From 5ef6c3efb7908c4be524d29b4ac7042d16a62d18 Mon Sep 17 00:00:00 2001 
From: Alfred Krohmer Date: Wed, 5 Apr 2023 10:33:52 +0200 Subject: [PATCH] feat: add semantic-release and Helm chart; push Docker image and Helm chart to ghcr.io BREAKING CHANGE: not really a breaking change, just bumping to v1.0.0 --- .github/workflows/branches.yaml | 22 ++---- .github/workflows/master.yaml | 25 ------- .github/workflows/publish.yaml | 71 ++++++++++++++++++ .github/workflows/release.yaml | 29 +++++++ .releaserc.yaml | 13 ++++ Makefile | 2 +- README.md | 9 +-- charts/k8s-aws-operator/Chart.yaml | 11 +++ .../crds}/aws.k8s.logmein.com_eips.yaml | 0 .../crds}/aws.k8s.logmein.com_enis.yaml | 0 .../templates/deployment.yaml | 42 +++++++++++ charts/k8s-aws-operator/templates/rbac.yaml | 75 +++++++++++++++++++ .../k8s-aws-operator/templates/service.yaml | 19 +++++ .../templates/servicemonitor.yaml | 16 ++++ charts/k8s-aws-operator/values.yaml | 34 +++++++++ config/certmanager/certificate.yaml | 24 ------ config/certmanager/kustomization.yaml | 22 ------ config/certmanager/kustomizeconfig.yaml | 16 ---- config/crd/kustomization.yaml | 15 ---- config/crd/kustomizeconfig.yaml | 14 ---- config/crd/patches/webhook_in_eip.yaml | 18 ----- config/default/kustomization.yaml | 42 ----------- config/default/manager_auth_proxy_patch.yaml | 24 ------ config/default/manager_image_patch.yaml | 12 --- .../manager_prometheus_metrics_patch.yaml | 19 ----- config/default/manager_webhook_patch.yaml | 23 ------ config/default/webhookcainjection_patch.yaml | 15 ---- config/manager/kustomization.yaml | 2 - config/manager/manager.yaml | 59 --------------- config/rbac/auth_proxy_role.yaml | 13 ---- config/rbac/auth_proxy_role_binding.yaml | 12 --- config/rbac/auth_proxy_service.yaml | 20 ----- config/rbac/kustomization.yaml | 9 --- config/rbac/role_binding.yaml | 12 --- config/webhook/kustomization.yaml | 21 ------ config/webhook/kustomizeconfig.yaml | 25 ------- config/webhook/manifests.yaml | 0 config/webhook/service.yaml | 13 ---- deploy/deployment.yaml | 34 --------- 
deploy/rbac.yaml | 73 ------------------ main.go | 8 +- 41 files changed, 324 insertions(+), 589 deletions(-) delete mode 100644 .github/workflows/master.yaml create mode 100644 .github/workflows/publish.yaml create mode 100644 .github/workflows/release.yaml create mode 100644 .releaserc.yaml create mode 100644 charts/k8s-aws-operator/Chart.yaml rename {config/crd/bases => charts/k8s-aws-operator/crds}/aws.k8s.logmein.com_eips.yaml (100%) rename {config/crd/bases => charts/k8s-aws-operator/crds}/aws.k8s.logmein.com_enis.yaml (100%) create mode 100644 charts/k8s-aws-operator/templates/deployment.yaml create mode 100644 charts/k8s-aws-operator/templates/rbac.yaml create mode 100644 charts/k8s-aws-operator/templates/service.yaml create mode 100644 charts/k8s-aws-operator/templates/servicemonitor.yaml create mode 100644 charts/k8s-aws-operator/values.yaml delete mode 100644 config/certmanager/certificate.yaml delete mode 100644 config/certmanager/kustomization.yaml delete mode 100644 config/certmanager/kustomizeconfig.yaml delete mode 100644 config/crd/kustomization.yaml delete mode 100644 config/crd/kustomizeconfig.yaml delete mode 100644 config/crd/patches/webhook_in_eip.yaml delete mode 100644 config/default/kustomization.yaml delete mode 100644 config/default/manager_auth_proxy_patch.yaml delete mode 100644 config/default/manager_image_patch.yaml delete mode 100644 config/default/manager_prometheus_metrics_patch.yaml delete mode 100644 config/default/manager_webhook_patch.yaml delete mode 100644 config/default/webhookcainjection_patch.yaml delete mode 100644 config/manager/kustomization.yaml delete mode 100644 config/manager/manager.yaml delete mode 100644 config/rbac/auth_proxy_role.yaml delete mode 100644 config/rbac/auth_proxy_role_binding.yaml delete mode 100644 config/rbac/auth_proxy_service.yaml delete mode 100644 config/rbac/kustomization.yaml delete mode 100644 config/rbac/role_binding.yaml delete mode 100644 config/webhook/kustomization.yaml delete mode 
100644 config/webhook/kustomizeconfig.yaml delete mode 100644 config/webhook/manifests.yaml delete mode 100644 config/webhook/service.yaml delete mode 100644 deploy/deployment.yaml delete mode 100644 deploy/rbac.yaml diff --git a/.github/workflows/branches.yaml b/.github/workflows/branches.yaml index 37d1bd1..b1e7528 100644 --- a/.github/workflows/branches.yaml +++ b/.github/workflows/branches.yaml @@ -1,24 +1,18 @@ -name: Build Container (branches) +name: Build docker image on branches on: push: - branches: - - /refs/heads/* - - !master + branches-ignore: + - main jobs: build: name: Docker Build and Publish runs-on: ubuntu-latest steps: - - name: Check out code into the Go module directory - uses: actions/checkout@v2 + - name: Check out code + uses: actions/checkout@v3 - - name: Docker build and publish - uses: docker/build-push-action@v1 + - name: Docker build + uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc with: - username: ${{ secrets.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - repository: logmein/k8s-aws-operator - tag_with_ref: false - tag_with_sha: false + context: . push: false - diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml deleted file mode 100644 index 0053872..0000000 --- a/.github/workflows/master.yaml +++ /dev/null @@ -1,25 +0,0 @@ -name: Build Container (master) -on: - push: - branches: - - master - tags: - - 'v*' -jobs: - build: - name: Docker Build and Publish - runs-on: ubuntu-latest - steps: - - name: Check out code into the Go module directory - uses: actions/checkout@v2 - - - name: Docker build and publish - uses: docker/build-push-action@v1 - with: - username: ${{ secrets.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - repository: logmein/k8s-aws-operator - tag_with_ref: true - tag_with_sha: false - push: true - diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml new file mode 100644 index 0000000..8863d42 --- /dev/null 
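Review bot: `uses: actions/checkout@v3` stays on a mutable tag while `docker/build-push-action` in the same hunk is pinned to a commit SHA; pin checkout the same way (`uses: actions/checkout@<checkout-commit-sha> # v3`) so the workflow has one supply-chain posture, and the same applies to the checkout steps in publish.yaml and release.yaml. The workflow declares no `permissions:` block, so the job token keeps the repository's default scope although a `push: false` build needs only read access; add `permissions: {contents: read}` at the workflow level. `branches-ignore: [main]` assumes the default branch is now `main` (the deleted master.yaml still referred to `master`); if it has not been renamed, pushes to `master` build here and release.yaml never runs.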
+++ b/.github/workflows/publish.yaml 
@@ -0,0 +1,71 @@
+name: Publish Docker image and Helm chart
+
+on:
+ release:
+ types: [published]
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build-and-push-image:
+ name: Buld and push Docker image
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ outputs:
+ imageDigest: ${{ steps.build-and-push.outputs.digest }}
+
+ build-and-push-chart:
+ name: Buld and push Helm chart
+ needs: build-and-push-image
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ packages: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Helm login
+ shell: bash
+ run: echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} --password-stdin ghcr.io
+
+ - name: Helm package
+ shell: bash
+ run: helm package charts/${{ github.event.repository.name }} --app-version ${{ github.event.release.tag_name }}@${{needs.build-and-push-image.outputs.imageDigest}} --version ${{ github.event.release.tag_name }}-chart
+
+ - name: Helm push
+ shell: bash
+ run: helm push ${{ github.event.repository.name }}-${{ github.event.release.tag_name }}-chart.tgz oci://ghcr.io/${{ github.repository_owner }}
+
+ - name: Helm logout
+ shell: bash
+ run: helm registry 
logout ghcr.io diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..9938e26 --- /dev/null +++ b/.github/workflows/release.yaml @@ -0,0 +1,29 @@ +name: Release + +on: + push: + branches: + - 'main' + +jobs: + semantic-release: + name: Run semantic-release + runs-on: ubuntu-latest + permissions: + contents: write + packages: write + issues: write + pull-requests: write + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Semantic Release + uses: cycjimmy/semantic-release-action@071ef4c9640be3700de2aa7f39e8f4038e0269ed + with: + extra_plugins: | + conventional-changelog-conventionalcommits@5.0.0 + @semantic-release/changelog@6.0.1 + @semantic-release/git@10.0.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.releaserc.yaml b/.releaserc.yaml new file mode 100644 index 0000000..f216dd4 --- /dev/null +++ b/.releaserc.yaml @@ -0,0 +1,13 @@ +verifyConditions: [] +branches: +- main +plugins: +- '@semantic-release/commit-analyzer' +- - '@semantic-release/release-notes-generator' + - preset: conventionalcommits +- - '@semantic-release/changelog' + - changelogFile: CHANGELOG.md +- - '@semantic-release/git' + - assets: + - CHANGELOG.md + message: "chore(release): ${nextRelease.version}\n\n${nextRelease.notes}" diff --git a/Makefile b/Makefile index 08de919..e6ab49b 100644 --- a/Makefile +++ b/Makefile @@ -47,7 +47,7 @@ deploy: manifests # Generate manifests e.g. CRD, RBAC etc. manifests: controller-gen - $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=charts/k8s-aws-operator/crds # Run go fmt against code fmt: diff --git a/README.md b/README.md index 39a0e56..f33094b 100644 --- a/README.md +++ b/README.md 
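Review bot: The `run:` steps of build-and-push-chart splice `${{ secrets.GITHUB_TOKEN }}`, `${{ github.actor }}`, `${{ github.event.release.tag_name }}` and `${{ github.event.repository.name }}` straight into the shell script text; pass them through `env:` and read the variables inside the script instead, as below, so event data never becomes script source. The same job requests `contents: write`, although checkout and `helm push` need only `contents: read` and `packages: write`. The chart is packaged as version `<tag>-chart`, while the README in this commit installs `--version v1.0.0`, so one of the two has to change for the documented command to resolve. Indentation is lost in this view, so I cannot tell whether `outputs: imageDigest:` sits at job level or under the build step's `with:` (where build-push-action has its own `outputs` input); only the job-level form feeds `needs.build-and-push-image.outputs.imageDigest`, otherwise `--app-version` ends in a bare `@`.
```yaml
      # … unchanged: checkout step …
      - name: Helm login
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ACTOR: ${{ github.actor }}
        run: echo "$GITHUB_TOKEN" | helm registry login -u "$ACTOR" --password-stdin ghcr.io

      - name: Helm package
        shell: bash
        env:
          CHART: ${{ github.event.repository.name }}
          TAG: ${{ github.event.release.tag_name }}
          DIGEST: ${{ needs.build-and-push-image.outputs.imageDigest }}
        run: helm package "charts/$CHART" --app-version "$TAG@$DIGEST" --version "$TAG-chart"

      - name: Helm push
        shell: bash
        env:
          CHART: ${{ github.event.repository.name }}
          TAG: ${{ github.event.release.tag_name }}
          OWNER: ${{ github.repository_owner }}
        run: helm push "$CHART-$TAG-chart.tgz" "oci://ghcr.io/$OWNER"
      # … unchanged: Helm logout step …
```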
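Review bot: The `plugins:` list in .releaserc.yaml omits `@semantic-release/github`, and an explicit `plugins` list replaces the defaults, so unless the action injects it (not visible here) no GitHub release is created and no `release: published` event fires; publish.yaml in this commit triggers only on that event, so the image and chart would never be published. Add `- '@semantic-release/github'` after the `@semantic-release/git` entry; the `issues: write` and `pull-requests: write` permissions granted in release.yaml only make sense once that plugin is present. `verifyConditions: []` appears to disable every plugin's precondition check (token, permissions, changelog path), which moves misconfiguration failures from the start of the run to the publish step; consider dropping that line unless it was added to work around a specific check.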
@@ -2,8 +2,6 @@ Manage AWS Elastic IPs (EIPs) and Elastic Network Interfaces (ENIs) as Custom Resources in your Kubernetes cluster and assign them your pods. -**Warning:** This project is still work in progress. There might be breaking API changes in the future. Use at your own risk. - ## Requirements * Your pod IPs must be allocated from your VPC subnets. This is the default setup on AWS EKS by using the [AWS VPC CNI plugin](https://github.com/aws/amazon-vpc-cni-k8s). @@ -18,13 +16,14 @@ Create an IAM role with the policy [here](iam/policy.json). ### Install the operator -Ensure that the k8s-aws-operator uses this role, e.g. using [»IAM Roles for Service Accounts« (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) or [kube2iam](https://github.com/jtblin/kube2iam)/[kiam](https://github.com/uswitch/kiam). Modify the manifests [here](deploy) accordingly, then run: +Run: ```bash -$ kubectl apply -f config/crd/bases/ # install Custom Resource Definition (CRD) for EIP Custom Resource -$ kubectl apply -f deploy/ # install the operator +$ helm install --namespace kube-system --set aws.region=us-east-1 oci://ghcr.io/goto-opensource/k8s-aws-operator --version v1.0.0 # adjust version ``` +If you want to use [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), add the required trust relationship with your cluster to the IAM role and add the corresponding annotation on the service account (e.g. by setting the Helm value `serviceAccount.annotations."eks.amazonaws.com/role-arn"` accordingly). + ## Usage ### EIPs diff --git a/charts/k8s-aws-operator/Chart.yaml b/charts/k8s-aws-operator/Chart.yaml new file mode 100644 index 0000000..703b65d --- /dev/null +++ b/charts/k8s-aws-operator/Chart.yaml 
@@ -0,0 +1,11 @@
+apiVersion: v1
+type: application
+name: k8s-aws-operator
+version: 0.0.0-placeholder
+appVersion: v0.0.0-placeholder
+description: Operator for managing ENIs and EIPs in AWS from within Kubernetes
+home: https://github.com/goto-opensource/k8s-aws-operator
+maintainers:
+- name: Alfred Krohmer
+ email: alfred.krohmer@goto.com
+ url: https://github.com/alfredkrohmer
diff --git a/config/crd/bases/aws.k8s.logmein.com_eips.yaml b/charts/k8s-aws-operator/crds/aws.k8s.logmein.com_eips.yaml similarity index 100% rename from config/crd/bases/aws.k8s.logmein.com_eips.yaml rename to charts/k8s-aws-operator/crds/aws.k8s.logmein.com_eips.yaml
diff --git a/config/crd/bases/aws.k8s.logmein.com_enis.yaml b/charts/k8s-aws-operator/crds/aws.k8s.logmein.com_enis.yaml similarity index 100% rename from config/crd/bases/aws.k8s.logmein.com_enis.yaml rename to charts/k8s-aws-operator/crds/aws.k8s.logmein.com_enis.yaml
diff --git a/charts/k8s-aws-operator/templates/deployment.yaml b/charts/k8s-aws-operator/templates/deployment.yaml new file mode 100644
index 0000000..0d86363
--- /dev/null
+++ b/charts/k8s-aws-operator/templates/deployment.yaml
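Review bot: `apiVersion: v1` marks this as a Helm 2-style chart, so the `type: application` field on the next line is ignored (it is only defined for `apiVersion: v2`), and the OCI push and install used by publish.yaml and the README require Helm 3 anyway; set `apiVersion: v2`. The `0.0.0-placeholder` / `v0.0.0-placeholder` values are only replaced when the chart goes through `helm package --version … --app-version …` in publish.yaml; a plain `helm install charts/k8s-aws-operator` from a checkout renders the image tag as `v0.0.0-placeholder` because deployment.yaml defaults `image.tag` to `.Chart.AppVersion`, which is worth a one-line comment above `version:` so nobody installs from source without `--set image.tag=…`.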
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Chart.Name }}
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ spec:
+ serviceAccountName: {{ .Chart.Name }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector: {{ . | toYaml | nindent 6 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations: {{ . | toYaml | nindent 6 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity: {{ . | toYaml | nindent 6 }}
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints }}
+ topologySpreadConstraints: {{ . | toYaml | nindent 6 }}
+ {{- end }}
+ containers:
+ - name: k8s-aws-operator
+ image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+ resources: {{ .Values.resources | toYaml | nindent 10 }}
+ args:
+ - -region={{ required "aws.region is required" .Values.aws.region }}
+ {{- if or .Values.leaderElection.enabled (gt (.Values.replicas | int) 1) }}
+ - -leader-election-namespace={{ .Release.Namespace }}
+ {{- end }}
+ ports:
+ - name: metrics
+ containerPort: 8080
+ protocol: TCP
diff --git a/charts/k8s-aws-operator/templates/rbac.yaml b/charts/k8s-aws-operator/templates/rbac.yaml new file mode 100644
index 0000000..a933446
--- /dev/null
+++ b/charts/k8s-aws-operator/templates/rbac.yaml
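Review bot: The `nodeSelector`, `tolerations`, `affinity` and `topologySpreadConstraints` lines use `nindent 6`, which places the rendered entries at the same column as the key itself if those keys sit at the usual 6-space column of the pod spec (the `resources:` line two levels deeper uses `nindent 10`, which matches standard two-space nesting); indentation is lost in this view, so please confirm, and if so change the four to `nindent 8`. Neither the pod nor the container declares a `securityContext`; for an operator that only talks to the Kubernetes and AWS APIs the usual restricted settings below apply, with the caveat that `runAsNonRoot: true` requires the image to run as a non-root user, which the diff does not show. The `image:` line falls back to `.Chart.AppVersion`, which publish.yaml sets to `<tag>@<digest>`; that produces a tag-plus-digest reference and pins the image, but deserves a comment next to `tag:` in values.yaml so the empty default is not mistaken for a bug.
```yaml
# … unchanged: metadata, selector, template labels …
    spec:
      serviceAccountName: {{ .Chart.Name }}
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
# … unchanged: nodeSelector / tolerations / affinity / topologySpreadConstraints …
      containers:
      - name: k8s-aws-operator
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
# … unchanged: image, resources, args, ports …
```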
@@ -0,0 +1,75 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Chart.Name }}
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{ . | toYaml | nindent 4 }}
+ {{- end }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Chart.Name }}
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
+- apiGroups: ["aws.k8s.logmein.com"]
+ resources: ["eips", "enis"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Chart.Name }}
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Chart.Name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Chart.Name }}
+ namespace: {{ .Release.Namespace }}
+
+# for leader election:
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Chart.Name }}
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+rules:
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ resourceNames: ["k8s-aws-operator"]
+ verbs: ["delete","get","update","watch"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Chart.Name }}
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Chart.Name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Chart.Name }}
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/k8s-aws-operator/templates/service.yaml b/charts/k8s-aws-operator/templates/service.yaml new file mode 100644
index 0000000..21ec2a1
--- /dev/null
+++ b/charts/k8s-aws-operator/templates/service.yaml
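Review bot: The ClusterRole grants `verbs: ["*"]` on `eips` and `enis`; narrow it to the verbs the reconciler actually issues, and note that a wildcard on the parent resource does not cover the `eips/status` and `enis/status` subresources, so if the controller writes `.status` those need their own rule, e.g. `resources: ["eips/status", "enis/status"]` with `verbs: ["get", "update", "patch"]`. The leader-election Role limits `leases` to `resourceNames: ["k8s-aws-operator"]`, while the lease name is chosen in main.go (changed in this commit but outside this view); if the two differ, the `create` succeeds and the subsequent `get`/`update` on the lease is denied, so a comment pointing at the main.go constant would keep them in sync. The Role and RoleBinding are rendered even when `leaderElection.enabled` is false and `replicas` is 1, which is harmless but could share the condition the Deployment uses for the `-leader-election-namespace` flag.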
@@ -0,0 +1,19 @@
+{{- if .Values.metrics.serviceMonitor.enable }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Chart.Name }}-metrics
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+spec:
+ {{- with .Values.metrics.service.clusterIP }}
+ clusterIP: {{ . | quote }}
+ {{- end }}
+ ports:
+ - name: metrics
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+{{- end }}
diff --git a/charts/k8s-aws-operator/templates/servicemonitor.yaml b/charts/k8s-aws-operator/templates/servicemonitor.yaml new file mode 100644
index 0000000..3b3b9f2
--- /dev/null
+++ b/charts/k8s-aws-operator/templates/servicemonitor.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ .Chart.Name }}
+ labels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Chart.Name }}
+ endpoints:
+ {{- with .Values.metrics.serviceMonitor.endpoints }}
+ {{ . | toYaml | nindent 2 }}
+ {{- end}}
+{{- end }}
diff --git a/charts/k8s-aws-operator/values.yaml b/charts/k8s-aws-operator/values.yaml new file mode 100644
index 0000000..debaac4
--- /dev/null
+++ b/charts/k8s-aws-operator/values.yaml
@@ -0,0 +1,34 @@
+image:
+ registry: ghcr.io
+ repository: goto-opensource/k8s-aws-operator
+ tag: # coming from appVersion
+
+resources:
+ requests:
+ cpu: 20m
+ memory: 300Mi
+ limits:
+ memory: 300Mi
+
+aws:
+ region:
+
+serviceAccount:
+ annotations: {}
+
+replicas: 1
+leaderElection:
+ enabled: false
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+topologySpreadConstraints: []
+
+metrics:
+ serviceMonitor:
+ enabled: false
+ endpoints:
+ - port: metrics
+ service:
+ clusterIP:
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml deleted file mode 100644
index 9d6bad1..0000000
--- a/config/certmanager/certificate.yaml
+++ /dev/null
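Review bot: The guard on the first line of service.yaml reads `.Values.metrics.serviceMonitor.enable`, but values.yaml and servicemonitor.yaml in this same commit use `metrics.serviceMonitor.enabled`; the Service is therefore never rendered, and a ServiceMonitor switched on through values selects no endpoints. Change it to `{{- if .Values.metrics.serviceMonitor.enabled }}`. This also exposes port 8080 without the kube-rbac-proxy that the deleted `config/default/manager_auth_proxy_patch.yaml` placed in front of `/metrics`; if unauthenticated cluster-internal scraping is the intended model for the chart, a one-line comment under `metrics:` in values.yaml stating that would spare the next reader the comparison with the old kustomize layout.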
@@ -1,24 +0,0 @@ -# The following manifests contain a self-signed issuer CR and a certificate CR. -# More document can be found at https://docs.cert-manager.io -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Issuer -metadata: - name: selfsigned-issuer - namespace: system -spec: - selfSigned: {} ---- -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Certificate -metadata: - name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml - namespace: system -spec: - # $(SERVICENAME) and $(NAMESPACE) will be substituted by kustomize - commonName: $(SERVICENAME).$(NAMESPACE).svc - dnsNames: - - $(SERVICENAME).$(NAMESPACE).svc.cluster.local - issuerRef: - kind: Issuer - name: selfsigned-issuer - secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml deleted file mode 100644 index 50236e8..0000000 --- a/config/certmanager/kustomization.yaml +++ /dev/null @@ -1,22 +0,0 @@ -resources: -- certificate.yaml - -# the following config is for teaching kustomize how to do var substitution -vars: -- name: CERTIFICATENAME - objref: - kind: Certificate - group: certmanager.k8s.io - version: v1alpha1 - name: serving-cert # this name should match the one in certificate.yaml -- name: CERTIFICATENAMESPACE - objref: - kind: Certificate - group: certmanager.k8s.io - version: v1alpha1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - -configurations: -- kustomizeconfig.yaml diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml deleted file mode 100644 index 49e0b1e..0000000 --- a/config/certmanager/kustomizeconfig.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution -nameReference: -- kind: Issuer - group: certmanager.k8s.io - fieldSpecs: - - kind: Certificate - group: certmanager.k8s.io - path: spec/issuerRef/name - -varReference: -- kind: Certificate - group: certmanager.k8s.io - path: spec/commonName -- kind: Certificate - group: certmanager.k8s.io - path: spec/dnsNames diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml deleted file mode 100644 index c6026fe..0000000 --- a/config/crd/kustomization.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# This kustomization.yaml is not intended to be run by itself, -# since it depends on service name and namespace that are out of this kustomize package. -# It should be run by config/default -resources: -- bases/aws.k8s.logmein.com_eips.yaml -# +kubebuilder:scaffold:kustomizeresource - -patches: -# patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_eips.yaml -# +kubebuilder:scaffold:kustomizepatch - -# the following config is for teaching kustomize how to do kustomization for CRDs. -configurations: -- kustomizeconfig.yaml diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml deleted file mode 100644 index 373f8cf..0000000 --- a/config/crd/kustomizeconfig.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# This file is for teaching kustomize how to substitute name and namespace reference in CRD -nameReference: -- kind: Service - version: v1 - fieldSpecs: - - kind: CustomResourceDefinition - group: apiextensions.k8s.io - path: spec/conversion/webhookClientConfig/service/name - -varReference: -- path: metadata/annotations -- kind: CustomResourceDefinition - group: apiextensions.k8s.io - path: spec/conversion/webhookClientConfig/service/namespace diff --git a/config/crd/patches/webhook_in_eip.yaml b/config/crd/patches/webhook_in_eip.yaml deleted file mode 100644 index ec58511..0000000 
--- a/config/crd/patches/webhook_in_eip.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# The following patch enables conversion webhook for CRDw -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) - name: eips.aws.k8s.logmein.com -spec: - conversion: - strategy: Webhook - webhookClientConfig: - # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, - # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) - caBundle: Cg== - service: - namespace: $(NAMESPACE) - name: webhook-service - path: /convert-eip diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml deleted file mode 100644 index cda1b1e..0000000 --- a/config/default/kustomization.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -# Adds namespace to all resources. -namespace: k8s-aws-operator-system - -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -namePrefix: k8s-aws-operator- - -# Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue - -bases: -- ../crd -- ../rbac -- ../manager -# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook. -#- ../webhook -# [CERTMANAGER] Uncomment next line to enable cert-manager -#- ../certmanager - -patches: -- manager_image_patch.yaml - # Protect the /metrics endpoint by putting it behind auth. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. -- manager_auth_proxy_patch.yaml - # If you want your controller-manager to expose the /metrics - # endpoint w/o any authn/z, uncomment the following line and - # comment manager_auth_proxy_patch.yaml. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. -#- manager_prometheus_metrics_patch.yaml - -# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook. -#- manager_webhook_patch.yaml - -# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks. [CERTMANAGER] needs to be -# enabled to use ca injection -#- webhookcainjection_patch.yaml diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index cbcc6d0..0000000 --- a/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the controller manager, -# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=10" - ports: - - containerPort: 8443 - name: https - - name: manager - args: - - "--metrics-addr=127.0.0.1:8080" diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml deleted file mode 100644 index fcbf39d..0000000 --- a/config/default/manager_image_patch.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - # Change the value of image field below to your controller image URL - - image: IMAGE_URL - name: manager diff --git a/config/default/manager_prometheus_metrics_patch.yaml b/config/default/manager_prometheus_metrics_patch.yaml deleted file mode 100644 index 96fdcda..0000000 --- a/config/default/manager_prometheus_metrics_patch.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# This patch enables Prometheus scraping for the manager pod. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: controller-manager - namespace: system -spec: - template: - metadata: - annotations: - prometheus.io/scrape: 'true' - spec: - containers: - # Expose the prometheus metrics on default port - - name: manager - ports: - - containerPort: 8080 - name: metrics - protocol: TCP diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml deleted file mode 100644 index ecb90f4..0000000 --- a/config/default/manager_webhook_patch.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - ports: - - containerPort: 443 - name: webhook-server - protocol: TCP - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml deleted file mode 100644 index c2d2a3c..0000000 --- a/config/default/webhookcainjection_patch.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# This patch add annotation to admission webhook config and -# the variables $(NAMESPACE) and $(CERTIFICATENAME) will be substituted by kustomize. -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - name: mutating-webhook-configuration - annotations: - certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME) ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: validating-webhook-configuration - annotations: - certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME) diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml deleted file mode 100644 index 5c5f0b8..0000000 --- a/config/manager/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: -- manager.yaml diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml deleted file mode 100644 index fe765f5..0000000 --- a/config/manager/manager.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" - name: system ---- -apiVersion: v1 -kind: Service -metadata: - name: controller-manager-service - namespace: system - labels: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" -spec: - selector: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" - ports: - - port: 443 ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: controller-manager - namespace: system - labels: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" -spec: - selector: - matchLabels: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" - serviceName: controller-manager-service - replicas: 1 - podManagementPolicy: Parallel - template: - metadata: - labels: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" - spec: - containers: - - command: - - /manager - image: controller:latest - imagePullPolicy: Always - name: manager - resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi - terminationGracePeriodSeconds: 10 diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index 618f5e4..0000000 --- a/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: proxy-role -rules: -- apiGroups: ["authentication.k8s.io"] - resources: - - tokenreviews - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] - resources: - - subjectaccessreviews - verbs: ["create"] diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 48ed1e4..0000000 --- a/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null 
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: proxy-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: system
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index 027073f..0000000
--- a/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- prometheus.io/port: "8443"
- prometheus.io/scheme: https
- prometheus.io/scrape: "true"
- labels:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
- name: controller-manager-metrics-service
- namespace: system
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: https
- selector:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
deleted file mode 100644
index 1694b72..0000000
--- a/config/rbac/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-resources:
-- role.yaml
-- role_binding.yaml
-# Comment the following 3 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
deleted file mode 100644
index 8f26587..0000000
--- a/config/rbac/role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: manager-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: system
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml
deleted file mode 100644
index 9e2bcac..0000000
--- a/config/webhook/kustomization.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-resources:
-- manifests.yaml
-- service.yaml
-
-configurations:
-- kustomizeconfig.yaml
-
-# the following config is for teaching kustomize how to do var substitution
-vars:
-- name: NAMESPACE
- objref:
- kind: Service
- version: v1
- name: webhook-service
- fieldref:
- fieldpath: metadata.namespace
-- name: SERVICENAME
- objref:
- kind: Service
- version: v1
- name: webhook-service
diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml
deleted file mode 100644
index 25e21e3..0000000
--- a/config/webhook/kustomizeconfig.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# the following config is for teaching kustomize where to look at when substituting vars.
-# It requires kustomize v2.1.0 or newer to work properly.
-nameReference:
-- kind: Service
- version: v1
- fieldSpecs:
- - kind: MutatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/name
- - kind: ValidatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/name
-
-namespace:
-- kind: MutatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/namespace
- create: true
-- kind: ValidatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/namespace
- create: true
-
-varReference:
-- path: metadata/annotations
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
deleted file mode 100644
index e69de29..0000000
diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml
deleted file mode 100644
index 4653ddf..0000000
--- a/config/webhook/service.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-
-apiVersion: v1
-kind: Service
-metadata:
- name: webhook-service
- namespace: system
-spec:
- ports:
- - port: 443
- targetPort: 443
- selector:
- control-plane: controller-manager
- controller-tools.k8s.io: "1.0"
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
deleted file mode 100644
index 5f659bb..0000000
--- a/deploy/deployment.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: k8s-aws-operator
- namespace: kube-system
- labels:
- app.kubernetes.io/name: k8s-aws-operator
-spec:
- replicas: 2
- selector:
- matchLabels:
- app.kubernetes.io/name: k8s-aws-operator
- template:
- metadata:
- labels:
- app.kubernetes.io/name: k8s-aws-operator
- spec:
- serviceAccountName: k8s-aws-operator
- containers:
- image: logmein/k8s-aws-operator
- name: k8s-aws-operator
- resources:
- requests:
- cpu: 20m
- memory: 50Mi
- limits:
- memory: 100Mi
- args:
- -region=us-east-1
- -leader-election-namespace=kube-system
- ports:
- name: metrics
- containerPort: 8080
- protocol: TCP
diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
deleted file mode 100644
index e56b3f8..0000000
--- a/deploy/rbac.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: k8s-aws-operator
- namespace: kube-system
- labels:
- app.kubernetes.io/name: k8s-aws-operator
- #annotations:
- # eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/k8s-aws-operator
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: k8s-aws-operator
- labels:
- app.kubernetes.io/name: k8s-aws-operator
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["aws.k8s.logmein.com"]
- resources: ["eips", "enis"]
- verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: k8s-aws-operator
- labels:
- app.kubernetes.io/name: k8s-aws-operator
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: k8s-aws-operator
-subjects:
-- kind: ServiceAccount
- name: k8s-aws-operator
- namespace: kube-system
-
-# for leader election:
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: k8s-aws-operator
- namespace: kube-system
- labels:
- app.kubernetes.io/name: k8s-aws-operator
-rules:
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create"]
-- apiGroups: [""]
- resources: ["configmaps"]
- resourceNames: ["k8s-aws-operator"]
- verbs: ["delete","get","update"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: k8s-aws-operator
- namespace: kube-system
- labels:
- app.kubernetes.io/name: k8s-aws-operator
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: k8s-aws-operator
-subjects:
- - kind: ServiceAccount
- name: k8s-aws-operator
- namespace: kube-system
diff --git a/main.go b/main.go
index 80cf58c..2860647 100644
--- a/main.go
+++ b/main.go
@@ -16,7 +16,6 @@ limitations under the License.
package main
import (
- "errors"
"flag"
"os"
@@ -60,11 +59,6 @@ func main() {
awsConfig := aws.NewConfig()
- if leaderElectionNamespace == "" {
- setupLog.Error(errors.New("-leader-election-namespace flag is required"), "command line flag validation failed")
- os.Exit(1)
- }
-
if region != "" {
awsConfig = awsConfig.WithRegion(region)
}
@@ -79,7 +73,7 @@ func main() {
mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
Scheme: scheme,
MetricsBindAddress: metricsAddr,
- LeaderElection: true,
+ LeaderElection: leaderElectionNamespace != "" && leaderElectionID != "",
LeaderElectionNamespace: leaderElectionNamespace,
LeaderElectionID: leaderElectionID,
})
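Review bot: With `LeaderElection: leaderElectionNamespace != "" && leaderElectionID != ""` standing in for the removed `-leader-election-namespace` validation, a deployment that sets only one of the two leader-election values now silently runs without leader election instead of failing at startup; the deleted deploy/deployment.yaml ran `replicas: 2`, and if the new chart allows the same, two replicas would reconcile the same EIP/ENI objects concurrently with no log line explaining why. I'd keep a fail-fast check for the half-configured case where the removed block was, e.g. `if (leaderElectionNamespace == "") != (leaderElectionID == "") { setupLog.Error(errors.New("leader election requires both a namespace and an ID"), "command line flag validation failed"); os.Exit(1) }` (this needs the `errors` import the commit drops from main.go), and log the decision once before building the manager, e.g. `setupLog.Info("leader election", "enabled", leaderElectionNamespace != "" && leaderElectionID != "")`, so a multi-replica rollout without leader election is visible. Computing that boolean once into a local and passing it to `ctrl.Options` would also keep the log line and the option from drifting apart. main() starts and ends outside the hunk.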