diff --git a/Makefile b/Makefile index 48291105..115301c3 100644 --- a/Makefile +++ b/Makefile @@ -24,19 +24,25 @@ BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL) endif BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) +# Address of the container registry +REGISTRY = quay.io + +# Organization in container resgistry +ORG ?= kuadrant + # IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images. # This variable is used to construct full image tags for bundle and catalog images. # # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both # quay.io/kuadrant/limitador-operator-bundle:$VERSION and quay.io/kuadrant/limitador-operator-catalog:$VERSION. -IMAGE_TAG_BASE ?= quay.io/kuadrant/limitador-operator +IMAGE_TAG_BASE ?= $(REGISTRY)/$(ORG)/limitador-operator # BUNDLE_IMG defines the image:tag used for the bundle. # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=/:) BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION) # Image URL to use all building/pushing image targets -IMG ?= quay.io/kuadrant/limitador-operator:latest +IMG ?= $(IMAGE_TAG_BASE):latest # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. ENVTEST_K8S_VERSION = 1.22 @@ -150,6 +156,13 @@ rm -rf $$TMP_DIR ;\ } endef +DEPLOYMENT_DIR = $(PROJECT_DIR)/config/deploy +.PHONY: deploy-manifest +deploy-manifest: + mkdir -p $(DEPLOYMENT_DIR) + cd $(PROJECT_DIR)/config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) ;\ + cd $(PROJECT_DIR) && $(KUSTOMIZE) build config/default >> $(DEPLOYMENT_DIR)/manfiests.yaml + OPERATOR_SDK = $(shell pwd)/bin/operator-sdk OPERATOR_SDK_VERSION = v1.15.0 operator-sdk: ## Download operator-sdk locally if necessary. diff --git a/config/deploy/manfiests.yaml b/config/deploy/manfiests.yaml new file mode 100644 index 00000000..e1167743 --- /dev/null +++ b/config/deploy/manfiests.yaml 
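Review bot: `REGISTRY = quay.io` is a plain assignment while `ORG` two lines below uses `?=`, so the two knobs behave differently: `ORG` is taken from the environment when it is set there, `REGISTRY` only from the make command line. Because `IMAGE_TAG_BASE` and `IMG` are now built from both, a generically named `ORG` variable in a CI shell would silently change the repository that images are pushed to and that ends up in rendered manifests. Either make both `?=` on purpose and say so in the comment, or give the variables a project-specific prefix. The added comment also has a typo and should read `# Organization in container registry`. `IMG` still defaults to the mutable `:latest` tag, so manifests built with it are not reproducible.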
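Review bot: The last recipe line of `deploy-manifest` appends with `>>`, so every run adds another full copy of the rendered output to the file. The `config/deploy/manfiests.yaml` committed here already shows the result: two concatenated copies with no `---` between them, the first Deployment using `quay.io/3scale/limitador-operator:latest` and the second `quay.io/kuadrant/limitador-operator:latest`. That leaves it ambiguous which image a consumer of the file actually deploys, so truncate instead: `cd $(PROJECT_DIR) && $(KUSTOMIZE) build config/default > $(DEPLOYMENT_DIR)/manfiests.yaml`. The `;\` after `kustomize edit set image` also lets the build run when the edit failed, so join the two commands with `&&`. The file name `manfiests.yaml` looks like a typo for `manifests.yaml`.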
@@ -0,0 +1,810 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: limitador-operator-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: limitadors.limitador.kuadrant.io +spec: + group: limitador.kuadrant.io + names: + kind: Limitador + listKind: LimitadorList + plural: limitadors + singular: limitador + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Limitador is the Schema for the limitadors API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: LimitadorSpec defines the desired state of Limitador + properties: + replicas: + type: integer + version: + type: string + type: object + status: + description: LimitadorStatus defines the observed state of Limitador + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: ratelimits.limitador.kuadrant.io +spec: + group: limitador.kuadrant.io + names: + kind: RateLimit + listKind: RateLimitList + plural: ratelimits + singular: ratelimit + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RateLimit is the Schema for the ratelimits API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RateLimitSpec defines the desired state of RateLimit + properties: + conditions: + items: + type: string + type: array + max_value: + type: integer + namespace: + type: string + seconds: + type: integer + variables: + items: + type: string + type: array + required: + - conditions + - max_value + - namespace + - seconds + - variables + type: object + status: + description: RateLimitStatus defines the observed state of RateLimit + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: limitador-operator-controller-manager + namespace: limitador-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: limitador-operator-leader-election-role + namespace: limitador-operator-system +rules: +- apiGroups: + - "" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: limitador-operator-manager-role +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - limitador.kuadrant.io + resources: + - limitadors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - limitador.kuadrant.io + resources: + - limitadors/finalizers + verbs: + - update +- apiGroups: + - limitador.kuadrant.io + 
resources: + - limitadors/status + verbs: + - get + - patch + - update +- apiGroups: + - limitador.kuadrant.io + resources: + - ratelimits + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - limitador.kuadrant.io + resources: + - ratelimits/finalizers + verbs: + - update +- apiGroups: + - limitador.kuadrant.io + resources: + - ratelimits/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: limitador-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: limitador-operator-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: limitador-operator-leader-election-rolebinding + namespace: limitador-operator-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: limitador-operator-leader-election-role +subjects: +- kind: ServiceAccount + name: limitador-operator-controller-manager + namespace: limitador-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: limitador-operator-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: limitador-operator-manager-role +subjects: +- kind: ServiceAccount + name: limitador-operator-controller-manager + namespace: limitador-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: limitador-operator-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: limitador-operator-proxy-role +subjects: +- kind: ServiceAccount + name: limitador-operator-controller-manager + 
namespace: limitador-operator-system +--- +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 3745a16e.kuadrant.io +kind: ConfigMap +metadata: + name: limitador-operator-manager-config + namespace: limitador-operator-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: limitador-operator-controller-manager-metrics-service + namespace: limitador-operator-system +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + control-plane: controller-manager + name: limitador-operator-controller-manager + namespace: limitador-operator-system +spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + template: + metadata: + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + image: quay.io/3scale/limitador-operator:latest + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + 
serviceAccountName: limitador-operator-controller-manager + terminationGracePeriodSeconds: 10 +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: limitador-operator-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: limitadors.limitador.kuadrant.io +spec: + group: limitador.kuadrant.io + names: + kind: Limitador + listKind: LimitadorList + plural: limitadors + singular: limitador + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Limitador is the Schema for the limitadors API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: LimitadorSpec defines the desired state of Limitador + properties: + replicas: + type: integer + version: + type: string + type: object + status: + description: LimitadorStatus defines the observed state of Limitador + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: ratelimits.limitador.kuadrant.io +spec: + group: limitador.kuadrant.io + names: + kind: RateLimit + listKind: RateLimitList + plural: ratelimits + singular: ratelimit + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RateLimit is the Schema for the ratelimits API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RateLimitSpec defines the desired state of RateLimit + properties: + conditions: + items: + type: string + type: array + max_value: + type: integer + namespace: + type: string + seconds: + type: integer + variables: + items: + type: string + type: array + required: + - conditions + - max_value + - namespace + - seconds + - variables + type: object + status: + description: RateLimitStatus defines the observed state of RateLimit + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: limitador-operator-controller-manager + namespace: limitador-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: limitador-operator-leader-election-role + namespace: limitador-operator-system +rules: +- apiGroups: + - "" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: limitador-operator-manager-role +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - limitador.kuadrant.io + resources: + - limitadors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - limitador.kuadrant.io + resources: + - limitadors/finalizers + verbs: + - update +- apiGroups: + - limitador.kuadrant.io + 
resources: + - limitadors/status + verbs: + - get + - patch + - update +- apiGroups: + - limitador.kuadrant.io + resources: + - ratelimits + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - limitador.kuadrant.io + resources: + - ratelimits/finalizers + verbs: + - update +- apiGroups: + - limitador.kuadrant.io + resources: + - ratelimits/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: limitador-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: limitador-operator-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: limitador-operator-leader-election-rolebinding + namespace: limitador-operator-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: limitador-operator-leader-election-role +subjects: +- kind: ServiceAccount + name: limitador-operator-controller-manager + namespace: limitador-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: limitador-operator-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: limitador-operator-manager-role +subjects: +- kind: ServiceAccount + name: limitador-operator-controller-manager + namespace: limitador-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: limitador-operator-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: limitador-operator-proxy-role +subjects: +- kind: ServiceAccount + name: limitador-operator-controller-manager + 
namespace: limitador-operator-system +--- +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 3745a16e.kuadrant.io +kind: ConfigMap +metadata: + name: limitador-operator-manager-config + namespace: limitador-operator-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: limitador-operator-controller-manager-metrics-service + namespace: limitador-operator-system +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + control-plane: controller-manager + name: limitador-operator-controller-manager + namespace: limitador-operator-system +spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + template: + metadata: + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + image: quay.io/kuadrant/limitador-operator:latest + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + 
serviceAccountName: limitador-operator-controller-manager + terminationGracePeriodSeconds: 10