newrelic · juanjjaramillo · May 24, 2024 · May 23, 2024
@@ -0,0 +1,19 @@
+## Structure
+
+The `kustomize` folder contains the Kustomize resources that are used to assemble the operator's deployment units for testing
+
+```
+.
+├── certmanager   # Kustomize options dealing with cert-manager
+├── crd           # Kustomize options for our CRDs
+│   ├── bases     # auto generated based on the code annotations (`make manifests`)
+│   └── patches   # patches to apply to the generated CRD
+├── default       # Kustomize's "entry point", generating the distribution YAML file
+├── manager       # the operator's Deployment
+├── manifests     # the resulting CSV
+│   └── bases
+├── prometheus    # ServiceMonitor that exposes our operator's metrics
+├── rbac          # RBAC rules
+├── samples       # Set of examples of how to accomplish specific scenarios. Those are bundled in the final CSV
+└── webhook       # Webhook configuration and service
+```
@@ -0,0 +1,29 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for 
+# breaking changes
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: k8s-agents-operator-controller-manager-service-cert # this secret will not be prefixed, since it's not managed by kustomize
+  subject:
+    organizationalUnits:
+      - "k8s-agents-operator"
@@ -0,0 +1,5 @@
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
@@ -0,0 +1,16 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution 
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
@@ -0,0 +1,17 @@
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/default
+resources:
+- bases/newrelic.com_instrumentations.yaml
+# +kubebuilder:scaffold:crdkustomizeresource
+
+patchesStrategicMerge:
+# patches here are for enabling the conversion webhook for each CRD
+# +kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# patches here are for enabling the CA injection for each CRD
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+- kustomizeconfig.yaml
@@ -0,0 +1,17 @@
+# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+nameReference:
+- kind: Service
+  version: v1
+  fieldSpecs:
+  - kind: CustomResourceDefinition
+    group: apiextensions.k8s.io
+    path: spec/conversion/webhookClientConfig/service/name
+
+namespace:
+- kind: CustomResourceDefinition
+  group: apiextensions.k8s.io
+  path: spec/conversion/webhookClientConfig/service/namespace
+  create: false
+
+varReference:
+- path: metadata/annotations
@@ -0,0 +1,60 @@
+# Adds namespace to all resources.
+namespace: k8s-agents-operator-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: k8s-agents-operator-
+
+# Labels to add to all resources and selectors.
+commonLabels:
+  app.kubernetes.io/name: k8s-agents-operator
+
+bases:
+- ../crd
+- ../rbac
+- ../manager
+- ../webhook
+- ../certmanager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. 
+#- ../prometheus
+
+patchesStrategicMerge:
+  # Protect the /metrics endpoint by putting it behind auth.
+  # If you want your controller-manager to expose the /metrics
+  # endpoint w/o any authn/z, please comment the following line.
