From 6035fadce546531c06d803487873c3970be4fc2d Mon Sep 17 00:00:00 2001 From: Elie CHARRA Date: Thu, 9 Jan 2025 16:00:39 +0100 Subject: [PATCH] feat(CU-8695egu2z)!: update workerpool controller This is basically a port of changes generated by https://github.com/spacelift-io/kube-workerpool-controller/pull/128 to the Helm chart. To help with the review, the plain k8s manifest diff that I "Helmified" is shown below. ```diff --- build/manifests/manifests.yaml 2025-01-09 14:51:37 +++ build/manifests/manifests.new.yaml 2025-01-09 15:54:16 @@ -2,12 +2,8 @@ kind: Namespace metadata: labels: - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/instance: system app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: namespace - app.kubernetes.io/part-of: spacelift-workerpool-controller + app.kubernetes.io/name: spacelift-workerpool-controller control-plane: controller-manager name: spacelift-worker-controller-system --- @@ -5215,12 +5211,8 @@ kind: ServiceAccount metadata: labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/instance: controller-manager-sa app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: serviceaccount - app.kubernetes.io/part-of: spacelift-workerpool-controller + app.kubernetes.io/name: spacelift-workerpool-controller name: spacelift-worker-controllercontroller-manager namespace: spacelift-worker-controller-system --- 
@@ -5228,12 +5220,8 @@ kind: Role metadata: labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/instance: leader-election-role - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: role - app.kubernetes.io/part-of: spacelift-workerpool-controller + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: spacelift-workerpool-controller name: spacelift-worker-controllerleader-election-role namespace: spacelift-worker-controller-system rules: @@ -5325,13 +5313,24 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: clusterrole - app.kubernetes.io/part-of: spacelift-workerpool-controller + name: spacelift-worker-controllermetrics-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: name: spacelift-worker-controllermetrics-reader rules: - nonResourceURLs: 
@@ -5343,37 +5342,108 @@ kind: ClusterRole metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/instance: proxy-role app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: clusterrole - app.kubernetes.io/part-of: spacelift-workerpool-controller - name: spacelift-worker-controllerproxy-role + app.kubernetes.io/name: spacelift-workerpool-controller + name: spacelift-worker-controllerworker-editor-role rules: - apiGroups: - - authentication.k8s.io + - workers.spacelift.io resources: - - tokenreviews + - workers verbs: - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - - authorization.k8s.io + - workers.spacelift.io resources: - - subjectaccessreviews + - workers/status verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: spacelift-workerpool-controller + name: spacelift-worker-controllerworker-viewer-role +rules: +- apiGroups: + - workers.spacelift.io + resources: + - workers + verbs: + - get + - list + - watch +- apiGroups: + - workers.spacelift.io + resources: + - workers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: spacelift-workerpool-controller + name: spacelift-worker-controllerworkerpool-editor-role +rules: +- apiGroups: + - workers.spacelift.io + resources: + - workerpools + verbs: - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - workers.spacelift.io + resources: + - workerpools/status + verbs: + - get --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: spacelift-workerpool-controller + name: spacelift-worker-controllerworkerpool-viewer-role 
+rules: +- apiGroups: + - workers.spacelift.io + resources: + - workerpools + verbs: + - get + - list + - watch +- apiGroups: + - workers.spacelift.io + resources: + - workerpools/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/instance: leader-election-rolebinding app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: rolebinding - app.kubernetes.io/part-of: spacelift-workerpool-controller + app.kubernetes.io/name: spacelift-workerpool-controller name: spacelift-worker-controllerleader-election-rolebinding namespace: spacelift-worker-controller-system roleRef: @@ -5389,12 +5459,8 @@ kind: ClusterRoleBinding metadata: labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/instance: manager-rolebinding app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/part-of: spacelift-workerpool-controller + app.kubernetes.io/name: spacelift-workerpool-controller name: spacelift-worker-controllermanager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -5408,18 +5474,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/part-of: spacelift-workerpool-controller - name: spacelift-worker-controllerproxy-rolebinding + name: spacelift-worker-controllermetrics-auth-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: spacelift-worker-controllerproxy-role + name: spacelift-worker-controllermetrics-auth-role subjects: - kind: ServiceAccount name: spacelift-worker-controllercontroller-manager @@ -5429,12 +5488,8 @@ kind: Service metadata: labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/instance: controller-manager-metrics-service app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: service - app.kubernetes.io/part-of: spacelift-workerpool-controller + app.kubernetes.io/name: spacelift-workerpool-controller control-plane: controller-manager name: spacelift-worker-controllercontroller-manager-metrics-service namespace: spacelift-worker-controller-system @@ -5443,7 +5498,7 @@ - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: control-plane: controller-manager --- 
@@ -5451,12 +5506,8 @@ kind: Deployment metadata: labels: - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/instance: controller-manager app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: deployment - app.kubernetes.io/part-of: spacelift-workerpool-controller + app.kubernetes.io/name: spacelift-workerpool-controller control-plane: controller-manager name: spacelift-worker-controllercontroller-manager namespace: spacelift-worker-controller-system @@ -5488,32 +5539,7 @@ - linux containers: - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 + - --metrics-bind-address=:8443 - --leader-elect command: - /spacelift-workerpool-controller 
@@ -5526,7 +5552,7 @@ periodSeconds: 20 name: manager ports: - - containerPort: 8080 + - containerPort: 8443 name: metrics - containerPort: 8081 name: health ``` --- .../crds/worker-crd.yaml | 2 +- .../crds/workerpool-crd.yaml | 562 ++++++++++++++++-- .../templates/deployment.yaml | 28 +- .../templates/leader-election-rbac.yaml | 8 +- .../templates/manager-rbac.yaml | 65 +- .../templates/metrics-rbac.yaml | 33 + .../templates/metrics-reader-rbac.yaml | 16 - .../templates/metrics-service.yaml | 3 - .../templates/proxy-rbac.yaml | 42 -- .../templates/serviceaccount.yaml | 5 +- spacelift-workerpool-controller/values.yaml | 40 +- 11 files changed, 600 insertions(+), 204 deletions(-) create mode 100644 spacelift-workerpool-controller/templates/metrics-rbac.yaml delete mode 100644 spacelift-workerpool-controller/templates/metrics-reader-rbac.yaml delete mode 100644 spacelift-workerpool-controller/templates/proxy-rbac.yaml diff --git a/spacelift-workerpool-controller/crds/worker-crd.yaml b/spacelift-workerpool-controller/crds/worker-crd.yaml index fa036ee..1fd818e 100644 --- a/spacelift-workerpool-controller/crds/worker-crd.yaml +++ b/spacelift-workerpool-controller/crds/worker-crd.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: workers.workers.spacelift.io spec: group: workers.spacelift.io diff --git a/spacelift-workerpool-controller/crds/workerpool-crd.yaml b/spacelift-workerpool-controller/crds/workerpool-crd.yaml index 747de35..d07bc3e 100644 --- a/spacelift-workerpool-controller/crds/workerpool-crd.yaml +++ b/spacelift-workerpool-controller/crds/workerpool-crd.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.16.5 name: workerpools.workers.spacelift.io spec: group: workers.spacelift.io @@ -38,6 +38,9 @@ spec: type: array keepSuccessfulPods: type: boolean + mqttReconnectRetryCount: + default: 5 + type: integer pod: properties: activeDeadlineSeconds: @@ -50,10 +53,12 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic command: items: type: string type: array + x-kubernetes-list-type: atomic env: items: properties: @@ -68,6 +73,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean @@ -106,6 +112,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean @@ -118,12 +125,16 @@ spec: - name type: object type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map envFrom: items: properties: configMapRef: properties: name: + default: "" type: string optional: type: boolean @@ -134,6 +145,7 @@ spec: secretRef: properties: name: + default: "" type: string optional: type: boolean @@ -141,6 +153,7 @@ spec: x-kubernetes-map-type: atomic type: object type: array + x-kubernetes-list-type: atomic image: type: string imagePullPolicy: @@ -155,6 +168,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object httpGet: properties: @@ -172,6 +186,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic path: type: string port: @@ -184,6 +199,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: @@ -205,6 +228,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object httpGet: properties: 
@@ -222,6 +246,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic path: type: string port: @@ -234,6 +259,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: @@ -256,6 +289,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object failureThreshold: format: int32 @@ -266,6 +300,7 @@ spec: format: int32 type: integer service: + default: "" type: string required: - port @@ -286,6 +321,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic path: type: string port: @@ -360,6 +396,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object failureThreshold: format: int32 @@ -370,6 +407,7 @@ spec: format: int32 type: integer service: + default: "" type: string required: - port @@ -390,6 +428,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic path: type: string port: @@ -450,6 +489,8 @@ spec: properties: name: type: string + request: + type: string required: - name type: object @@ -480,16 +521,27 @@ spec: properties: allowPrivilegeEscalation: type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object capabilities: properties: add: items: type: string type: array + x-kubernetes-list-type: atomic drop: items: type: string type: array + x-kubernetes-list-type: atomic type: object privileged: type: boolean @@ -545,6 +597,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object failureThreshold: format: int32 @@ -555,6 +608,7 @@ spec: format: int32 type: integer service: + default: "" type: string required: - port @@ -575,6 +629,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic path: type: string port: 
@@ -637,6 +692,9 @@ spec: - name type: object type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map volumeMounts: items: properties: @@ -648,6 +706,8 @@ spec: type: string readOnly: type: boolean + recursiveReadOnly: + type: string subPath: type: string subPathExpr: @@ -657,6 +717,9 @@ spec: - name type: object type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map workingDir: type: string required: @@ -683,11 +746,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: items: properties: @@ -699,11 +764,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic weight: @@ -714,6 +781,7 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: properties: nodeSelectorTerms: @@ -730,11 +798,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: items: properties: @@ -746,14 +816,17 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object 
@@ -779,17 +852,29 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -803,11 +888,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -818,6 +905,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: type: string required: @@ -831,6 +919,7 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: items: properties: @@ -847,17 +936,29 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -871,11 +972,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -886,12 +989,14 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: type: string required: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object podAntiAffinity: properties: @@ -913,17 +1018,29 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -937,11 +1054,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -952,6 +1071,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: type: string required: @@ -965,6 +1085,7 @@ spec: - weight type: object type: array + x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: items: properties: @@ -981,17 +1102,29 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: 
@@ -1005,11 +1138,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -1020,12 +1155,14 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic topologyKey: type: string required: - topologyKey type: object type: array + x-kubernetes-list-type: atomic type: object type: object annotations: @@ -1059,10 +1196,12 @@ spec: diskURI: type: string fsType: + default: ext4 type: string kind: type: string readOnly: + default: false type: boolean required: - diskName @@ -1086,6 +1225,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic path: type: string readOnly: @@ -1095,6 +1235,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -1112,6 +1253,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -1140,7 +1282,9 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic name: + default: "" type: string optional: type: boolean @@ -1155,6 +1299,7 @@ spec: nodePublishSecretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -1210,6 +1355,7 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic type: object emptyDir: properties: @@ -1234,6 +1380,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic dataSource: properties: apiGroup: @@ -1263,18 +1410,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -1305,11 +1440,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -1318,6 +1455,8 @@ spec: x-kubernetes-map-type: atomic storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -1340,10 +1479,12 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic wwids: items: type: string type: array + x-kubernetes-list-type: atomic type: object flexVolume: properties: @@ -1360,6 +1501,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -1419,6 +1561,13 @@ spec: required: - path type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object iscsi: properties: chapAuthDiscovery: @@ -1432,6 +1581,7 @@ spec: iqn: type: string iscsiInterface: + default: default type: string lun: format: int32 @@ -1440,11 +1590,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic readOnly: type: boolean secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -1506,6 +1658,45 @@ spec: sources: items: properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object configMap: properties: items: 
@@ -1523,7 +1714,9 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic name: + default: "" type: string optional: type: boolean @@ -1569,6 +1762,7 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic type: object secret: properties: @@ -1587,7 +1781,9 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic name: + default: "" type: string optional: type: boolean @@ -1607,6 +1803,7 @@ spec: type: object type: object type: array + x-kubernetes-list-type: atomic type: object quobyte: properties: @@ -1633,22 +1830,27 @@ spec: image: type: string keyring: + default: /etc/ceph/keyring type: string monitors: items: type: string type: array + x-kubernetes-list-type: atomic pool: + default: rbd type: string readOnly: type: boolean secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic user: + default: admin type: string required: - image @@ -1657,6 +1859,7 @@ spec: scaleIO: properties: fsType: + default: xfs type: string gateway: type: string @@ -1667,12 +1870,14 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic sslEnabled: type: boolean storageMode: + default: ThinProvisioned type: string storagePool: type: string @@ -1705,6 +1910,7 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic optional: type: boolean secretName: @@ -1719,6 +1925,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -1750,10 +1957,12 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic command: items: type: string type: array + x-kubernetes-list-type: atomic env: items: properties: @@ -1768,6 +1977,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean @@ -1806,6 +2016,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean 
@@ -1818,12 +2029,16 @@ spec: - name type: object type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map envFrom: items: properties: configMapRef: properties: name: + default: "" type: string optional: type: boolean @@ -1834,6 +2049,7 @@ spec: secretRef: properties: name: + default: "" type: string optional: type: boolean @@ -1841,6 +2057,7 @@ spec: x-kubernetes-map-type: atomic type: object type: array + x-kubernetes-list-type: atomic image: type: string imagePullPolicy: @@ -1855,6 +2072,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object httpGet: properties: @@ -1872,6 +2090,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic path: type: string port: @@ -1884,6 +2103,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: @@ -1905,6 +2132,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object httpGet: properties: @@ -1922,6 +2150,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic path: type: string port: @@ -1934,6 +2163,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: @@ -1956,6 +2193,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object failureThreshold: format: int32 @@ -1966,6 +2204,7 @@ spec: format: int32 type: integer service: + default: "" type: string required: - port @@ -1986,6 +2225,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic path: type: string port: @@ -2060,6 +2300,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object failureThreshold: format: int32 @@ -2070,6 +2311,7 @@ spec: format: int32 type: integer service: + default: "" type: string required: - port 
@@ -2090,6 +2332,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic path: type: string port: @@ -2150,6 +2393,8 @@ spec: properties: name: type: string + request: + type: string required: - name type: object @@ -2180,16 +2425,27 @@ spec: properties: allowPrivilegeEscalation: type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object capabilities: properties: add: items: type: string type: array + x-kubernetes-list-type: atomic drop: items: type: string type: array + x-kubernetes-list-type: atomic type: object privileged: type: boolean @@ -2245,6 +2501,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic type: object failureThreshold: format: int32 @@ -2255,6 +2512,7 @@ spec: format: int32 type: integer service: + default: "" type: string required: - port @@ -2275,6 +2533,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic path: type: string port: @@ -2337,6 +2596,9 @@ spec: - name type: object type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map volumeMounts: items: properties: @@ -2348,6 +2610,8 @@ spec: type: string readOnly: type: boolean + recursiveReadOnly: + type: string subPath: type: string subPathExpr: @@ -2357,6 +2621,9 @@ spec: - name type: object type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map workingDir: type: string required: @@ -2369,6 +2636,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic options: items: properties: @@ -2378,10 +2646,12 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic searches: items: type: string type: array + x-kubernetes-list-type: atomic type: object grpcServerContainer: properties: @@ -2399,6 +2669,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean 
@@ -2437,6 +2708,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean @@ -2455,6 +2727,7 @@ spec: configMapRef: properties: name: + default: "" type: string optional: type: boolean @@ -2465,6 +2738,7 @@ spec: secretRef: properties: name: + default: "" type: string optional: type: boolean @@ -2481,6 +2755,8 @@ spec: properties: name: type: string + request: + type: string required: - name type: object @@ -2509,16 +2785,27 @@ spec: properties: allowPrivilegeEscalation: type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object capabilities: properties: add: items: type: string type: array + x-kubernetes-list-type: atomic drop: items: type: string type: array + x-kubernetes-list-type: atomic type: object privileged: type: boolean @@ -2577,6 +2864,8 @@ spec: type: string readOnly: type: boolean + recursiveReadOnly: + type: string subPath: type: string subPathExpr: @@ -2594,14 +2883,18 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic ip: type: string + required: + - ip type: object type: array imagePullSecrets: items: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -2622,6 +2915,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean @@ -2660,6 +2954,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean @@ -2678,6 +2973,7 @@ spec: configMapRef: properties: name: + default: "" type: string optional: type: boolean @@ -2688,6 +2984,7 @@ spec: secretRef: properties: name: + default: "" type: string optional: type: boolean @@ -2704,6 +3001,8 @@ spec: properties: name: type: string + request: + type: string required: - name type: object 
@@ -2732,16 +3031,27 @@ spec: properties: allowPrivilegeEscalation: type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object capabilities: properties: add: items: type: string type: array + x-kubernetes-list-type: atomic drop: items: type: string type: array + x-kubernetes-list-type: atomic type: object privileged: type: boolean @@ -2800,6 +3110,8 @@ spec: type: string readOnly: type: boolean + recursiveReadOnly: + type: string subPath: type: string subPathExpr: @@ -2829,6 +3141,15 @@ spec: type: string securityContext: properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object fsGroup: format: int64 type: integer @@ -2867,6 +3188,9 @@ spec: format: int64 type: integer type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string sysctls: items: properties: @@ -2879,6 +3203,7 @@ spec: - value type: object type: array + x-kubernetes-list-type: atomic windowsOptions: properties: gmsaCredentialSpec: @@ -2928,11 +3253,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -2990,10 +3317,12 @@ spec: diskURI: type: string fsType: + default: ext4 type: string kind: type: string readOnly: + default: false type: boolean required: - diskName @@ -3017,6 +3346,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic path: type: string readOnly: @@ -3026,6 +3356,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -3043,6 +3374,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic 
@@ -3071,7 +3403,9 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic name: + default: "" type: string optional: type: boolean @@ -3086,6 +3420,7 @@ spec: nodePublishSecretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -3141,6 +3476,7 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic type: object emptyDir: properties: @@ -3165,6 +3501,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic dataSource: properties: apiGroup: @@ -3194,18 +3531,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -3236,11 +3561,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -3249,6 +3576,8 @@ spec: x-kubernetes-map-type: atomic storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -3271,10 +3600,12 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic wwids: items: type: string type: array + x-kubernetes-list-type: atomic type: object flexVolume: properties: @@ -3291,6 +3622,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -3350,6 +3682,13 @@ spec: required: - path type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object iscsi: properties: chapAuthDiscovery: @@ -3363,6 +3702,7 @@ spec: iqn: type: string iscsiInterface: + default: default type: string lun: format: int32 
@@ -3371,11 +3711,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic readOnly: type: boolean secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -3437,6 +3779,45 @@ spec: sources: items: properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object configMap: properties: items: @@ -3454,7 +3835,9 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic name: + default: "" type: string optional: type: boolean @@ -3500,6 +3883,7 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic type: object secret: properties: @@ -3518,7 +3902,9 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic name: + default: "" type: string optional: type: boolean @@ -3538,6 +3924,7 @@ spec: type: object type: object type: array + x-kubernetes-list-type: atomic type: object quobyte: properties: @@ -3564,22 +3951,27 @@ spec: image: type: string keyring: + default: /etc/ceph/keyring type: string monitors: items: type: string type: array + x-kubernetes-list-type: atomic pool: + default: rbd type: string readOnly: type: boolean secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic user: + default: admin type: string required: - image @@ -3588,6 +3980,7 @@ spec: scaleIO: properties: fsType: + default: xfs type: string gateway: type: string 
@@ -3598,12 +3991,14 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic sslEnabled: type: boolean storageMode: + default: ThinProvisioned type: string storagePool: type: string @@ -3636,6 +4031,7 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic optional: type: boolean secretName: @@ -3650,6 +4046,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -3691,6 +4088,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean @@ -3729,6 +4127,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean @@ -3747,6 +4146,7 @@ spec: configMapRef: properties: name: + default: "" type: string optional: type: boolean @@ -3757,6 +4157,7 @@ spec: secretRef: properties: name: + default: "" type: string optional: type: boolean @@ -3773,6 +4174,8 @@ spec: properties: name: type: string + request: + type: string required: - name type: object @@ -3801,16 +4204,27 @@ spec: properties: allowPrivilegeEscalation: type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object capabilities: properties: add: items: type: string type: array + x-kubernetes-list-type: atomic drop: items: type: string type: array + x-kubernetes-list-type: atomic type: object privileged: type: boolean @@ -3869,6 +4283,8 @@ spec: type: string readOnly: type: boolean + recursiveReadOnly: + type: string subPath: type: string subPathExpr: @@ -3904,10 +4320,12 @@ spec: diskURI: type: string fsType: + default: ext4 type: string kind: type: string readOnly: + default: false type: boolean required: - diskName @@ -3931,6 +4349,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic path: type: string readOnly: @@ -3940,6 +4359,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic 
@@ -3957,6 +4377,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -3985,7 +4406,9 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic name: + default: "" type: string optional: type: boolean @@ -4000,6 +4423,7 @@ spec: nodePublishSecretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -4055,6 +4479,7 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic type: object emptyDir: properties: @@ -4079,6 +4504,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic dataSource: properties: apiGroup: @@ -4108,18 +4534,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -4150,11 +4564,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -4163,6 +4579,8 @@ spec: x-kubernetes-map-type: atomic storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -4185,10 +4603,12 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic wwids: items: type: string type: array + x-kubernetes-list-type: atomic type: object flexVolume: properties: @@ -4205,6 +4625,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -4264,6 +4685,13 @@ spec: required: - path type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object iscsi: properties: chapAuthDiscovery: @@ -4277,6 +4705,7 @@ spec: iqn: type: string iscsiInterface: + default: default type: string lun: format: int32 
@@ -4285,11 +4714,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic readOnly: type: boolean secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -4351,6 +4782,45 @@ spec: sources: items: properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object configMap: properties: items: @@ -4368,7 +4838,9 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic name: + default: "" type: string optional: type: boolean @@ -4414,6 +4886,7 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic type: object secret: properties: @@ -4432,7 +4905,9 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic name: + default: "" type: string optional: type: boolean @@ -4452,6 +4927,7 @@ spec: type: object type: object type: array + x-kubernetes-list-type: atomic type: object quobyte: properties: @@ -4478,22 +4954,27 @@ spec: image: type: string keyring: + default: /etc/ceph/keyring type: string monitors: items: type: string type: array + x-kubernetes-list-type: atomic pool: + default: rbd type: string readOnly: type: boolean secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic user: + default: admin type: string required: - image @@ -4502,6 +4983,7 @@ spec: scaleIO: properties: fsType: + default: xfs type: string gateway: type: string 
@@ -4512,12 +4994,14 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic sslEnabled: type: boolean storageMode: + default: ThinProvisioned type: string storagePool: type: string @@ -4550,6 +5034,7 @@ spec: - path type: object type: array + x-kubernetes-list-type: atomic optional: type: boolean secretName: @@ -4564,6 +5049,7 @@ spec: secretRef: properties: name: + default: "" type: string type: object x-kubernetes-map-type: atomic @@ -4600,6 +5086,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean @@ -4617,6 +5104,7 @@ spec: key: type: string name: + default: "" type: string optional: type: boolean diff --git a/spacelift-workerpool-controller/templates/deployment.yaml b/spacelift-workerpool-controller/templates/deployment.yaml index 6493831..2f30832 100644 --- a/spacelift-workerpool-controller/templates/deployment.yaml +++ b/spacelift-workerpool-controller/templates/deployment.yaml @@ -3,9 +3,6 @@ kind: Deployment metadata: name: {{ include "spacelift-workerpool-controller.fullname" . }}-controller-manager labels: - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: spacelift-workerpool-controller - app.kubernetes.io/part-of: spacelift-workerpool-controller control-plane: controller-manager {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }} spec: 
@@ -40,25 +37,12 @@ spec:
 values:
 - linux
 containers:
- {{- if .Values.metricsService.enabled }}
- - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }}
- env:
- - name: KUBERNETES_CLUSTER_DOMAIN
- value: {{ quote .Values.kubernetesClusterDomain }}
- image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag
- | default .Chart.AppVersion }}
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- protocol: TCP
- resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent
- 10 }}
- securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
- | nindent 10 }}
- {{- end }}
 - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
- - --metrics-bind-address={{ if .Values.metricsService.enabled }}127.0.0.1:8080{{ else }}0{{ end }}
+ {{- if .Values.metricsService.enabled }}
+ - --metrics-bind-address=:8443
+ - --metrics-secure={{ .Values.metricsService.secure | toYaml}}
+ - --enable-http2={{ .Values.metricsService.enableHTTP2 | toYaml}}
+ {{- end }}
 {{- range .Values.controllerManager.namespaces }}
 - --namespaces={{ . }}
 {{- end }}
@@ -73,7 +57,7 @@ spec:
 - containerPort: 8081
 name: health
 {{- if .Values.metricsService.enabled }}
- - containerPort: 8080
+ - containerPort: 8443
 name: metrics
 {{- end }}
 livenessProbe:
diff --git a/spacelift-workerpool-controller/templates/leader-election-rbac.yaml b/spacelift-workerpool-controller/templates/leader-election-rbac.yaml
index e2825fd..c73060e 100644
--- a/spacelift-workerpool-controller/templates/leader-election-rbac.yaml
+++ b/spacelift-workerpool-controller/templates/leader-election-rbac.yaml
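Review bot: With `metricsService.secure: false` the manager now answers on `:8443` itself with no authn/authz in front of it, where the removed kube-rbac-proxy container used to sit, so the protection of the metrics endpoint now rests entirely on that one value; a comment above `{{- if .Values.metricsService.enabled }}` such as `# secure=false serves /metrics on :8443 as plain, unauthenticated HTTP; restrict it with a NetworkPolicy` would make that visible where the flag is set. The old line passed `--metrics-bind-address=0` when metrics were disabled, whereas the new block passes nothing in that case, so the endpoint is only off if the v0.0.17 binary's flag default is `0` — worth confirming. Style: `| toYaml}}` on the two new lines is missing the space before `}}`. The container spec continues past the end of the hunk.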
@@ -3,9 +3,6 @@ kind: Role
 metadata:
 name: {{ include "spacelift-workerpool-controller.fullname" . }}-leader-election-role
 labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: spacelift-workerpool-controller
- app.kubernetes.io/part-of: spacelift-workerpool-controller
 {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
 rules:
 - apiGroups:
@@ -45,9 +42,6 @@ kind: RoleBinding
 metadata:
 name: {{ include "spacelift-workerpool-controller.fullname" . }}-leader-election-rolebinding
 labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: spacelift-workerpool-controller
- app.kubernetes.io/part-of: spacelift-workerpool-controller
 {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -56,4 +50,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: '{{ include "spacelift-workerpool-controller.fullname" . }}-controller-manager'
- namespace: '{{ .Release.Namespace }}'
\ No newline at end of file
+ namespace: '{{ .Release.Namespace }}'
diff --git a/spacelift-workerpool-controller/templates/manager-rbac.yaml b/spacelift-workerpool-controller/templates/manager-rbac.yaml
index cdba370..19ad18b 100644
--- a/spacelift-workerpool-controller/templates/manager-rbac.yaml
+++ b/spacelift-workerpool-controller/templates/manager-rbac.yaml
@@ -2,16 +2,14 @@
 - apiGroups:
 - ""
 resources:
- - pods
+ - events
 verbs:
 - create
- - delete
- - get
- - list
- - watch
+ - patch
 - apiGroups:
 - ""
 resources:
+ - pods
 - secrets
 verbs:
 - create
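Review bot: Folding `pods` into the rule that already covers `secrets` gives both resources one shared verb list, and that list is only partly visible here (`create` at the end of this hunk, `get`/`list`/`watch` at the start of the next, old line 18 between them outside both), so please confirm the merged set is exactly the union that was intended — pods previously had `delete`, and from now on any verb granted for secrets also applies to pods and vice versa. A short comment above the merged rule, `# pods and secrets intentionally share one verb set; split them again if that stops being true`, would keep the next edit from widening one by accident. The events rule is reduced to `create`/`patch`, which is what an event recorder typically needs.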
@@ -19,42 +17,10 @@
 - get
 - list
 - watch
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
 - apiGroups:
 - workers.spacelift.io
 resources:
 - workerpools
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - workers.spacelift.io
- resources:
- - workerpools/finalizers
- verbs:
- - update
-- apiGroups:
- - workers.spacelift.io
- resources:
- - workerpools/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - workers.spacelift.io
- resources:
 - workers
 verbs:
 - create
@@ -67,12 +33,14 @@
 - apiGroups:
 - workers.spacelift.io
 resources:
+ - workerpools/finalizers
 - workers/finalizers
 verbs:
 - update
 - apiGroups:
 - workers.spacelift.io
 resources:
+ - workerpools/status
 - workers/status
 verbs:
 - get
@@ -95,9 +63,6 @@ kind: ClusterRoleBinding
 metadata:
 name: {{ include "spacelift-workerpool-controller.fullname" . }}-manager-rolebinding
 labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: spacelift-workerpool-controller
- app.kubernetes.io/part-of: spacelift-workerpool-controller
 {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -126,9 +91,6 @@ metadata:
 name: {{ include "spacelift-workerpool-controller.fullname" $ }}-manager-rolebinding
 namespace: '{{ $namespace }}'
 labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: spacelift-workerpool-controller
- app.kubernetes.io/part-of: spacelift-workerpool-controller
 {{- include "spacelift-workerpool-controller.labels" $ | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -140,3 +102,20 @@ subjects:
 namespace: '{{ $.Release.Namespace }}'
 {{ end }}
 {{ end }}
+{{ if and .Values.metricsService.enabled .Values.metricsService.secure }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "spacelift-workerpool-controller.fullname" . }}-metrics-auth-rolebinding
+ labels:
+ {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ include "spacelift-workerpool-controller.fullname" . }}-metrics-auth-role'
+subjects:
+ - kind: ServiceAccount
+ name: '{{ include "spacelift-workerpool-controller.fullname" . }}-controller-manager'
+ namespace: '{{ .Release.Namespace }}'
+{{ end }}
diff --git a/spacelift-workerpool-controller/templates/metrics-rbac.yaml b/spacelift-workerpool-controller/templates/metrics-rbac.yaml
new file mode 100644
index 0000000..f789356
--- /dev/null
+++ b/spacelift-workerpool-controller/templates/metrics-rbac.yaml
@@ -0,0 +1,33 @@
+{{ if and .Values.metricsService.enabled .Values.metricsService.secure }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "spacelift-workerpool-controller.fullname" . }}-metrics-auth-role
+ labels:
+ {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "spacelift-workerpool-controller.fullname" . }}-metrics-reader
+ labels:
+ {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
+rules:
+ - nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+{{ end }}
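Review bot: The `metrics-reader` ClusterRole in the new metrics-rbac.yaml is created without any binding, so a scraper's ServiceAccount has to be bound to it outside the chart and nothing in the file says so; a comment above its `rules:` such as `# No binding is created here: bind this role to your scraper's ServiceAccount, or /metrics answers 403` would save users the hunt. The `metrics-auth-role` rules (TokenReview and SubjectAccessReview `create`) are the same pair the deleted proxy-rbac.yaml granted to kube-rbac-proxy, now bound to the manager's own ServiceAccount by the binding added in manager-rbac.yaml, which is consistent. Both roles are gated on `secure` together, so with `secure: false` neither exists, which is fine since an unauthenticated endpoint needs no reader role.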
diff --git a/spacelift-workerpool-controller/templates/metrics-reader-rbac.yaml b/spacelift-workerpool-controller/templates/metrics-reader-rbac.yaml
deleted file mode 100644
index 1c218c0..0000000
--- a/spacelift-workerpool-controller/templates/metrics-reader-rbac.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{ if .Values.metricsService.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "spacelift-workerpool-controller.fullname" . }}-metrics-reader
- labels:
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: spacelift-workerpool-controller
- app.kubernetes.io/part-of: spacelift-workerpool-controller
- {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
-rules:
-- nonResourceURLs:
- - /metrics
- verbs:
- - get
-{{ end }}
diff --git a/spacelift-workerpool-controller/templates/metrics-service.yaml b/spacelift-workerpool-controller/templates/metrics-service.yaml
index 677e659..620c5da 100644
--- a/spacelift-workerpool-controller/templates/metrics-service.yaml
+++ b/spacelift-workerpool-controller/templates/metrics-service.yaml
@@ -4,9 +4,6 @@ kind: Service
 metadata:
 name: {{ include "spacelift-workerpool-controller.fullname" . }}-metrics-service
 labels:
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: spacelift-workerpool-controller
- app.kubernetes.io/part-of: spacelift-workerpool-controller
 control-plane: controller-manager
 {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
 spec:
diff --git a/spacelift-workerpool-controller/templates/proxy-rbac.yaml b/spacelift-workerpool-controller/templates/proxy-rbac.yaml
deleted file mode 100644
index 93b6496..0000000
--- a/spacelift-workerpool-controller/templates/proxy-rbac.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-{{ if .Values.metricsService.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "spacelift-workerpool-controller.fullname" . }}-proxy-role
- labels:
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: spacelift-workerpool-controller
- app.kubernetes.io/part-of: spacelift-workerpool-controller
- {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
-rules:
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "spacelift-workerpool-controller.fullname" . }}-proxy-rolebinding
- labels:
- app.kubernetes.io/component: kube-rbac-proxy
- app.kubernetes.io/created-by: spacelift-workerpool-controller
- app.kubernetes.io/part-of: spacelift-workerpool-controller
- {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: '{{ include "spacelift-workerpool-controller.fullname" . }}-proxy-role'
-subjects:
-- kind: ServiceAccount
- name: '{{ include "spacelift-workerpool-controller.fullname" . }}-controller-manager'
- namespace: '{{ .Release.Namespace }}'
-{{ end }}
diff --git a/spacelift-workerpool-controller/templates/serviceaccount.yaml b/spacelift-workerpool-controller/templates/serviceaccount.yaml
index 385a008..f1d9164 100644
--- a/spacelift-workerpool-controller/templates/serviceaccount.yaml
+++ b/spacelift-workerpool-controller/templates/serviceaccount.yaml
@@ -3,12 +3,9 @@ kind: ServiceAccount
 metadata:
 name: {{ include "spacelift-workerpool-controller.fullname" . }}-controller-manager
 labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: spacelift-workerpool-controller
- app.kubernetes.io/part-of: spacelift-workerpool-controller
 {{- include "spacelift-workerpool-controller.labels" . | nindent 4 }}
 {{- with .Values.controllerManager.serviceAccount.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
 annotations:
- {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}
\ No newline at end of file
+ {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}
diff --git a/spacelift-workerpool-controller/values.yaml b/spacelift-workerpool-controller/values.yaml
index eb61c5e..fd2d898 100644
--- a/spacelift-workerpool-controller/values.yaml
+++ b/spacelift-workerpool-controller/values.yaml
@@ -3,33 +3,7 @@ controllerManager:
 # and will be able to manage WorkerPools across all namespaces in your cluster.
 # If you do not want to grant cluster wide permissions to the controller, you can specify a list
 # of namespaces. That will create a Role per namespace and bind it to the service account used by the controller.
- #
- # PLEASE NOTE: currently the metrics service requires a ClusterRole in order to function, so
- # if `metricsService.enabled` is set to true, a ClusterRole will be created even if you
- # specify namespaces.
 namespaces: []
- kubeRbacProxy:
- args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=0
- containerSecurityContext:
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- image:
- repository: gcr.io/kubebuilder/kube-rbac-proxy
- tag: v0.14.1
- resources:
- limits:
- cpu: 500m
- memory: 128Mi
- requests:
- cpu: 5m
- memory: 64Mi
 manager:
 args:
 - --health-probe-bind-address=:8081
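Review bot: Dropping the whole `controllerManager.kubeRbacProxy` tree from values.yaml means a user values file that still overrides it (image tag, resources, securityContext) is now silently ignored rather than rejected, and since the commit is marked breaking a note above `manager:` such as `# kubeRbacProxy.* was removed: metrics authn/authz is now done by the manager itself, see metricsService.secure` would help on upgrade. The removed "PLEASE NOTE" caveat is still true when `metricsService.secure` is `true`, because the new ClusterRole and ClusterRoleBinding in manager-rbac.yaml and metrics-rbac.yaml are gated only on `enabled` and `secure`, not on `namespaces`; the caveat should move under `metricsService` rather than disappear.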
@@ -42,7 +16,7 @@ controllerManager:
 - ALL
 image:
 repository: public.ecr.aws/spacelift/kube-workerpool-controller
- tag: v0.0.14
+ tag: v0.0.17
 resources:
 limits:
 memory: 128Mi
@@ -62,12 +36,20 @@ kubernetesClusterDomain: cluster.local
 # This is disabled by default, enable this if you want to enable controller observability.
 metricsService:
 enabled: false
+ # Enabling secure will also create ClusterRole to enable authn/authz to the metrics endpoint through RBAC.
+ # More details here https://book.kubebuilder.io/reference/metrics#by-using-authnauthz-enabled-by-default
+ # Secure is enabled by default to be consistent with Kubebuilder defaults.
+ #
+ # If you want to avoid cluster roles, you can keep this set to false and configure a NetworkPolicu instead.
+ # An example can be found in Kubebuilder docs here https://github.com/kubernetes-sigs/kubebuilder/blob/d063d5af162a772379a761fae5aaea8c91b877d4/docs/book/src/getting-started/testdata/project/config/network-policy/allow-metrics-traffic.yaml#L2
+ secure: true
+ enableHTTP2: false
 ports:
 - name: https
 port: 8443
 protocol: TCP
- targetPort: https
+ targetPort: metrics
 type: ClusterIP
 spacelift-promex:
- enabled: false
\ No newline at end of file
+ enabled: false
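Review bot: The new comment block on `secure` misspells `NetworkPolicy` as `NetworkPolicu` and never states what `secure: false` actually means: the manager is then started with `--metrics-secure=false` (deployment.yaml in this commit), so `/metrics` on `:8443` is presumably served as plain, unauthenticated HTTP, and the unchanged service port name `https` becomes misleading in that mode. Suggested replacement for that line: `# If you want to avoid cluster roles, set this to false: /metrics is then plain, unauthenticated HTTP on :8443, so restrict it with a NetworkPolicy instead.` The new `enableHTTP2: false` key has no comment at all; one line such as `# HTTP/2 on the metrics listener is off by default; enable only if your scraper requires it` would make it an informed choice. The `targetPort: metrics` change correctly follows the container port rename in deployment.yaml.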