheus/monitor.yaml
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 312e99b6..f1c837dd 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -15,5 +15,4 @@ resources:
 - ../crd
 - ../rbac
 - ../manager
-patches:
-- path: manager_auth_proxy_patch.yaml
+
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
deleted file mode 100644
index bdd36ec0..00000000
--- a/config/default/manager_auth_proxy_patch.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-# This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.io/arch
- operator: In
- values:
- - amd64
- - arm64
- - ppc64le
- - s390x
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
- containers:
- - name: kube-rbac-proxy
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
- args:
- - "--secure-listen-address=0.0.0.0:8443"
- - "--upstream=http://127.0.0.1:8080/"
- - "--logtostderr=true"
- - "--v=0"
- ports:
- - containerPort: 8443
- protocol: TCP
- name: https
- resources:
- requests:
- cpu: 5m
- memory: 64Mi
- - name: manager
- args:
- - "--health-probe-bind-address=:8081"
- - "--metrics-bind-address=127.0.0.1:8080"
- - "--leader-elect"
- - "--catalogs-storage-dir=/var/cache/catalogs"
- - "--feature-gates=HTTPServer=true"
- - "--http-external-address=http://catalogd-catalogserver.catalogd-system.svc"
-
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
deleted file mode 100644
index f6f58916..00000000
--- a/config/default/manager_config_patch.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: manager
diff --git a/config/etcd/etcd.yaml b/config/etcd/etcd.yaml
deleted file mode 100644
index 85965ad3..00000000
--- a/config/etcd/etcd.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: etcd
- namespace: system
-spec:
- selector:
- matchLabels:
- app: etcd
- serviceName: "etcd"
- replicas: 1
- template:
- metadata:
- labels:
- app: etcd
- spec:
- terminationGracePeriodSeconds: 10
- containers:
- - name: etcd
- image: quay.io/coreos/etcd:latest
- imagePullPolicy: Always
- resources:
- requests:
- cpu: 100m
- memory: 20Mi
- env:
- - name: ETCD_DATA_DIR
- value: /etcd-data-dir
- command:
- /usr/local/bin/etcd
- --listen-client-urls
- http://0.0.0.0:2379
- --advertise-client-urls
- http://localhost:2379
- ports:
- - containerPort: 2379
- volumeMounts:
- - name: etcd-data-dir
- mountPath: /etcd-data-dir
- readinessProbe:
- httpGet:
- port: 2379
- path: /health
- failureThreshold: 1
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 2
- livenessProbe:
- httpGet:
- port: 2379
- path: /health
- failureThreshold: 3
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 2
- volumeClaimTemplates:
- - metadata:
- name: etcd-data-dir
- annotations:
- volume.beta.kubernetes.io/storage-class: standard
- spec:
- accessModes: [ "ReadWriteOnce" ]
- resources:
- requests:
- storage: 10Gi
----
-apiVersion: v1
-kind: Service
-metadata:
- name: etcd-svc
- namespace: system
- labels:
- app: etcd
-spec:
- ports:
- - port: 2379
- name: etcd
- targetPort: 2379
- selector:
- app: etcd
diff --git a/config/etcd/kustomization.yaml b/config/etcd/kustomization.yaml
deleted file mode 100644
index 35505723..00000000
--- a/config/etcd/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- etcd.yaml
diff --git a/config/rbac/catalogserver_service.yaml b/config/manager/catalogserver_service.yaml
similarity index 71%
rename from config/rbac/catalogserver_service.yaml
rename to config/manager/catalogserver_service.yaml
index 96e74b56..872afc15 100644
--- a/config/rbac/catalogserver_service.yaml
+++ b/config/manager/catalogserver_service.yaml
@@ -1,6 +1,9 @@
 apiVersion: v1
 kind: Service
 metadata:
+ labels:
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 name: catalogserver
 namespace: system
 spec:
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 11dd667d..ecd24268 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -1,5 +1,6 @@
 resources:
 - manager.yaml
+- catalogserver_service.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 73eaf271..9bd92f69 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -2,13 +2,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
 labels:
- control-plane: controller-manager
- app.kubernetes.io/name: namespace
- app.kubernetes.io/instance: system
- app.kubernetes.io/component: manager
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 pod-security.kubernetes.io/enforce: baseline
 pod-security.kubernetes.io/enforce-version: latest
 name: system
@@ -19,13 +14,8 @@ metadata:
 name: controller-manager
 namespace: system
 labels:
- control-plane: controller-manager
- app.kubernetes.io/name: deployment
- app.kubernetes.io/instance: controller-manager
- app.kubernetes.io/component: manager
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 spec:
 selector:
 matchLabels:
@@ -38,15 +28,56 @@ spec:
 labels:
 control-plane: controller-manager
 spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - ppc64le
+ - s390x
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
 securityContext:
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
 containers:
+ - name: kube-rbac-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+ args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=0
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ name: https
+ resources:
+ requests:
+ cpu: 5m
+ memory: 64Mi
 - command:
- - "./manager"
+ - ./manager
 args:
 - --leader-elect
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - --catalogs-storage-dir=/var/cache/catalogs
+ - --feature-gates=HTTPServer=true
+ - --http-external-address=http://catalogd-catalogserver.catalogd-system.svc
 image: controller:latest
 name: manager
 volumeMounts:
@@ -56,7 +87,7 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - "ALL"
+ - ALL
 livenessProbe:
 httpGet:
 path: /healthz
diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml
deleted file mode 100644
index ed137168..00000000
--- a/config/prometheus/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- monitor.yaml
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
deleted file mode 100644
index 8d96dc19..00000000
--- a/config/prometheus/monitor.yaml
+++ /dev/null
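Review bot: The kube-rbac-proxy sidecar is inlined into manager.yaml without the explanation that lived at the top of the deleted config/default/manager_auth_proxy_patch.yaml, so a reader of the Deployment no longer learns why a second container fronts the metrics port; add above `- name: kube-rbac-proxy` the comment `# Sidecar HTTP proxy for the manager's metrics endpoint; it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews before forwarding to --upstream.` Separately, `--http-external-address=http://catalogd-catalogserver.catalogd-system.svc` hard-codes a prefixed Service name and namespace, while the Service this commit moves to config/manager is `catalogserver` in namespace `system`; the value presumably relies on a namePrefix and namespace set in a kustomization outside this hunk, so a namespace override would silently leave the advertised address stale, and a comment naming that dependency (or deriving the namespace via the downward API) would make the coupling visible. The advertised scheme is plain `http://`, which is worth a one-line comment stating that cleartext is intended for in-cluster use only. The `manager` container's spec continues past the end of the hunk.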
@@ -1,26 +0,0 @@
-
-# Prometheus Monitor Service (Metrics)
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- labels:
- control-plane: controller-manager
- app.kubernetes.io/name: servicemonitor
- app.kubernetes.io/instance: controller-manager-metrics-monitor
- app.kubernetes.io/component: metrics
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
- name: controller-manager-metrics-monitor
- namespace: system
-spec:
- endpoints:
- - path: /metrics
- port: https
- scheme: https
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
- tlsConfig:
- insecureSkipVerify: true
- selector:
- matchLabels:
- control-plane: controller-manager
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
index 42068354..ab8871b2 100644
--- a/config/rbac/auth_proxy_client_clusterrole.yaml
+++ b/config/rbac/auth_proxy_client_clusterrole.yaml
@@ -2,12 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: metrics-reader
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 name: metrics-reader
 rules:
 - nonResourceURLs:
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
index 86ca3cc0..3edf78f5 100644
--- a/config/rbac/auth_proxy_role.yaml
+++ b/config/rbac/auth_proxy_role.yaml
@@ -2,12 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: proxy-role
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 name: proxy-role
 rules:
 - apiGroups:
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
index 8c40d628..2efcf8dd 100644
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ b/config/rbac/auth_proxy_role_binding.yaml
@@ -2,12 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 labels:
- app.kubernetes.io/name: clusterrolebinding
- app.kubernetes.io/instance: proxy-rolebinding
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 name: proxy-rolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
index fcd6f2ae..c492e923 100644
--- a/config/rbac/auth_proxy_service.yaml
+++ b/config/rbac/auth_proxy_service.yaml
@@ -2,13 +2,8 @@ apiVersion: v1
 kind: Service
 metadata:
 labels:
- control-plane: controller-manager
- app.kubernetes.io/name: service
- app.kubernetes.io/instance: controller-manager-metrics-service
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 name: controller-manager-metrics-service
 namespace: system
 spec:
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 0ae1b3c1..731832a6 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -9,7 +9,6 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-- catalogserver_service.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
index c76dcdca..37564d08 100644
--- a/config/rbac/leader_election_role.yaml
+++ b/config/rbac/leader_election_role.yaml
@@ -3,12 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 labels:
- app.kubernetes.io/name: role
- app.kubernetes.io/instance: leader-election-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 name: leader-election-role
 rules:
 - apiGroups:
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
index b5bee512..6ad0ccf9 100644
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -2,12 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 labels:
- app.kubernetes.io/name: rolebinding
- app.kubernetes.io/instance: leader-election-rolebinding
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 name: leader-election-rolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index da9b5ab5..a618c0e4 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -2,12 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 labels:
- app.kubernetes.io/name: clusterrolebinding
- app.kubernetes.io/instance: manager-rolebinding
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 name: manager-rolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
index 755c05ba..3f0e7af7 100644
--- a/config/rbac/service_account.yaml
+++ b/config/rbac/service_account.yaml
@@ -2,11 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 labels:
- app.kubernetes.io/name: serviceaccount
- app.kuberentes.io/instance: controller-manager
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: catalogd
- app.kubernetes.io/part-of: catalogd
- app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
 name: controller-manager
 namespace: system