+- manager_auth_proxy_patch.yaml
+
+- manager_webhook_patch.yaml
+- webhookcainjection_patch.yaml
+
+# the following config is for teaching kustomize how to do var substitution
+vars:
+- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+  fieldref:
+    fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+- name: SERVICE_NAMESPACE # namespace of the service
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
+- name: SERVICE_NAME
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
@@ -0,0 +1,35 @@
+# This patch inject a sidecar container which is a HTTP proxy for the 
+# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=0"
+        ports:
+        - containerPort: 8443
+          name: https
+          protocol: TCP
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 5m
+            memory: 64Mi
+      - name: manager
+        args:
+        - "--metrics-addr=127.0.0.1:8080"
+        - "--enable-leader-election"
+        - "--zap-log-level=info"
+        - "--zap-time-encoding=rfc3339nano"
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: k8s-agents-operator-controller-manager-service-cert
@@ -0,0 +1,15 @@
+# This patch add annotation to admission webhook config and
+# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
@@ -0,0 +1,8 @@
+resources:
+- manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: newrelic/k8s-agents-operator
+  newTag: latest
@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/name: k8s-agents-operator
+    control-plane: controller-manager
+  name: system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    app.kubernetes.io/name: k8s-agents-operator
+    control-plane: controller-manager
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: k8s-agents-operator
+      control-plane: controller-manager
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: k8s-agents-operator
+        control-plane: controller-manager
+    spec:
+      containers:
+      - args:
+        - --enable-leader-election
+        image: controller
+        name: manager
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          requests:
+            cpu: 100m
+            memory: 64Mi
+      serviceAccountName: controller-manager
+      terminationGracePeriodSeconds: 10
@@ -0,0 +1,56 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+  annotations:
+    alm-examples: '[]'
+    capabilities: Basic Install
+  name: k8s-agents-operator.v0.0.0
+  namespace: placeholder
+spec:
+  apiservicedefinitions: {}
+  customresourcedefinitions:
+    owned:
+    - description: Instrumentation is the Schema for the instrumentations API
+      displayName: New Relic Instrumentation
