From 0b46a6aafd5d623a55916b434fd2ea654b174bf3 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Tue, 7 Jan 2025 14:35:01 +0100 Subject: [PATCH] feat(kustomize): experiment --- deploy/kustomize/base/authentication.crd.yaml | 168 ++++++++++++++++++ deploy/kustomize/base/configmap.yaml | 8 + deploy/kustomize/base/deployment.yaml | 52 ++++++ deploy/kustomize/base/kustomization.yaml | 11 ++ deploy/kustomize/base/roles.yaml | 43 +++++ deploy/kustomize/base/serviceaccount.yaml | 29 +++ .../charts/commons-operator/Chart.yaml | 10 ++ .../overlays/helm/kustomization.yaml | 27 +++ deploy/kustomize/overlays/helm/values.yaml | 47 +++++ 9 files changed, 395 insertions(+) create mode 100644 deploy/kustomize/base/authentication.crd.yaml create mode 100644 deploy/kustomize/base/configmap.yaml create mode 100644 deploy/kustomize/base/deployment.yaml create mode 100644 deploy/kustomize/base/kustomization.yaml create mode 100644 deploy/kustomize/base/roles.yaml create mode 100644 deploy/kustomize/base/serviceaccount.yaml create mode 100644 deploy/kustomize/charts/commons-operator/Chart.yaml create mode 100644 deploy/kustomize/overlays/helm/kustomization.yaml create mode 100644 deploy/kustomize/overlays/helm/values.yaml diff --git a/deploy/kustomize/base/authentication.crd.yaml b/deploy/kustomize/base/authentication.crd.yaml new file mode 100644 index 0000000..796f20f --- /dev/null +++ b/deploy/kustomize/base/authentication.crd.yaml 
@@ -0,0 +1,168 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: authenticationclasses.authentication.stackable.tech +spec: + group: authentication.stackable.tech + names: + categories: [] + kind: AuthenticationClass + plural: authenticationclasses + shortNames: [] + singular: authenticationclass + scope: Cluster + versions: + - additionalPrinterColumns: [] + name: v1alpha1 + schema: + openAPIV3Schema: + description: "Auto-generated derived type for AuthenticationClassSpec via `CustomResource`" + properties: + spec: + properties: + protocol: + description: Protocol used for authentication + oneOf: + - required: + - ldap + properties: + ldap: + properties: + bindCredentials: + description: In case you need a special account for searching the LDAP server you can specify it here + nullable: true + properties: + scope: + description: "[Scope](https://docs.stackable.tech/secret-operator/scope.html) of the [SecretClass](https://docs.stackable.tech/secret-operator/secretclass.html)" + nullable: true + properties: + node: + default: false + type: boolean + pod: + default: false + type: boolean + services: + default: [] + items: + type: string + type: array + type: object + secretClass: + description: "[SecretClass](https://docs.stackable.tech/secret-operator/secretclass.html) containing the LDAP bind credentials" + type: string + required: + - secretClass + type: object + emailField: + default: mail + description: The name of the email field + type: string + firstnameField: + default: givenName + description: The name of the firstname field + type: string + groupField: + default: memberof + description: The name of the group field + type: string + hostname: + description: Hostname of the LDAP server + type: string + lastnameField: + default: sn + description: The name of the lastname field + type: string + port: + default: 389 + description: Port of the LDAP server + format: uint16 + minimum: 0.0 + type: integer + searchBase: + 
default: "" + description: LDAP search base + type: string + searchFilter: + default: "" + description: LDAP query to filter users + type: string + tls: + description: Use a TLS connection. If not specified no TLS will be used + nullable: true + oneOf: + - required: + - insecure + - required: + - systemProvided + - required: + - serverVerification + - required: + - mutualVerification + properties: + insecure: + description: "Use TLS but don't verify certificates. We have to use an empty struct instead of an empty Enum because of limitations of [kube-rs](https://github.com/kube-rs/kube-rs/)" + type: object + mutualVerification: + description: Use TLS and ca certificate to verify the server and the client + properties: + secretClass: + description: "[SecretClass](https://docs.stackable.tech/secret-operator/secretclass.html) which will provide ca.crt, tls.crt and tls.key" + type: string + required: + - secretClass + type: object + serverVerification: + description: Use TLS and ca certificate to verify the server + properties: + serverCaCert: + description: Ca cert to verify the server + oneOf: + - required: + - configmap + - required: + - secret + - required: + - path + - required: + - secretClass + properties: + configmap: + description: "Name of the ConfigMap containing the ca cert. Key must be \"ca.crt\"." + type: string + path: + description: Path to the ca cert + type: string + secret: + description: "Name of the Secret containing the ca cert. Key must be \"ca.crt\"." + type: string + secretClass: + description: Name of the SecretClass which will provide the ca cert + type: string + type: object + required: + - serverCaCert + type: object + systemProvided: + description: Use TLS and the ca certificates provided by the system - in this case the Docker image - to verify the server. This can be useful when you e.g. use public AWS S3 or other public available services. 
+ type: object + type: object + uidField: + default: uid + description: The name of the username field + type: string + required: + - hostname + type: object + type: object + required: + - protocol + type: object + required: + - spec + title: AuthenticationClass + type: object + served: true + storage: true + subresources: {} diff --git a/deploy/kustomize/base/configmap.yaml b/deploy/kustomize/base/configmap.yaml new file mode 100644 index 0000000..7d53d60 --- /dev/null +++ b/deploy/kustomize/base/configmap.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +data: +kind: ConfigMap +metadata: + name: commons-operator-configmap + labels: + stackable.tech/vendor: Stackable diff --git a/deploy/kustomize/base/deployment.yaml b/deploy/kustomize/base/deployment.yaml new file mode 100644 index 0000000..49dbcc7 --- /dev/null +++ b/deploy/kustomize/base/deployment.yaml 
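Review bot: This CRD is a committed copy of generated output — its own top-level `description` reads "Auto-generated derived type for AuthenticationClassSpec via `CustomResource`" — and nothing in the hunk ties the file back to whatever produces it, so the kustomize base will silently drift from the operator's real schema the next time the Rust type changes. If the project already regenerates CRDs for the Helm chart, the base should consume that artifact or be written by the same target; at minimum I would add a header comment `# Generated from the AuthenticationClassSpec Rust type — do not edit by hand; regenerate with the project's CRD target` so nobody patches it in place. Two schema points to carry back to the generator rather than fix here: `port` declares `format: uint16` with `minimum: 0.0` but no `maximum`, and the API server does not enforce `format`, so out-of-range ports are accepted; and `tls.insecure` disables certificate verification, which is presumably intentional but deserves a sentence in the field description about when it is acceptable.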
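Review bot: `data:` in the ConfigMap is left bare, which YAML parses as null rather than an empty map; the API server tolerates it, but yamllint flags it and it reads as an unfinished stanza. Write `data: {}` (or drop the key) until there is real config-spec content, and keep in mind that the Deployment in this same patch mounts this ConfigMap at `/etc/stackable/commons-operator/config-spec`, so an empty map yields an empty directory there rather than an error.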
@@ -0,0 +1,52 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: commons-operator-deployment
+ labels:
+ stackable.tech/vendor: Stackable
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: commons-operator
+ app.kubernetes.io/instance: commons-operator
+ stackable.tech/vendor: Stackable
+ template:
+ metadata:
+ annotations:
+ internal.stackable.tech/image: docker.stackable.tech/stackable/commons-operator:0.0.0-dev
+ labels:
+ app.kubernetes.io/name: commons-operator
+ app.kubernetes.io/instance: commons-operator
+ stackable.tech/vendor: Stackable
+ spec:
+ serviceAccountName: commons-operator-serviceaccount
+ containers:
+ - name: commons-operator
+ image: docker.stackable.tech/stackable/commons-operator:0.0.0-dev
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ cpu: 200m
+ memory: 1024Mi
+ requests:
+ cpu: 200m
+ memory: 1024Mi
+ volumeMounts:
+ - mountPath: /etc/stackable/commons-operator/config-spec
+ name: config-spec
+ env:
+ - name: OPERATOR_IMAGE
+ # Tilt can use annotations as image paths, but not env variables
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.annotations['internal.stackable.tech/image']
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: cluster.local
+ volumes:
+ - name: config-spec
+ configMap:
+ name: commons-operator-configmap
diff --git a/deploy/kustomize/base/kustomization.yaml b/deploy/kustomize/base/kustomization.yaml
new file mode 100644
index 0000000..8acfb54
--- /dev/null
+++ b/deploy/kustomize/base/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+metadata:
+ name: commons-operator
+
+resources:
+ - configmap.yaml
+ - deployment.yaml
+ - roles.yaml
+ - serviceaccount.yaml
+ - authentication.crd.yaml
diff --git a/deploy/kustomize/base/roles.yaml b/deploy/kustomize/base/roles.yaml
new file mode 100644
index 0000000..4ea2df2
--- /dev/null
+++ b/deploy/kustomize/base/roles.yaml
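Review bot: The `commons-operator` container has no `securityContext` at all, so with a cluster-wide ClusterRole bound to its ServiceAccount it runs with privilege escalation allowed, a writable root filesystem and the default capability set — a compromised operator pod is then also the most capable foothold in the cluster. The hunk gives no reason the operator needs any of that, so I would ship the restrictive baseline below under `- name: commons-operator`; `runAsNonRoot: true` belongs there too but only once the image's USER is confirmed non-root, and `readOnlyRootFilesystem: true` assumes the operator writes nothing outside the mounted ConfigMap, which I cannot verify from the diff.
```yaml
      containers:
        - name: commons-operator
          # … unchanged: image, imagePullPolicy, resources, volumeMounts, env …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
```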
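Review bot: This Kustomization sets no `namespace:`, while the ClusterRoleBinding in serviceaccount.yaml pins its subject to `namespace: stackable-operators`; applying the base into any other namespace (or with no `-n`) creates the ServiceAccount and Deployment wherever the current context points, and the binding then grants the ClusterRole to a ServiceAccount that does not exist there, leaving the operator with no permissions and no obvious error. Add `namespace: stackable-operators` under `metadata:` here so every namespaced resource lands where the binding expects it, or drop the hard-coded subject namespace and let the kustomize namespace transformer keep the two in sync — I believe it rewrites ServiceAccount subjects in bindings, but that is worth confirming on the kustomize version in use.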
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: commons-operator-clusterrole
+ labels:
+ app.kubernetes.io/instance: commons-operator
+ app.kubernetes.io/name: commons-operator
+ app.kubernetes.io/version: 0.0.0-dev
+ stackable.tech/vendor: Stackable
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ - secrets
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - patch # We need to add a label to the StatefulSet
+ - apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - pods/eviction
+ verbs:
+ - create
diff --git a/deploy/kustomize/base/serviceaccount.yaml b/deploy/kustomize/base/serviceaccount.yaml
new file mode 100644
index 0000000..f63e59c
--- /dev/null
+++ b/deploy/kustomize/base/serviceaccount.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: commons-operator-serviceaccount
+ labels:
+ app.kubernetes.io/instance: commons-operator
+ app.kubernetes.io/name: commons-operator
+ app.kubernetes.io/version: 0.0.0-dev
+ stackable.tech/vendor: Stackable
+---
+apiVersion: rbac.authorization.k8s.io/v1
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: ClusterRoleBinding
+metadata:
+ name: commons-operator-clusterrolebinding
+ labels:
+ app.kubernetes.io/instance: commons-operator
+ app.kubernetes.io/name: commons-operator
+ app.kubernetes.io/version: 0.0.0-dev
+ stackable.tech/vendor: Stackable
+subjects:
+ - kind: ServiceAccount
+ name: commons-operator-serviceaccount
+ namespace: stackable-operators
+roleRef:
+ kind: ClusterRole
+ name: commons-operator-clusterrole
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kustomize/charts/commons-operator/Chart.yaml b/deploy/kustomize/charts/commons-operator/Chart.yaml
new file mode 100644
index 0000000..21e303f
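Review bot: The first rule grants `get`, `list` and `watch` on `secrets` across every namespace, which lets this ServiceAccount enumerate and read every Secret in the cluster; that is by far the most sensitive permission in the file, and the hunk gives no hint which Secrets the operator actually needs. If it only reads specific, known-named Secrets, narrow the verb to `get` with `resourceNames`, or move the grant to a namespaced Role where the consumers live; if it genuinely must watch Secrets cluster-wide, say so on the rule the way the `patch` verb already is, e.g. `- secrets # read by <controller> for <purpose>`. I cannot tell from the diff whether the broad grant is required, so treat this as a question to answer in the file rather than a known defect.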
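Review bot: The comment above `kind: ClusterRoleBinding` — "allows anyone in the "manager" group to read secrets in any namespace" — is the upstream RBAC docs example and describes a different binding: the subject here is a single ServiceAccount, not a group, and the bound ClusterRole grants more than Secret reads, so the comment misleads anyone auditing permissions. Replace it with `# Grants commons-operator-clusterrole cluster-wide to the operator's ServiceAccount in stackable-operators.` Note also that `namespace: stackable-operators` is hard-coded in the subject while the ServiceAccount above carries no namespace, so the two only line up if the base is applied into that namespace.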
--- /dev/null
+++ b/deploy/kustomize/charts/commons-operator/Chart.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v2
+name: commons-operator
+version: "0.0.0-dev"
+appVersion: "0.0.0-dev"
+description: The Stackable Operator for Stackable Commons
+home: https://github.com/stackabletech/commons-operator
+maintainers:
+ - name: Stackable
+ url: https://www.stackable.tech
diff --git a/deploy/kustomize/overlays/helm/kustomization.yaml b/deploy/kustomize/overlays/helm/kustomization.yaml
new file mode 100644
index 0000000..8f224fe
--- /dev/null
+++ b/deploy/kustomize/overlays/helm/kustomization.yaml
@@ -0,0 +1,27 @@
+---
+# This was an attempt to assemble the Helm chart from a local chart file and
+# the base manifests.
+#
+# Unfortunately it only generates a flat file list of rendered resources and
+# skips the Chart.yaml in the output altogether.
+#
+#resources:
+# - ../../base/
+#helmGlobals:
+# chartHome: ../../charts
+#helmCharts:
+# - name: commons-operator
+# releaseName: commons-operator
+# namespace: stackable-operators
+# valuesFile: values.yaml
+
+# This is a working example on how to use Helm charts as input (generator) resources.
+# This is not what we want because it still requires a published Helm chart to be available,
+# but this is exactly what we are trying to produce.
+helmCharts:
+ - name: commons-operator
+ version: 0.0.0-dev
+ releaseName: commons-operator
+ namespace: stackable-operators
+ valuesFile: values.yaml
+ repo: https://repo.stackable.tech/repository/helm-dev/
diff --git a/deploy/kustomize/overlays/helm/values.yaml b/deploy/kustomize/overlays/helm/values.yaml
new file mode 100644
index 0000000..12153c1
--- /dev/null
+++ b/deploy/kustomize/overlays/helm/values.yaml
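Review bot: The active `helmCharts` entry pulls `commons-operator` at `version: 0.0.0-dev` from `https://repo.stackable.tech/repository/helm-dev/` at build time, so `kustomize build` on this overlay now depends on a mutable dev artifact fetched over the network with no digest or signature check — whatever sits at that version when the build runs is what gets rendered. The file's own comments say this is a throw-away experiment, so the minimum is to say that at the top so it is never wired into CI or a release path: `# EXPERIMENT — renders an unpinned dev chart fetched from a remote repo; not for releases.` If the overlay is kept, render from the local chart directory via `helmGlobals.chartHome` (the commented-out attempt) or from a chart pulled and verified in a separate, pinned step.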
@@ -0,0 +1,47 @@
+# Default values for commons-operator.
+---
+image:
+ repository: docker.stackable.tech/stackable/commons-operator
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+# Provide additional labels which get attached to all deployed resources
+labels:
+ stackable.tech/vendor: Stackable
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+
+resources:
+ limits:
+ cpu: 200m
+ memory: 1024Mi
+ requests:
+ cpu: 200m
+ memory: 1024Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# When running on a non-default Kubernetes cluster domain, the cluster domain can be configured here.
+# See the https://docs.stackable.tech/home/stable/guides/kubernetes-cluster-domain guide for details.
+# kubernetesClusterDomain: my-cluster.local
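Review bot: `podSecurityContext: {}` and `securityContext: {}` leave the chart's defaults fully open, so every install renders an operator container that may escalate privileges, write its root filesystem and keep the default capability set unless the installer remembers to override them — and because these are defaults, that gap propagates to every user of the chart. I would ship the restrictive values below and let users loosen them; `runAsNonRoot` stays commented until the image's USER is confirmed non-root, and whether the chart template actually wires these values into the pod spec is not visible in this diff, so check that before relying on them.
```yaml
podSecurityContext:
  seccompProfile:
    type: RuntimeDefault
  # fsGroup: 2000

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]
  # runAsNonRoot: true  # enable once the image's USER is confirmed non-root
```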