feat: Add Kustomize profile for StatefulSet resource

Makefile

@@ -104,11 +104,20 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default | kubectl apply -f -
+	$(KUSTOMIZE) build config/overlays/deployment | kubectl apply -f -
+
+.PHONY: deploy-statefulset
+deploy-statefulset: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	$(KUSTOMIZE) build config/overlays/statefulset | kubectl apply -f -
 
 .PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+	$(KUSTOMIZE) build config/overlays/deployment | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+
+.PHONY: undeploy-statefulset
+undeploy-statefulset: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+	$(KUSTOMIZE) build config/overlays/statefulset | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
 ##@ Tools
 
@@ -164,8 +173,12 @@ configure-git-origin:
 		git remote add origin https://github.com/kyma-project/template-operator
 
 .PHONY: build-manifests
-build-manifests: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/default > template-operator.yaml
+build-manifests: manifests kustomize
+	$(KUSTOMIZE) build config/overlays/deployment > template-operator.yaml
+
+.PHONY: build-statefulset-manifests
+build-statefulset-manifests: manifests kustomize
+	$(KUSTOMIZE) build config/overlays/statefulset > template-operator.yaml
 
 DEFAULT_CR ?= $(shell pwd)/config/samples/default-sample-cr.yaml
 .PHONY: build-module

README.md

@@ -155,9 +155,9 @@ Use one of the following options to install kubebuilder:
 #### Optional: Adjust the Default Config Resources
 If the module operator is deployed under the same namespace with other operators, differentiate your resources by adding common labels.
 
-1. Add `commonLabels` to default `kustomization.yaml`. See [reference implementation](config/default/kustomization.yaml).
+1. Add `commonLabels` to default `kustomization.yaml`. See [reference implementation](config/overlays/deployment/kustomization.yaml).
 
-2. Include all resources (for example, [manager.yaml](config/manager/manager.yaml)) that contain label selectors by using `commonLabels`.
+2. Include all resources (for example, [manager.yaml](config/manager/deployment/manager.yaml)) that contain label selectors by using `commonLabels`.
 
 Further reading: [Kustomize Built-In commonLabels](https://github.com/kubernetes-sigs/kustomize/blob/master/api/internal/konfig/builtinpluginconsts/commonlabels.go)
 

config/default/commonlabels_override.yaml → config/base/commonlabels_override.yaml

@@ -5,4 +5,4 @@ commonLabels:
 - path: spec/selector/matchLabels
   create: true
   version: v1
-  kind: ServiceMonitor
+  kind: ServiceMonitor

config/base/kustomization.yaml

@@ -0,0 +1,67 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# Labels to add to all resources and selectors.
+commonLabels:
+  app.kubernetes.io/component: template-operator.kyma-project.io
+
+configurations:
+- commonlabels_override.yaml
+
+components:
+- ../crd
+- ../managed-resources
+- ../rbac
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+#- ../webhook
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
+#- ../certmanager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+
+
+# patchesStrategicMerge:
+# Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
+# - manager_auth_proxy_patch.yaml
+
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+# - manager_webhook_patch.yaml
+
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
+# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
+# - webhookcainjection_patch.yaml
+
+# the following config is for teaching kustomize how to do var substitution
+# vars:
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
+#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+#  objref:
+#    kind: Certificate
+#    group: cert-manager.io
+#    version: v1
+#    name: serving-cert # this name should match the one in certificate.yaml
+#  fieldref:
+#    fieldpath: metadata.namespace
+#- name: CERTIFICATE_NAME
+#  objref:
+#    kind: Certificate
+#    group: cert-manager.io
+#    version: v1
+#    name: serving-cert # this name should match the one in certificate.yaml
+#- name: SERVICE_NAMESPACE # namespace of the service
+#  objref:
+#    kind: Service
+#    version: v1
+#    name: webhook-service
+#  fieldref:
+#    fieldpath: metadata.namespace
+#- name: SERVICE_NAME
+#  objref:
+#    kind: Service
+#    version: v1
+#    name: webhook-service

