Merge kubebuilder v2->v3 changes into TF resources
Oliver Soell committed Nov 10, 2021
1 parent 1aa1f8c commit bbccd54
Showing 3 changed files with 97 additions and 9 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/go.yml
Expand Up @@ -35,8 +35,9 @@ jobs:
- name: Test
run: |
sudo mkdir -p /usr/local/kubebuilder
curl -Ls https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_linux_amd64.tar.gz | sudo tar -xvz --strip-components=1 -C /usr/local/kubebuilder -f -
curl -Ls https://github.com/kubernetes-sigs/kubebuilder/releases/download/v3.1.0/kubebuilder_linux_amd64 -o /var/tmp/kubebuilder
chmod +x /var/tmp/kubebuilder
sudo mv /var/tmp/kubebuilder /usr/local/bin/
make test
- name: Login to GitHub Container Registry
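Review bot: The new kubebuilder download line (`curl -Ls .../v3.1.0/kubebuilder_linux_amd64 -o /var/tmp/kubebuilder`) installs whatever bytes come back without any integrity check before `chmod +x` and the move into `/usr/local/bin`, and without `-f` a non-200 response body would be installed as the binary and only fail later in `make test`. Pin the release asset's published checksum and fail the step on mismatch, e.g. `curl -fsSL <URL> -o /var/tmp/kubebuilder` followed by `echo "<EXPECTED_SHA256>  /var/tmp/kubebuilder" | sha256sum -c -`, filling the placeholder from the v3.1.0 release assets. The removed v2.3.2 line had the same gap, so this is not a regression, but switching from a tarball to a bare executable is the moment to add it.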
14 changes: 14 additions & 0 deletions deploy/autoneg.yaml
Expand Up @@ -189,6 +189,20 @@ subjects:
apiVersion: v1
data:
controller_manager_config.yaml: |
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
kind: ControllerManagerConfig
health:
87 changes: 80 additions & 7 deletions terraform/kubernetes/main.tf
Expand Up @@ -37,7 +37,7 @@ resource "kubernetes_namespace" "namespace_autoneg_system" {
resource "kubernetes_service_account" "service_account" {
metadata {
namespace = kubernetes_namespace.namespace_autoneg_system.metadata[0].name
name = "autoneg"
name = "autoneg-controller-manager"
labels = {
app = "autoneg"
}
Expand All @@ -63,10 +63,11 @@ resource "kubernetes_role" "role_autoneg_leader_election_role" {
resources = ["configmaps"]
verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
}

rule {
api_groups = [""]
resources = ["configmaps/status"]
verbs = ["get", "update", "patch"]
api_groups = ["coordination.k8s.io"]
resources = ["leases"]
verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
}

rule {
Expand Down Expand Up @@ -97,13 +98,34 @@ resource "kubernetes_cluster_role" "clusterrole_autoneg_manager_role" {
verbs = ["get", "list", "patch", "update", "watch"]
}

rule {
api_groups = [""]
resources = ["services/finalizers"]
verbs = ["update"]
}

rule {
api_groups = [""]
resources = ["services/status"]
verbs = ["get", "patch", "update"]
}
}

resource "kubernetes_cluster_role" "clusterrole_autoneg_metrics_reader" {
metadata {
name = "autoneg-metrics-reader"

labels = {
app = "autoneg"
}
}

rule {
non_resource_urls = ["/metrics"]
verbs = ["get"]
}
}

resource "kubernetes_cluster_role" "clusterrole_autoneg_proxy_role" {
metadata {
name = "autoneg-proxy-role"
Expand Down Expand Up @@ -190,6 +212,32 @@ resource "kubernetes_cluster_role_binding" "clusterrolebinding_autoneg_proxy_rol
}
}

resource "kubernetes_config_map" "example" {
metadata {
namespace = kubernetes_namespace.namespace_autoneg_system.metadata[0].name
name = "autoneg-manager-config"
labels = {
app = "autoneg"
}
}

data = {
"controller_manager_config.yaml" = <<-EOT
apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
kind: ControllerManagerConfig
health:
healthProbeBindAddress: :8081
metrics:
bindAddress: 127.0.0.1:8080
webhook:
port: 9443
leaderElection:
leaderElect: true
resourceName: 9fe89c94.controller.autoneg.dev
EOT
}
}

resource "kubernetes_service" "service_autoneg_controller_manager_metrics_service" {
metadata {
annotations = {
Expand Down Expand Up @@ -251,24 +299,44 @@ resource "kubernetes_deployment" "deployment_autoneg_controller_manager" {

spec {
service_account_name = kubernetes_service_account.service_account.metadata[0].name
automount_service_account_token = true
termination_grace_period_seconds = 10

security_context {
run_as_non_root = true
}

container {
name = "manager"

image = var.controller_image
image_pull_policy = var.image_pull_policy

args = ["--metrics-addr=127.0.0.1:8080", "--enable-leader-election"]
args = ["--health-probe-bind-address=:8081", "--metrics-bind-address=127.0.0.1:8080", "--leader-elect"]
command = ["/manager"]

security_context {
run_as_non_root = true
allow_privilege_escalation = false
privileged = false
}

liveness_probe {
http_get {
path = "/healthz"
port = 8081
}
initial_delay_seconds = 15
period_seconds = 20
}

readiness_probe {
http_get {
path = "/readyz"
port = 8081
}
initial_delay_seconds = 5
period_seconds = 10
}

resources {
limits = {
cpu = "100m"
Expand All @@ -289,6 +357,11 @@ resource "kubernetes_deployment" "deployment_autoneg_controller_manager" {

args = ["--secure-listen-address=0.0.0.0:8443", "--upstream=http://127.0.0.1:8080/", "--logtostderr=true", "--v=10"]

security_context {
allow_privilege_escalation = false
privileged = false
}

port {
container_port = 8443
name = "https"
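Review bot: The new ConfigMap resource is named `example` (`resource "kubernetes_config_map" "example" {`), a scaffold placeholder that breaks the file's `<kind>_autoneg_<role>` naming used by `clusterrole_autoneg_metrics_reader` and `service_autoneg_controller_manager_metrics_service`; rename it, e.g. `resource "kubernetes_config_map" "configmap_autoneg_manager_config" {`. Its data also restates the same health, metrics and leader-election settings that the manager container passes on the command line in `args = ["--health-probe-bind-address=:8081", "--metrics-bind-address=127.0.0.1:8080", "--leader-elect"]`, and no volume mount or `--config` flag referencing the ConfigMap is visible in these hunks, so it appears unused and the two copies can silently drift — either wire it into the container or keep a single source of truth. While the container `security_context` blocks are being added, the usual companions of `allow_privilege_escalation = false` are `read_only_root_filesystem = true` and `capabilities { drop = ["ALL"] }` for both the manager and the kube-rbac-proxy container, assuming the images tolerate a read-only root. The deployment resource starts and ends outside the visible hunks.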
