
Initial commit

This initial commit includes support for Mcrouter and Memcached, basic CI tests,
as well as Helm charts for deploying them.

Depends-On: https://review.opendev.org/713107
Depends-On: https://review.opendev.org/713115
Change-Id: I0b1ab6d8e716460e095bc3953614e336620f984e
changes/04/713104/40
Mohammed Naser 1 year ago
parent
commit
6dbb9475f9
74 changed files with 2912 additions and 0 deletions
  1. +24
    -0
      .gitignore
  2. +86
    -0
      .zuul.yaml
  3. +31
    -0
      Dockerfile
  4. +89
    -0
      Makefile
  5. +10
    -0
      PROJECT
  6. +20
    -0
      api/v1alpha1/groupversion_info.go
  7. +46
    -0
      api/v1alpha1/mcrouter_types.go
  8. +40
    -0
      api/v1alpha1/memcached_types.go
  9. +230
    -0
      api/v1alpha1/zz_generated.deepcopy.go
  10. +11
    -0
      chart/Chart.yaml
  11. +75
    -0
      chart/crds/infrastructure.vexxhost.cloud_mcrouters.yaml
  12. +56
    -0
      chart/crds/infrastructure.vexxhost.cloud_memcacheds.yaml
  13. +40
    -0
      chart/templates/_helpers.tpl
  14. +85
    -0
      chart/templates/clusterrole.yaml
  15. +12
    -0
      chart/templates/clusterrolebinding.yaml
  16. +4
    -0
      chart/templates/crds.yaml
  17. +39
    -0
      chart/templates/deployment.yaml
  18. +31
    -0
      chart/templates/role.yaml
  19. +12
    -0
      chart/templates/rolebinding.yaml
  20. +5
    -0
      chart/templates/serviceaccount.yaml
  21. +0
    -0
      chart/values.yaml
  22. +26
    -0
      config/certmanager/certificate.yaml
  23. +5
    -0
      config/certmanager/kustomization.yaml
  24. +16
    -0
      config/certmanager/kustomizeconfig.yaml
  25. +75
    -0
      config/crd/bases/infrastructure.vexxhost.cloud_mcrouters.yaml
  26. +56
    -0
      config/crd/bases/infrastructure.vexxhost.cloud_memcacheds.yaml
  27. +24
    -0
      config/crd/kustomization.yaml
  28. +17
    -0
      config/crd/kustomizeconfig.yaml
  29. +8
    -0
      config/crd/patches/cainjection_in_mcrouters.yaml
  30. +8
    -0
      config/crd/patches/cainjection_in_memcacheds.yaml
  31. +17
    -0
      config/crd/patches/webhook_in_mcrouters.yaml
  32. +17
    -0
      config/crd/patches/webhook_in_memcacheds.yaml
  33. +70
    -0
      config/default/kustomization.yaml
  34. +25
    -0
      config/default/manager_auth_proxy_patch.yaml
  35. +23
    -0
      config/default/manager_webhook_patch.yaml
  36. +15
    -0
      config/default/webhookcainjection_patch.yaml
  37. +2
    -0
      config/manager/kustomization.yaml
  38. +39
    -0
      config/manager/manager.yaml
  39. +2
    -0
      config/prometheus/kustomization.yaml
  40. +16
    -0
      config/prometheus/monitor.yaml
  41. +7
    -0
      config/rbac/auth_proxy_client_clusterrole.yaml
  42. +13
    -0
      config/rbac/auth_proxy_role.yaml
  43. +12
    -0
      config/rbac/auth_proxy_role_binding.yaml
  44. +14
    -0
      config/rbac/auth_proxy_service.yaml
  45. +12
    -0
      config/rbac/kustomization.yaml
  46. +32
    -0
      config/rbac/leader_election_role.yaml
  47. +12
    -0
      config/rbac/leader_election_role_binding.yaml
  48. +24
    -0
      config/rbac/mcrouter_editor_role.yaml
  49. +20
    -0
      config/rbac/mcrouter_viewer_role.yaml
  50. +24
    -0
      config/rbac/memcached_editor_role.yaml
  51. +20
    -0
      config/rbac/memcached_viewer_role.yaml
  52. +85
    -0
      config/rbac/role.yaml
  53. +12
    -0
      config/rbac/role_binding.yaml
  54. +9
    -0
      config/samples/infrastructure_v1alpha1_mcrouter.yaml
  55. +6
    -0
      config/samples/infrastructure_v1alpha1_memcached.yaml
  56. +6
    -0
      config/webhook/kustomization.yaml
  57. +25
    -0
      config/webhook/kustomizeconfig.yaml
  58. +12
    -0
      config/webhook/service.yaml
  59. +186
    -0
      controllers/mcrouter_controller.go
  60. +181
    -0
      controllers/memcached_controller.go
  61. +87
    -0
      controllers/suite_test.go
  62. +35
    -0
      docs/components/mcrouter.md
  63. +26
    -0
      docs/components/memcached.md
  64. +14
    -0
      go.mod
  65. +448
    -0
      go.sum
  66. +15
    -0
      hack/boilerplate.go.txt
  67. +13
    -0
      images/mcrouter/Dockerfile
  68. +9
    -0
      images/mcrouter_exporter/Dockerfile
  69. +1
    -0
      images/memcached/Dockerfile
  70. +1
    -0
      images/memcached_exporter/Dockerfile
  71. +93
    -0
      main.go
  72. +9
    -0
      playbooks/functional/run.yaml
  73. +38
    -0
      playbooks/functional/tests/memcached.yaml
  74. +4
    -0
      version/main.go

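--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,24 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+bin
+# Test binary, build with `go test -c`
+*.test
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+# Kubernetes Generated files - skip generated files, except for vendored files
+!vendor/**/zz_generated.*
+# editor and IDE paraphernalia
+.idea
+*.swp
+*.swo
+*~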

+ 86
- 0
.zuul.yaml View File

@ -0,0 +1,86 @@
- secret:
name: openstack-operator-dockerhub
data:
username: vexxhostzuul
password: !encrypted/pkcs1-oaep
- JgslylmR4+iQxQBEa05Mx7FJjjjeM+Oqu60N7pxGA32vQkTMRHfGgXz9HXz1A8XAEesQM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=
- job:
name: openstack-operator:images:build
parent: opendev-build-docker-image
provides: openstack-operator:image:operator
vars: &openstack_operator_images
docker_images:
- context: images/mcrouter
repository: vexxhost/mcrouter
- context: images/mcrouter_exporter
repository: vexxhost/mcrouter_exporter
- context: images/memcached
repository: vexxhost/memcached
- context: images/memcached_exporter
repository: vexxhost/memcached_exporter
- context: .
repository: vexxhost/openstack-operator
- job:
name: openstack-operator:images:upload
parent: opendev-upload-docker-image
provides: openstack-operator:image:operator
vars: *openstack_operator_images
secrets:
- name: docker_credentials
secret: openstack-operator-dockerhub
pass-to-parent: true
- job:
name: openstack-operator:images:promote
parent: opendev-promote-docker-image
vars: *openstack_operator_images
secrets:
- name: docker_credentials
secret: openstack-operator-dockerhub
pass-to-parent: true
- job:
name: openstack-operator:linters:chart
parent: chart-testing-lint
vars:
zuul_work_dir: "{{ zuul.project.src_dir }}/chart"
- job:
name: openstack-operator:functional
parent: apply-helm-charts
requires:
- openstack-operator:images
run: playbooks/functional/run.yaml
vars:
docker_use_buildset_registry: true
minikube_dns_resolvers: ['1.1.1.1', '8.8.8.8']
- project:
check:
jobs:
- openstack-operator:linters:chart
- openstack-operator:images:build
- openstack-operator:functional:
dependencies:
- openstack-operator:images:build
gate:
jobs:
- openstack-operator:linters:chart
- openstack-operator:images:upload
- openstack-operator:functional:
dependencies:
- openstack-operator:images:upload
promote:
jobs:
- openstack-operator:images:promote
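Review bot: The functional job's `requires: - openstack-operator:images` does not match the `provides: openstack-operator:image:operator` string declared by the build and upload jobs, so if the two are meant to pair, Zuul will not treat the image jobs as providers of that artifact for the functional job. Either rename both `provides` values to `openstack-operator:images` or change the `requires` entry to `openstack-operator:image:operator`. The `dependencies:` entries in the project stanza still order the jobs, so the mismatch appears to affect only artifact hand-off, which I infer from the `docker_use_buildset_registry: true` setting rather than from anything else visible here.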

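--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,31 @@
+# Build-time arguments
+ARG REV=latest
+# Build the manager binary
+FROM golang:1.13 as builder
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+# Copy the go source
+COPY main.go main.go
+COPY api/ api/
+COPY controllers/ controllers/
+COPY version/ version/
+# Build
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -ldflags "-X version.Revision=${REV}" -a -o manager main.go
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/manager .
+USER nonroot:nonroot
+ENTRYPOINT ["/manager"]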
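Review bot: `ARG REV=latest` is declared before the first `FROM`, so it is only in scope for `FROM` lines; inside the builder stage `${REV}` in the `go build -ldflags` line expands to an empty string and `Revision` is never stamped into the binary. Add `ARG REV` on the line after `FROM golang:1.13 as builder` to carry the value into that stage. The `-X version.Revision=` symbol also has to use the package's full import path as declared in go.mod rather than the bare `version` name for the linker to resolve it; go.mod and version/main.go are outside this section, so worth confirming there.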

+ 89
- 0
Makefile View File

@ -0,0 +1,89 @@
# Image URL to use all building/pushing image targets
IMG ?= controller:latest
# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
CRD_OPTIONS ?= "crd:trivialVersions=true"
# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
ifeq (,$(shell go env GOBIN))
GOBIN=$(shell go env GOPATH)/bin
else
GOBIN=$(shell go env GOBIN)
endif
all: manager
# Run tests
test: generate fmt vet manifests
go test ./... -coverprofile cover.out
# Build manager binary
manager: generate fmt vet
go build -o bin/manager main.go
# Run against the configured Kubernetes cluster in ~/.kube/config
run: generate fmt vet manifests
go run ./main.go
# Install CRDs into a cluster
install: manifests
kustomize build config/crd | kubectl apply -f -
# Uninstall CRDs from a cluster
uninstall: manifests
kustomize build config/crd | kubectl delete -f -
# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
deploy: manifests
cd config/manager && kustomize edit set image controller=${IMG}
kustomize build config/default | kubectl apply -f -
# Generate manifests e.g. CRD, RBAC etc.
manifests: controller-gen
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
$(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=chart/crds
$(CONTROLLER_GEN) rbac:roleName=openstack-operator paths="./..." +output:stdout > chart/templates/clusterrole.yaml
# Run go fmt against code
fmt:
go fmt ./...
# Run go vet against code
vet:
go vet ./...
# Generate code
generate: controller-gen
$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
# Build the docker image
docker-build: test
docker build . -t ${IMG}
# Push the docker image
docker-push:
docker push ${IMG}
# find or download controller-gen
# download controller-gen if necessary
controller-gen:
ifeq (, $(shell which controller-gen))
@{ \
set -e ;\
CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
cd $$CONTROLLER_GEN_TMP_DIR ;\
go mod init tmp ;\
go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.5 ;\
rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
}
CONTROLLER_GEN=$(GOBIN)/controller-gen
else
CONTROLLER_GEN=$(shell which controller-gen)
endif
# run-time images
images:
docker build images/mcrouter -t vexxhost/mcrouter:latest
docker build images/mcrouter_exporter -t vexxhost/mcrouter_exporter:latest
docker build images/memcached -t vexxhost/memcached:latest
docker build images/memcached_exporter -t vexxhost/memcached_exporter:latest

+ 10
- 0
PROJECT View File

@ -0,0 +1,10 @@
domain: vexxhost.cloud
repo: opendev.org/vexxhost/openstack-operator
resources:
- group: infrastructure
kind: Mcrouter
version: v1alpha1
- group: infrastructure
kind: Memcached
version: v1alpha1
version: "2"

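--- a/api/v1alpha1/groupversion_info.go
+++ b/api/v1alpha1/groupversion_info.go
@@ -0,0 +1,20 @@
+// Package v1alpha1 contains API Schema definitions for the infrastructure v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=infrastructure.vexxhost.cloud
+package v1alpha1
+import (
+"k8s.io/apimachinery/pkg/runtime/schema"
+"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+var (
+// GroupVersion is group version used to register these objects
+GroupVersion = schema.GroupVersion{Group: "infrastructure.vexxhost.cloud", Version: "v1alpha1"}
+// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+// AddToScheme adds the types in this group-version to the given scheme.
+AddToScheme = SchemeBuilder.AddToScheme
+)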

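--- a/api/v1alpha1/mcrouter_types.go
+++ b/api/v1alpha1/mcrouter_types.go
@@ -0,0 +1,46 @@
+package v1alpha1
+import (
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+// McrouterPoolSpec defines the desired state of an Mcrouter pool
+type McrouterPoolSpec struct {
+Servers []string `json:"servers"`
+}
+// McrouterSpec defines the desired state of Mcrouter
+type McrouterSpec struct {
+Pools map[string]McrouterPoolSpec `json:"pools"`
+Route string `json:"route"`
+}
+// McrouterStatus defines the observed state of Mcrouter
+type McrouterStatus struct {
+// +kubebuilder:validation:Default=Pending
+Phase string `json:"phase"`
+}
+// +kubebuilder:object:root=true
+// Mcrouter is the Schema for the mcrouters API
+type Mcrouter struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ObjectMeta `json:"metadata,omitempty"`
+Spec McrouterSpec `json:"spec,omitempty"`
+Status McrouterStatus `json:"status,omitempty"`
+}
+// +kubebuilder:object:root=true
+// McrouterList contains a list of Mcrouter
+type McrouterList struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ListMeta `json:"metadata,omitempty"`
+Items []Mcrouter `json:"items"`
+}
+func init() {
+SchemeBuilder.Register(&Mcrouter{}, &McrouterList{})
+}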
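Review bot: The `// +kubebuilder:validation:Default=Pending` marker on `McrouterStatus.Phase` has no effect in the generated CRDs in this commit — both config/crd/bases and chart/crds list `phase` under `required` with no `default`, so the marker is silently dropped by the `crd:trivialVersions=true` v1beta1 output. Either remove the marker and have the controller set the initial phase, or note that defaulting needs a structural schema on `apiextensions.k8s.io/v1`. `McrouterPoolSpec.Servers` and `McrouterSpec.Route` are also completely unconstrained; `// +kubebuilder:validation:MinItems=1` above `Servers` would reject an empty pool at admission instead of letting it reach the controller.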

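--- a/api/v1alpha1/memcached_types.go
+++ b/api/v1alpha1/memcached_types.go
@@ -0,0 +1,40 @@
+package v1alpha1
+import (
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+// MemcachedSpec defines the desired state of Memcached
+type MemcachedSpec struct {
+// +kubebuilder:validation:Required
+// +kubebuilder:validation:Default=64
+Megabytes int `json:"megabytes"`
+}
+// MemcachedStatus defines the observed state of Memcached
+type MemcachedStatus struct {
+}
+// +kubebuilder:object:root=true
+// Memcached is the Schema for the memcacheds API
+type Memcached struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ObjectMeta `json:"metadata,omitempty"`
+Spec MemcachedSpec `json:"spec,omitempty"`
+Status MemcachedStatus `json:"status,omitempty"`
+}
+// +kubebuilder:object:root=true
+// MemcachedList contains a list of Memcached
+type MemcachedList struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ListMeta `json:"metadata,omitempty"`
+Items []Memcached `json:"items"`
+}
+func init() {
+SchemeBuilder.Register(&Memcached{}, &MemcachedList{})
+}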
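Review bot: `Megabytes int` is constrained only by `Required` — the generated CRD in config/crd/bases/infrastructure.vexxhost.cloud_memcacheds.yaml shows `type: integer` with no minimum, so `megabytes: 0` or a negative value passes admission and only fails later at runtime. Add `// +kubebuilder:validation:Minimum=1` to reject it at the API server. Combining `Default=64` with `Required` is also contradictory (a required field is never defaulted), and the generated schema carries no `default`, so that marker appears to be a no-op here.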

+ 230
- 0
api/v1alpha1/zz_generated.deepcopy.go View File

@ -0,0 +1,230 @@
// +build !ignore_autogenerated
/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by controller-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Mcrouter) DeepCopyInto(out *Mcrouter) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Mcrouter.
func (in *Mcrouter) DeepCopy() *Mcrouter {
if in == nil {
return nil
}
out := new(Mcrouter)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *Mcrouter) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *McrouterList) DeepCopyInto(out *McrouterList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]Mcrouter, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new McrouterList.
func (in *McrouterList) DeepCopy() *McrouterList {
if in == nil {
return nil
}
out := new(McrouterList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *McrouterList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *McrouterPoolSpec) DeepCopyInto(out *McrouterPoolSpec) {
*out = *in
if in.Servers != nil {
in, out := &in.Servers, &out.Servers
*out = make([]string, len(*in))
copy(*out, *in)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new McrouterPoolSpec.
func (in *McrouterPoolSpec) DeepCopy() *McrouterPoolSpec {
if in == nil {
return nil
}
out := new(McrouterPoolSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *McrouterSpec) DeepCopyInto(out *McrouterSpec) {
*out = *in
if in.Pools != nil {
in, out := &in.Pools, &out.Pools
*out = make(map[string]McrouterPoolSpec, len(*in))
for key, val := range *in {
(*out)[key] = *val.DeepCopy()
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new McrouterSpec.
func (in *McrouterSpec) DeepCopy() *McrouterSpec {
if in == nil {
return nil
}
out := new(McrouterSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *McrouterStatus) DeepCopyInto(out *McrouterStatus) {
*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new McrouterStatus.
func (in *McrouterStatus) DeepCopy() *McrouterStatus {
if in == nil {
return nil
}
out := new(McrouterStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Memcached) DeepCopyInto(out *Memcached) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
out.Status = in.Status
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Memcached.
func (in *Memcached) DeepCopy() *Memcached {
if in == nil {
return nil
}
out := new(Memcached)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *Memcached) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *MemcachedList) DeepCopyInto(out *MemcachedList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]Memcached, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedList.
func (in *MemcachedList) DeepCopy() *MemcachedList {
if in == nil {
return nil
}
out := new(MemcachedList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *MemcachedList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *MemcachedSpec) DeepCopyInto(out *MemcachedSpec) {
*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedSpec.
func (in *MemcachedSpec) DeepCopy() *MemcachedSpec {
if in == nil {
return nil
}
out := new(MemcachedSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *MemcachedStatus) DeepCopyInto(out *MemcachedStatus) {
*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedStatus.
func (in *MemcachedStatus) DeepCopy() *MemcachedStatus {
if in == nil {
return nil
}
out := new(MemcachedStatus)
in.DeepCopyInto(out)
return out
}

+ 11
- 0
chart/Chart.yaml View File

@ -0,0 +1,11 @@
---
apiVersion: v1
name: openstack-operator
version: 0.0.0
description: Operator for deploying OpenStack
home: https://opendev.org/vexxhost/openstack-operator
maintainers:
- name: Mohammed Naser
email: mnaser@vexxhost.com
url: https://github.com/mnaser

+ 75
- 0
chart/crds/infrastructure.vexxhost.cloud_mcrouters.yaml View File

@ -0,0 +1,75 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
creationTimestamp: null
name: mcrouters.infrastructure.vexxhost.cloud
spec:
group: infrastructure.vexxhost.cloud
names:
kind: Mcrouter
listKind: McrouterList
plural: mcrouters
singular: mcrouter
scope: Namespaced
validation:
openAPIV3Schema:
description: Mcrouter is the Schema for the mcrouters API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: McrouterSpec defines the desired state of Mcrouter
properties:
pools:
additionalProperties:
description: McrouterPoolSpec defines the desired state of an Mcrouter
pool
properties:
servers:
items:
type: string
type: array
required:
- servers
type: object
type: object
route:
type: string
required:
- pools
- route
type: object
status:
description: McrouterStatus defines the observed state of Mcrouter
properties:
phase:
type: string
required:
- phase
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

+ 56
- 0
chart/crds/infrastructure.vexxhost.cloud_memcacheds.yaml View File

@ -0,0 +1,56 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
creationTimestamp: null
name: memcacheds.infrastructure.vexxhost.cloud
spec:
group: infrastructure.vexxhost.cloud
names:
kind: Memcached
listKind: MemcachedList
plural: memcacheds
singular: memcached
scope: Namespaced
validation:
openAPIV3Schema:
description: Memcached is the Schema for the memcacheds API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: MemcachedSpec defines the desired state of Memcached
properties:
megabytes:
type: integer
required:
- megabytes
type: object
status:
description: MemcachedStatus defines the observed state of Memcached
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

+ 40
- 0
chart/templates/_helpers.tpl View File

@ -0,0 +1,40 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "openstack-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openstack-operator.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Generate basic labels
*/}}
{{- define "openstack-operator.labels" }}
app.kubernetes.io/name: {{ .Chart.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openstack-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

+ 85
- 0
chart/templates/clusterrole.yaml View File

@ -0,0 +1,85 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: openstack-operator
rules:
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- configmaps
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- mcrouters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- mcrouters/status
verbs:
- get
- patch
- update
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- memcacheds
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- memcacheds/status
verbs:
- get
- patch
- update

+ 12
- 0
chart/templates/clusterrolebinding.yaml View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: openstack-operator
subjects:
- kind: ServiceAccount
name: {{ include "openstack-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
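Review bot: The binding is named per release (`name: {{ .Release.Name }}`) but it grants the cluster-scoped ClusterRole with the fixed name `openstack-operator` from clusterrole.yaml, so a second release of this chart in the same cluster would try to own the same ClusterRole and the install will fail on ownership. Every other object in the chart is named via `include "openstack-operator.fullname" .`, so the binding's name is also the odd one out; at minimum change it to `name: {{ include "openstack-operator.fullname" . }}`. Because clusterrole.yaml is written by `controller-gen` in the Makefile with `rbac:roleName=openstack-operator`, templating the ClusterRole name would need a post-processing step on that generated output.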

+ 4
- 0
chart/templates/crds.yaml View File

@ -0,0 +1,4 @@
{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }}
{{ $.Files.Get $path }}
---
{{- end }}

+ 39
- 0
chart/templates/deployment.yaml View File

@ -0,0 +1,39 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: {{ .Release.Namespace }}
name: {{ include "openstack-operator.fullname" . }}
labels:
{{ include "openstack-operator.labels" . | indent 4 }}
spec:
selector:
matchLabels:
{{ include "openstack-operator.labels" . | indent 6 }}
template:
metadata:
labels:
{{ include "openstack-operator.labels" $ | indent 8 }}
spec:
serviceAccountName: {{ include "openstack-operator.fullname" . }}
terminationGracePeriodSeconds: 10
containers:
- name: operator
image: vexxhost/openstack-operator:latest
args:
- --enable-leader-election
resources:
limits:
cpu: 100m
memory: 30Mi
requests:
cpu: 100m
memory: 20Mi
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
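Review bot: The `operator` container has no `securityContext` and runs an unpinned `vexxhost/openstack-operator:latest` image that is not driven by values, so every install silently picks up whatever was pushed last and the pod is not constrained beyond what the image itself does. The Dockerfile ends with `USER nonroot:nonroot` on a distroless static base, so `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, dropping all capabilities and a read-only root filesystem should all be compatible with the binary as built; the read-only root filesystem is worth re-checking once a webhook cert mount is added. The image should be pinned by tag or digest through values.yaml (currently empty) rather than `latest`.
```yaml
      containers:
      - name: operator
        image: vexxhost/openstack-operator:latest  # TODO(review): pin via values (tag or digest)
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
        # … unchanged: args, resources …
```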

+ 31
- 0
chart/templates/role.yaml View File

@ -0,0 +1,31 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "openstack-operator.fullname" . }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create

+ 12
- 0
chart/templates/rolebinding.yaml View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "openstack-operator.fullname" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "openstack-operator.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "openstack-operator.fullname" . }}
namespace: {{ .Release.Namespace }}

+ 5
- 0
chart/templates/serviceaccount.yaml View File

@ -0,0 +1,5 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "openstack-operator.fullname" . }}

+ 0
- 0
chart/values.yaml View File


+ 26
- 0
config/certmanager/certificate.yaml View File

@ -0,0 +1,26 @@
# The following manifests contain a self-signed issuer CR and a certificate CR.
# More document can be found at https://docs.cert-manager.io
# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for
# breaking changes
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: selfsigned-issuer
namespace: system
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
namespace: system
spec:
# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
dnsNames:
- $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
- $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize

+ 5
- 0
config/certmanager/kustomization.yaml View File

@ -0,0 +1,5 @@
resources:
- certificate.yaml
configurations:
- kustomizeconfig.yaml

+ 16
- 0
config/certmanager/kustomizeconfig.yaml View File

@ -0,0 +1,16 @@
# This configuration is for teaching kustomize how to update name ref and var substitution
nameReference:
- kind: Issuer
group: cert-manager.io
fieldSpecs:
- kind: Certificate
group: cert-manager.io
path: spec/issuerRef/name
varReference:
- kind: Certificate
group: cert-manager.io
path: spec/commonName
- kind: Certificate
group: cert-manager.io
path: spec/dnsNames

+ 75
- 0
config/crd/bases/infrastructure.vexxhost.cloud_mcrouters.yaml View File

@ -0,0 +1,75 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
creationTimestamp: null
name: mcrouters.infrastructure.vexxhost.cloud
spec:
group: infrastructure.vexxhost.cloud
names:
kind: Mcrouter
listKind: McrouterList
plural: mcrouters
singular: mcrouter
scope: Namespaced
validation:
openAPIV3Schema:
description: Mcrouter is the Schema for the mcrouters API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: McrouterSpec defines the desired state of Mcrouter
properties:
pools:
additionalProperties:
description: McrouterPoolSpec defines the desired state of an Mcrouter
pool
properties:
servers:
items:
type: string
type: array
required:
- servers
type: object
type: object
route:
type: string
required:
- pools
- route
type: object
status:
description: McrouterStatus defines the observed state of Mcrouter
properties:
phase:
type: string
required:
- phase
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

+ 56
- 0
config/crd/bases/infrastructure.vexxhost.cloud_memcacheds.yaml View File

@ -0,0 +1,56 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
creationTimestamp: null
name: memcacheds.infrastructure.vexxhost.cloud
spec:
group: infrastructure.vexxhost.cloud
names:
kind: Memcached
listKind: MemcachedList
plural: memcacheds
singular: memcached
scope: Namespaced
validation:
openAPIV3Schema:
description: Memcached is the Schema for the memcacheds API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: MemcachedSpec defines the desired state of Memcached
properties:
megabytes:
type: integer
required:
- megabytes
type: object
status:
description: MemcachedStatus defines the observed state of Memcached
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
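Review bot: `spec.megabytes` is declared only as `type: integer`, so `0`, negative values, or values far beyond node memory all pass admission and reach the controller (presumably ending up in memcached's size flag and the pod's memory request, though that code is not in view). Add `minimum: 1` and a deliberate `maximum` under `megabytes` so bad sizes fail at the API rather than as a crash-looping or unschedulable pod. As with the Mcrouter CRD, `v1beta1` stores unknown fields unless `preserveUnknownFields: false` is set under `spec`.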

+ 24
- 0
config/crd/kustomization.yaml View File

@ -0,0 +1,24 @@
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/infrastructure.vexxhost.cloud_mcrouters.yaml
- bases/infrastructure.vexxhost.cloud_memcacheds.yaml
# +kubebuilder:scaffold:crdkustomizeresource
patchesStrategicMerge:
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
# patches here are for enabling the conversion webhook for each CRD
#- patches/webhook_in_mcrouters.yaml
#- patches/webhook_in_memcacheds.yaml
# +kubebuilder:scaffold:crdkustomizewebhookpatch
# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
#- patches/cainjection_in_mcrouters.yaml
#- patches/cainjection_in_memcacheds.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml

+ 17
- 0
config/crd/kustomizeconfig.yaml View File

@ -0,0 +1,17 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/name
namespace:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations

+ 8
- 0
config/crd/patches/cainjection_in_mcrouters.yaml View File

@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: mcrouters.infrastructure.vexxhost.cloud

+ 8
- 0
config/crd/patches/cainjection_in_memcacheds.yaml View File

@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: memcacheds.infrastructure.vexxhost.cloud

+ 17
- 0
config/crd/patches/webhook_in_mcrouters.yaml View File

@ -0,0 +1,17 @@
# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: mcrouters.infrastructure.vexxhost.cloud
spec:
conversion:
strategy: Webhook
webhookClientConfig:
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: system
name: webhook-service
path: /convert

+ 17
- 0
config/crd/patches/webhook_in_memcacheds.yaml View File

@ -0,0 +1,17 @@
# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: memcacheds.infrastructure.vexxhost.cloud
spec:
conversion:
strategy: Webhook
webhookClientConfig:
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: system
name: webhook-service
path: /convert

+ 70
- 0
config/default/kustomization.yaml View File

@ -0,0 +1,70 @@
# Adds namespace to all resources.
namespace: openstack-operator-system
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: openstack-operator-
# Labels to add to all resources and selectors.
#commonLabels:
# someName: someValue
bases:
- ../crd
- ../rbac
- ../manager
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- ../webhook
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
#- ../certmanager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
patchesStrategicMerge:
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- manager_webhook_patch.yaml
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
# 'CERTMANAGER' needs to be enabled to use ca injection
#- webhookcainjection_patch.yaml
# the following config is for teaching kustomize how to do var substitution
vars:
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1alpha2
# name: serving-cert # this name should match the one in certificate.yaml
# fieldref:
# fieldpath: metadata.namespace
#- name: CERTIFICATE_NAME
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1alpha2
# name: serving-cert # this name should match the one in certificate.yaml
#- name: SERVICE_NAMESPACE # namespace of the service
# objref:
# kind: Service
# version: v1
# name: webhook-service
# fieldref:
# fieldpath: metadata.namespace
#- name: SERVICE_NAME
# objref:
# kind: Service
# version: v1
# name: webhook-service

+ 25
- 0
config/default/manager_auth_proxy_patch.yaml View File

@ -0,0 +1,25 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
name: https
- name: manager
args:
- "--metrics-addr=127.0.0.1:8080"
- "--enable-leader-election"
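Review bot: kube-rbac-proxy runs with `--v=10`, the highest klog verbosity, on a sidecar that receives a bearer token on every scrape and forwards it to the API server for TokenReview; at that level the proxy and its client-go log per-request detail, far more than a production sidecar should emit (whether raw tokens appear depends on the exact version, so treat this as a risk to confirm rather than a confirmed leak). Drop it to `--v=0` or at most `--v=2` and raise it only while debugging. The image is also pinned by tag only (`v0.4.1`), so a digest pin would prevent a silently swapped sidecar, and the container sets no `resources` or `securityContext`, unlike `manager`, whose limits live in manager.yaml.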

+ 23
- 0
config/default/manager_webhook_patch.yaml View File

@ -0,0 +1,23 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert

+ 15
- 0
config/default/webhookcainjection_patch.yaml View File

@ -0,0 +1,15 @@
# This patch add annotation to admission webhook config and
# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

+ 2
- 0
config/manager/kustomization.yaml View File

@ -0,0 +1,2 @@
resources:
- manager.yaml

+ 39
- 0
config/manager/manager.yaml View File

@ -0,0 +1,39 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
labels:
control-plane: controller-manager
spec:
containers:
- command:
- /manager
args:
- --enable-leader-election
image: controller:latest
name: manager
resources:
limits:
cpu: 100m
memory: 30Mi
requests:
cpu: 100m
memory: 20Mi
terminationGracePeriodSeconds: 10
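Review bot: The manager pod carries no `securityContext` at pod or container level and no `serviceAccountName`, so it runs as whatever user the image defaults to, with privilege escalation and the default capability set allowed, under the namespace's `default` ServiceAccount, which is the subject the RBAC bindings in this commit attach to. Add `runAsNonRoot`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities.drop: ["ALL"]` (a static Go controller at `/manager` should need none of them; confirm against the Dockerfile), plus a dedicated ServiceAccount referenced from the pod spec. `image: controller:latest` is a mutable tag; if the build does not substitute it via `kustomize edit set image`, pin it to a digest. The 30Mi memory limit is also tight for a controller-runtime manager running informers on Deployments, Services and ConfigMaps, so expect OOM kills under load (worth measuring, not a security point).

```yaml
    spec:
      serviceAccountName: controller-manager  # dedicated SA; bind the RBAC roles to it, not to default
      securityContext:
        runAsNonRoot: true
      containers:
      - command:
        - /manager
        args:
        - --enable-leader-election
        image: controller:latest
        name: manager
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        # … unchanged: resources …
      terminationGracePeriodSeconds: 10
```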

+ 2
- 0
config/prometheus/kustomization.yaml View File

@ -0,0 +1,2 @@
resources:
- monitor.yaml

+ 16
- 0
config/prometheus/monitor.yaml View File

@ -0,0 +1,16 @@
# Prometheus Monitor Service (Metrics)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-monitor
namespace: system
spec:
endpoints:
- path: /metrics
port: https
selector:
matchLabels:
control-plane: controller-manager
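Review bot: The ServiceMonitor targets the `https` port served by kube-rbac-proxy but sets no `scheme`, credentials or TLS config, so Prometheus will scrape plain HTTP against a TLS listener and, even over TLS, present no token for the proxy's SubjectAccessReview; the scrape fails rather than being protected. Add `scheme: https`, the service-account token as `bearerTokenFile`, and a `tlsConfig`; the proxy as patched in is given no `--tls-cert-file`, so it serves a self-signed certificate and `insecureSkipVerify: true` is the pragmatic stopgap until a cert-manager-issued serving cert is wired through (that skips server authentication, so the token is sent to whatever answers on the port). The scraping Prometheus also needs a binding to the `metrics-reader` ClusterRole, which this commit defines but does not bind.

```yaml
  endpoints:
  - path: /metrics
    port: https
    scheme: https
    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    tlsConfig:
      # kube-rbac-proxy is started without --tls-cert-file, so it serves a
      # self-signed cert; replace with caFile/serverName once a real cert exists
      insecureSkipVerify: true
  # … unchanged: selector …
```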

+ 7
- 0
config/rbac/auth_proxy_client_clusterrole.yaml View File

@ -0,0 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: metrics-reader
rules:
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
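Review bot: This file uses `rbac.authorization.k8s.io/v1beta1` while every other RBAC manifest in the commit uses `v1`; `v1beta1` is deprecated and the two are otherwise identical here, so use `apiVersion: rbac.authorization.k8s.io/v1` for consistency. Nothing in the commit binds `metrics-reader` to any subject, so whichever Prometheus ServiceAccount scrapes the proxy must receive a ClusterRoleBinding to it separately; a comment in this file such as `# Bind this to the Prometheus ServiceAccount that scrapes the metrics endpoint; no binding ships here.` would make the omission deliberate rather than surprising.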

+ 13
- 0
config/rbac/auth_proxy_role.yaml View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: proxy-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]

+ 12
- 0
config/rbac/auth_proxy_role_binding.yaml View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: default
namespace: system
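Review bot: `proxy-role` (create on TokenReviews and SubjectAccessReviews) is bound to the namespace's `default` ServiceAccount, so any pod placed in the operator namespace without an explicit `serviceAccountName` inherits it; the leader-election binding further down does the same, and the Deployment in manager.yaml sets no `serviceAccountName`, so it does in fact run as `default`. Create a dedicated ServiceAccount, reference it from the Deployment, and change the subject here to `- kind: ServiceAccount`, `name: controller-manager`, `namespace: system` (kustomize's `namePrefix` should prefix the ServiceAccount and the subject together, as it does for the other resources; verify in the rendered output).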

+ 14
- 0
config/rbac/auth_proxy_service.yaml View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
namespace: system
spec:
ports:
- name: https
port: 8443
targetPort: https
selector:
control-plane: controller-manager

+ 12
- 0
config/rbac/kustomization.yaml View File

@ -0,0 +1,12 @@
resources:
- role.yaml
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml

+ 32
- 0
config/rbac/leader_election_role.yaml View File

@ -0,0 +1,32 @@
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create

+ 12
- 0
config/rbac/leader_election_role_binding.yaml View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: default
namespace: system

+ 24
- 0
config/rbac/mcrouter_editor_role.yaml View File

@ -0,0 +1,24 @@
# permissions for end users to edit mcrouters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: mcrouter-editor-role
rules:
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- mcrouters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- mcrouters/status
verbs:
- get

+ 20
- 0
config/rbac/mcrouter_viewer_role.yaml View File

@ -0,0 +1,20 @@
# permissions for end users to view mcrouters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: mcrouter-viewer-role
rules:
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- mcrouters
verbs:
- get
- list
- watch
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- mcrouters/status
verbs:
- get

+ 24
- 0
config/rbac/memcached_editor_role.yaml View File

@ -0,0 +1,24 @@
# permissions for end users to edit memcacheds.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: memcached-editor-role
rules:
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- memcacheds
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- memcacheds/status
verbs:
- get

+ 20
- 0
config/rbac/memcached_viewer_role.yaml View File

@ -0,0 +1,20 @@
# permissions for end users to view memcacheds.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: memcached-viewer-role
rules:
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- memcacheds
verbs:
- get
- list
- watch
- apiGroups:
- infrastructure.vexxhost.cloud
resources:
- memcacheds/status
verbs:
- get

+ 85
- 0
config/rbac/role.yaml View File

@ -0,0 +1,85 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- configmaps
- services
verbs:
- create
- delete
- get
- list