config/crd/kustomization.yaml

@@ -3,7 +3,7 @@ kind: Component
 
 # This kustomization.yaml is not intended to be run by itself,
 # since it depends on service name and namespace that are out of this kustomize package.
-# It should be run by config/default
+# It should be run by config/overlays/deployment or config/overlays/statefulset
 resources:
   - bases/operator.kyma-project.io_samples.yaml
   - bases/operator.kyma-project.io_manageds.yaml

config/default/kustomization.yaml

@@ -11,14 +11,9 @@ namespace: template-operator-system
 # field above.
 namePrefix: template-operator-
 
-# Labels to add to all resources and selectors.
-commonLabels:
-  app.kubernetes.io/component: template-operator.kyma-project.io
-
-configurations:
-- commonlabels_override.yaml
 resources:
-- ../manager
+  - ../base
+  - ../manager/deployment
 
 patches:
   - patch: |-
@@ -32,62 +27,4 @@ patches:
         path: /spec/template/spec/containers/0/args/-
         value: --final-deletion-state=Deleting
     target:
-      kind: Deployment
-
-components:
-- ../crd
-- ../managed-resources
-- ../rbac
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-#- ../webhook
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-#- ../certmanager
-# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-#- ../prometheus
-
-
-# patchesStrategicMerge:
-# Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
-# endpoint w/o any authn/z, please comment the following line.
-# - manager_auth_proxy_patch.yaml
-
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-# - manager_webhook_patch.yaml
-
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-# 'CERTMANAGER' needs to be enabled to use ca injection
-# - webhookcainjection_patch.yaml
-
-# the following config is for teaching kustomize how to do var substitution
-# vars:
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: CERTIFICATE_NAME
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#- name: SERVICE_NAMESPACE # namespace of the service
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: SERVICE_NAME
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
+      kind: Deployment

config/manager/statefulset/kustomization.yaml

@@ -0,0 +1,12 @@
+resources:
+- manager.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: europe-docker.pkg.dev/kyma-project/prod/template-operator
+  newTag: latest

config/manager/statefulset/manager.yaml

@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/component: template-operator.kyma-project.io
+  name: system
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    app.kubernetes.io/component: template-operator.kyma-project.io
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: template-operator.kyma-project.io
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+      labels:
+        app.kubernetes.io/component: template-operator.kyma-project.io
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      containers:
+      - args:
+        - --leader-elect
+        ports:
+        - containerPort: 40000
+        image: controller:latest
+        name: manager
+        securityContext:
+          allowPrivilegeEscalation: false
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 10m
+            memory: 64Mi
+      serviceAccountName: controller-manager
+      terminationGracePeriodSeconds: 10

config/overlays/deployment/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# Adds namespace to all resources.
+namespace: template-operator-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: template-operator-
+
+resources:
+  - ../../base
+  - ../../manager/deployment
+
+patches:
+  - patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --final-state=Ready
+    target:
+      kind: Deployment
+  - patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --final-deletion-state=Deleting
+    target:
+      kind: Deployment

config/overlays/deployment/manager_auth_proxy_patch.yaml

@@ -0,0 +1,34 @@
+# This patch inject a sidecar container which is a HTTP proxy for the
+# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=0"
+        ports:
+        - containerPort: 8443
+          protocol: TCP
+          name: https
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 5m
+            memory: 64Mi
+      - name: manager
+        args:
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=127.0.0.1:8080"
+        - "--leader-elect"

config/overlays/statefulset/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# Adds namespace to all resources.
+namespace: template-operator-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: template-operator-
+
+resources:
+  - ../../base
+  - ../../manager/statefulset
+
+patches:
+  - patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --final-state=Ready
+    target:
+      kind: StatefulSet
+  - patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --final-deletion-state=Deleting
+    target:
+      kind: StatefulSet