feat: add semantic-release and Helm chart; push Docker image and Helm…

… chart to ghcr.io

BREAKING CHANGE: not really a breaking change, just bumping to v1.0.0

.github/workflows/branches.yaml

@@ -1,24 +1,18 @@
-name: Build Container (branches)
+name: Build docker image on branches
 on: 
   push:
-    branches:
-    - /refs/heads/*
-    - !master
+    branches-ignore:
+    - main
 jobs:
   build:
     name: Docker Build and Publish
     runs-on: ubuntu-latest
     steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+    - name: Check out code
+      uses: actions/checkout@v3
 
-    - name: Docker build and publish
-      uses: docker/build-push-action@v1
+    - name: Docker build
+      uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
       with:
-        username: ${{ secrets.DOCKERHUB_USER }}
-        password: ${{ secrets.DOCKERHUB_PASSWORD }}
-        repository: logmein/k8s-aws-operator
-        tag_with_ref: false
-        tag_with_sha: false
+        context: .
         push: false
-

.github/workflows/publish.yaml

@@ -0,0 +1,71 @@
+name: Publish Docker image and Helm chart
+
+on:
+  release:
+    types: [published]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    name: Buld and push Docker image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Log in to the Container registry
+      uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+    - name: Build and push Docker image
+      id: build-and-push
+      uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+      with:
+        context: .
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+    outputs:
+      imageDigest: ${{ steps.build-and-push.outputs.digest }}
+
+  build-and-push-chart:
+    name: Buld and push Helm chart
+    needs: build-and-push-image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Helm login
+      shell: bash
+      run: echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} --password-stdin ghcr.io
+
+    - name: Helm package
+      shell: bash
+      run: helm package charts/${{ github.event.repository.name }} --app-version ${{ github.event.release.tag_name }}@${{needs.build-and-push-image.outputs.imageDigest}} --version ${{ github.event.release.tag_name }}-chart
+
+    - name: Helm push
+      shell: bash
+      run: helm push ${{ github.event.repository.name }}-${{ github.event.release.tag_name }}-chart.tgz oci://ghcr.io/${{ github.repository_owner }}
+
+    - name: Helm logout
+      shell: bash
+      run: helm registry logout ghcr.io

.github/workflows/release.yaml

@@ -0,0 +1,29 @@
+name: Release
+
+on:
+  push:
+    branches:
+    - 'main'
+
+jobs:
+  semantic-release:
+    name: Run semantic-release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      issues: write
+      pull-requests: write
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Semantic Release
+      uses: cycjimmy/semantic-release-action@071ef4c9640be3700de2aa7f39e8f4038e0269ed
+      with:
+        extra_plugins: |
+          [email protected]
+          @semantic-release/[email protected]
+          @semantic-release/[email protected]
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.releaserc.yaml

@@ -0,0 +1,13 @@
+verifyConditions: []
+branches:
+- main
+plugins:
+- '@semantic-release/commit-analyzer'
+- - '@semantic-release/release-notes-generator'
+  - preset: conventionalcommits
+- - '@semantic-release/changelog'
+  - changelogFile: CHANGELOG.md
+- - '@semantic-release/git'
+  - assets:
+    - CHANGELOG.md
+    message: "chore(release): ${nextRelease.version}\n\n${nextRelease.notes}"

Makefile

@@ -47,7 +47,7 @@ deploy: manifests
 
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=charts/k8s-aws-operator/crds
 
 # Run go fmt against code
 fmt:

README.md

@@ -2,8 +2,6 @@
 
 Manage AWS Elastic IPs (EIPs) and Elastic Network Interfaces (ENIs) as Custom Resources in your Kubernetes cluster and assign them your pods.
 
-**Warning:** This project is still work in progress. There might be breaking API changes in the future. Use at your own risk.
-
 ## Requirements
 
 * Your pod IPs must be allocated from your VPC subnets. This is the default setup on AWS EKS by using the [AWS VPC CNI plugin](https://github.com/aws/amazon-vpc-cni-k8s).
@@ -18,13 +16,14 @@ Create an IAM role with the policy [here](iam/policy.json).
 
 ### Install the operator
 
-Ensure that the k8s-aws-operator uses this role, e.g. using [»IAM Roles for Service Accounts« (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [kube2iam](https://github.com/jtblin/kube2iam)/[kiam](https://github.com/uswitch/kiam). Modify the manifests [here](deploy) accordingly, then run:
+Run:
 
 ```bash
-$ kubectl apply -f config/crd/bases/ # install Custom Resource Definition (CRD) for EIP Custom Resource
-$ kubectl apply -f deploy/          # install the operator
+$ helm install --namespace kube-system --set aws.region=us-east-1 oci://ghcr.io/goto-opensource/k8s-aws-operator --version v1.0.0 # adjust version
 ```
 
+If you want to use [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), add the required trust relationship with your cluster to the IAM role and add the corresponding annotation on the service account (e.g. by setting the Helm value `serviceAccount.annotations."eks.amazonaws.com/role-arn"` accordingly).
+
 ## Usage
 
 ### EIPs

charts/k8s-aws-operator/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+type: application
+name: k8s-aws-operator
+version: 0.0.0-placeholder
+appVersion: v0.0.0-placeholder
+description: Operator for managing ENIs and EIPs in AWS from within Kubernetes
+home: https://github.com/goto-opensource/k8s-aws-operator
+maintainers:
+- name: Alfred Krohmer
+  email: [email protected]
+  url: https://github.com/alfredkrohmer

charts/k8s-aws-operator/templates/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Chart.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ .Chart.Name }}
+    spec:
+      serviceAccountName: {{ .Chart.Name }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector: {{ . | toYaml | nindent 6 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations: {{ . | toYaml | nindent 6 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity: {{ . | toYaml | nindent 6 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints: {{ . | toYaml | nindent 6 }}
+      {{- end }}
+      containers:
+      - name: k8s-aws-operator
+        image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+        resources: {{ .Values.resources | toYaml | nindent 10 }}
+        args:
+        - -region={{ required "aws.region is required" .Values.aws.region }}
+        {{- if or .Values.leaderElection.enabled (gt (.Values.replicas | int) 1) }}
+        - -leader-election-namespace={{ .Release.Namespace }}
+        {{- end }}
+        ports:
+        - name: metrics
+          containerPort: 8080
+          protocol: TCP

charts/k8s-aws-operator/templates/rbac.yaml

@@ -0,0 +1,75 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{ . | toYaml | nindent 4 }}
+  {{- end }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+- apiGroups: ["aws.k8s.logmein.com"]
+  resources: ["eips", "enis"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Chart.Name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}
+  namespace: {{ .Release.Namespace }}
+
+# for leader election:
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+rules:
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["create"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  resourceNames: ["k8s-aws-operator"]
+  verbs: ["delete","get","update","watch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Chart.Name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}
+  namespace: {{ .Release.Namespace }}

charts/k8s-aws-operator/templates/service.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.metrics.serviceMonitor.enable }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Chart.Name }}-metrics
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+spec:
+  {{- with .Values.metrics.service.clusterIP }}
+  clusterIP: {{ . | quote }}
+  {{- end }}
+  ports:
+  - name: metrics
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+{{- end }}

charts/k8s-aws-operator/templates/servicemonitor.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Chart.Name }}
+  endpoints:
+  {{- with .Values.metrics.serviceMonitor.endpoints }}
+  {{ . | toYaml | nindent 2 }}
+  {{- end}}
+{{- end }}