feat: Add webui deployment

hack/prepare-release.sh

@@ -24,7 +24,11 @@ fi
 
 echo VERSION=$VERSION
 
-FILES="install/controller/.kluctl.yaml install/controller/controller/kustomization.yaml docs/installation.md"
+FILES=""
+FILES="$FILES install/controller/.kluctl.yaml"
+FILES="$FILES install/controller/controller/kustomization.yaml"
+FILES="$FILES install/webui/.kluctl.yaml"
+FILES="$FILES docs/installation.md"
 
 for f in $FILES; do
   cat $f | sed "s/$VERSION_REGEX_SED/$VERSION/g" > $f.tmp

install/webui/.kluctl.yaml

@@ -0,0 +1,9 @@
+discriminator: kluctl.io-webui
+
+args:
+  - name: kluctl_version
+    default: v2.20.4
+  - name: webui_args
+    default: []
+  - name: webui_envs
+    default: []

install/webui/deployment.yaml

@@ -0,0 +1,3 @@
+
+deployments:
+  - path: webui

install/webui/webui/admin-rbac.yaml

@@ -0,0 +1,41 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kluctl-webui-admin-role
+rules:
+  - apiGroups:
+      - gitops.kluctl.io
+    resources:
+      - kluctldeployments
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  # Read access for all other Kubernetes objects
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: controller
+    app.kubernetes.io/instance: kluctl-webui-rolebinding
+    app.kubernetes.io/managed-by: kluctl
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/part-of: controller
+  name: kluctl-webui-admin-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kluctl-webui-admin-role
+subjects:
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: kluctl-webui-admin

install/webui/webui/deployment.yaml

@@ -0,0 +1,65 @@
+{% set kluctl_version = get_var("args.kluctl_version", "v2.20.4") %}
+{% set pull_policy = "Always" if "-devel" in kluctl_version or "-snapshot" in kluctl_version else "IfNotPresent" %}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: kluctl-webui
+    app.kubernetes.io/instance: kluctl-controller
+    app.kubernetes.io/managed-by: kluctl
+    app.kubernetes.io/name: kluctl-webui
+    control-plane: kluctl-webui
+  name: kluctl-webui
+  namespace: kluctl-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: kluctl-controller
+  template:
+    metadata:
+      labels:
+        control-plane: kluctl-controller
+    spec:
+      containers:
+      - name: webui
+        image: ghcr.io/kluctl/kluctl:{{ kluctl_version }}
+        imagePullPolicy: {{ pull_policy }}
+        command:
+          - kluctl
+          - webui
+          - --in-cluster
+        args: {{ get_var(["args.webui_args", "webui_args"], []) | to_json }}
+        env: {{ get_var(["args.webui_envs", "webui_envs"], []) | to_json }}
+        ports:
+          - containerPort: 8080
+            name: http
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 500m
+            memory: 512Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: kluctl-webui
+      terminationGracePeriodSeconds: 10

install/webui/webui/webui-rbac.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/instance: kluctl-webui-sa
+    app.kubernetes.io/managed-by: kluctl
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/part-of: controller
+  name: kluctl-webui
+  namespace: kluctl-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kluctl-webui-cluster-role
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list"]
+    # allow access to results
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+    # allow to impersonate other users, groups and serviceaccounts
+  - apiGroups: [""]
+    resources: ["users", "groups", "serviceaccounts"]
+    verbs: ["impersonate"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: controller
+    app.kubernetes.io/instance: kluctl-webui-rolebinding
+    app.kubernetes.io/managed-by: kluctl
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/part-of: controller
+  name: kluctl-webui-cluster-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kluctl-webui-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: kluctl-webui
+    namespace: kluctl-system