+      kind: Instrumentation
+      name: instrumentations.newrelic.com
+      resources:
+      - kind: Pod
+        name: ""
+        version: v1
+      version: v1alpha1
+  description: The New Relic agent operator is an admission controller API that enables
+    the instrumentation of application workloads (including Java, NodeJS, Go, DotNet,
+    PHP, and Python) using a custom resource definition.
+  displayName: New Relic Agent Operator
+  icon:
+  - base64data: "PHN2ZyBpZD0iTGF5ZXJfMSIgZGF0YS1uYW1lPSJMYXllciAxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA4MTkgMTU4Ljk3Ij48ZGVmcz48c3R5bGU+LmNscy0xe2ZpbGw6IzAwYWM2OTt9LmNscy0ye2ZpbGw6IzFjZTc4Mzt9LmNscy0ze2ZpbGw6IzFkMjUyYzt9PC9zdHlsZT48L2RlZnM+PHBvbHlnb24gY2xhc3M9ImNscy0xIiBwb2ludHM9IjExMS4xOSA1NS4wMyAxMTEuMTkgMTAzLjk0IDY4Ljg0IDEyOC40IDY4Ljg0IDE1OC45NyAxMzcuNjggMTE5LjIzIDEzNy42OCAzOS43NCAxMTEuMTkgNTUuMDMiLz48cG9seWdvbiBjbGFzcz0iY2xzLTIiIHBvaW50cz0iNjguODQgMzAuNTggMTExLjE5IDU1LjAzIDEzNy42OCAzOS43NCAxMzcuNjggMzkuNzQgNjguODQgMCAwIDM5Ljc0IDAgMzkuNzQgMjYuNDggNTUuMDMgNjguODQgMzAuNTgiLz48cG9seWdvbiBjbGFzcz0iY2xzLTMiIHBvaW50cz0iNDIuMzYgOTQuNzggNDIuMzYgMTQzLjY5IDY4Ljg0IDE1OC45NyA2OC44NCA3OS40OSAwIDM5Ljc0IDAgNzAuMzIgNDIuMzYgOTQuNzgiLz48cGF0aCBjbGFzcz0iY2xzLTMiIGQ9Ik0yNDIuMTcsNTAuMTRjLTE0LjgyLDAtMjEuODQsOS4zNi0yMS44NCw5LjM2aC0uNzhMMjE4LDUxLjdIMjAwLjA1djc5LjU2aDE5LjV2LTQ2YzAtMTAuMTQsNy0xNy4xNiwxNy4xNi0xNy4xNnMxNy4xNiw3LDE3LjE2LDE3LjE2djQ2aDE5LjVWODMuNjhDMjczLjM3LDYzLjQsMjYwLjExLDUwLjE0LDI0Mi4xNyw1MC4xNFoiIHRyYW5zZm9ybT0idHJhbnNsYXRlKC0xMCAtMTAuNTEpIi8+PHBvbHlnb24gY2xhc3M9ImNscy0zIiBwb2ludHM9IjQ0Mi40NyA5My40NSA0NDEuMzUgOTMuNDUgNDI4LjA5IDQxLjE5IDQwOC4yNSA0MS4xOSAzOTQuOTkgOTMuNDUgMzkzLjg4IDkzLjQ1IDM4MC42MSA0MS4xOSAzNjAuMzMgNDEuMTkgMzgwLjYxIDEyMC43NSA0MDQuMzYgMTIwLjc1IDQxNy42MSA2OS4yNyA0MTguNzMgNjkuMjcgNDMxLjk5IDEyMC43NSA0NTUuNzMgMTIwLjc1IDQ3Ni4wMSA0MS4xOSA0NTUuNzMgNDEuMTkgNDQyLjQ3IDkzLjQ1Ii8+PHBhdGggY2xhc3M9ImNscy0zIiBkPSJNNTQ1LjcyLDU4LjcyaC0uNzhsLTEuNTYtN0g1Mjd2NzkuNTVoMTkuNXYtNDZjMC0xMC4xNCw0LjY4LTE0LjgyLDE0LjgyLTE0LjgyaDEwVjUxLjcxaC0xMS42QTE3LjU2LDE3LjU2LDAsMCwwLDU0NS43Miw1OC43MloiIHRyYW5zZm9ybT0idHJhbnNsYXRlKC0xMCAtMTAuNTEpIi8+PHBhdGggY2xhc3M9ImNscy0zIiBkPSJNNjE0LjQ3LDUwLjE0Yy0yMy4zOSwwLTQwLjU1LDE3LjE2LTQwLjU1LDQxLjM0czE2LjE5LDQxLjM0LDQwLjU1LDQxLjM0YzE5LjczLDAsMzEuNjEtMTEuNjEsMzYuNTYtMjAuMTVsLTE3LjktNi4zOGMtMS43NywzLjI0LTguOTEsOS40Ny0xOC42Niw5LjQ3LTExLjM3LDAtMTkuNDktNy4xMi0yMS4wNS0xOGg1OS4yN2EzNS4zOCwzNS4zOCwwLDAsMCwuNzgtNy44QzY1My40Nyw2Ny4zLDYzNi4zMSw1MC4xNCw2MTQuNDcsNTAuMTRaTTU5My40Miw4NC40NmMyLjM0LTEwLjE0LDkuMzYtMTcuOTQsMjEuMDUtMTcuOTQsMTAuOTMsMCwxNy45NCw3LjgsMTkuNSwxNy45NFoiIHRyYW5zZm9ybT0idHJhbnNsYXRlKC0xMCAtMTAuNTEpIi8+PHBhdGggY2xhc3M9ImNscy0zIiBkPSJNMzI2LjQsNTAuMTRjLTIzLjQsMC00MC41NiwxNy4xNi00MC41Niw0MS4zNFMzMDIsMTMyLjgyLDMyNi40LDEzMi44MmMxOS43MywwLDMxLjYtMTEuNjEsMzYuNTUtMjAuMTVsLTE3LjktNi4zOGMtMS43NywzLjI0LTguOSw5LjQ3LTE4LjY1LDkuNDctMTEuMzcsMC0xOS41LTcuMTItMjEuMDYtMThoNTkuMjhhMzUuMzgsMzUuMzgsMCwwLDAsLjc4LTcuOEMzNjUuNCw2Ny4zLDM0OC4yNCw1MC4xNCwzMjYuNCw1MC4xNFpNMzA1LjM0LDg0LjQ2YzIuMzQtMTAuMTQsOS4zNi0xNy45NCwyMS4wNi0xNy45NCwxMC45MiwwLDE3Ljk0LDcuOCwxOS41LDE3Ljk0WiIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTEwIC0xMC41MSkiLz48cmVjdCBjbGFzcz0iY2xzLTMiIHg9IjY5Mi4xNCIgeT0iOS43OCIgd2lkdGg9IjE5LjUiIGhlaWdodD0iMTkuNSIvPjxwYXRoIGNsYXNzPSJjbHMtMyIgZD0iTTc3NS40NSwxMTQuODhjLTExLjcsMC0yMS4wNi05LjM2LTIxLjA2LTIzLjRzOS4zNi0yMy40LDIxLjA2LTIzLjQsMTYuMzgsNy44LDE3Ljk0LDEyLjQ4bDE3LjY2LTYuMjhjLTQuMjgtMTEuMTEtMTQuNzgtMjQuMTQtMzUuNi0yNC4xNC0yMy40LDAtNDAuNTYsMTcuMTYtNDAuNTYsNDEuMzRzMTcuMTYsNDEuMzQsNDAuNTYsNDEuMzRjMjEsMCwzMS41LTEzLjI0LDM1LjctMjQuODhsLTE3Ljc2LTYuMzJDNzkxLjgzLDEwNy4wOCw3ODcuMTUsMTE0Ljg4LDc3NS40NSwxMTQuODhaIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgtMTAgLTEwLjUxKSIvPjxwb2x5Z29uIGNsYXNzPSJjbHMtMyIgcG9pbnRzPSI2NDUuNjMgMjcuMTEgNjU2LjcgMjcuMTEgNjU2LjcgMTIwLjc1IDY3Ni4yIDEyMC43NSA2NzYuMiA5Ljc4IDY0NS42MyA5Ljc4IDY0NS42MyAyNy4xMSIvPjxyZWN0IGNsYXNzPSJjbHMtMyIgeD0iNjkyLjE0IiB5PSI0MS4xOSIgd2lkdGg9IjE5LjUiIGhlaWdodD0iNzkuNTYiLz48cGF0aCBjbGFzcz0iY2xzLTMiIGQ9Ik04MjEuNTksMTE2YTcuNTIsNy41MiwwLDEsMCw3LjQxLDcuNTJBNy4yOCw3LjI4LDAsMCwwLDgyMS41OSwxMTZabTAsMTMuODlhNi4zNyw2LjM3LDAsMSwxLDYuMjYtNi4zN0E2LjEyLDYuMTIsMCwwLDEsODIxLjU5LDEyOS44NVoiIHRyYW5zZm9ybT0idHJhbnNsYXRlKC0xMCAtMTAuNTEpIi8+PHBhdGggY2xhc3M9ImNscy0zIiBkPSJNODI0LjgyLDEyMi4xM2EyLjY0LDIuNjQsMCwwLDAtMi44Mi0yLjYyaC0zLjM0djcuODRoMS4xNXYtMi43MmgxLjA1bDIuNzEsMi43Mkg4MjVsLTIuNzEtMi43MkEyLjUzLDIuNTMsMCwwLDAsODI0LjgyLDEyMi4xM1ptLTUsMS4zNXYtMi44Mkg4MjJhMS41LDEuNSwwLDAsMSwxLjY4LDEuNDdjMCwuODMtLjUzLDEuMzUtMS42OCwxLjM1WiIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoLTEwIC0xMC41MSkiLz48L3N2Zz4="
+    mediatype: "image/svg+xml"
+  install:
+    spec:
+      deployments: null
+    strategy: ""
+  installModes:
+  - supported: false
+    type: OwnNamespace
+  - supported: false
+    type: SingleNamespace
+  - supported: false
+    type: MultiNamespace
+  - supported: true
+    type: AllNamespaces
+  keywords:
+  - newrelic
+  - instrumentation
+  - apm
+  links:
+  - name: Newrelic Agent Operator
+    url: https://k8s-agents-operator.domain
+  maintainers:
+  - email: alozoya@newrelic.com
+    name: Andrew Lozoya
+  maturity: alpha
+  provider:
+    name: New Relic
+    url: newrelic.com
+  version: 0.0.0
@@ -0,0 +1,4 @@
+resources:
+- ../default
+- ../samples
+- ../scorecard
@@ -0,0 +1,2 @@
+resources:
+- monitor.yaml
@@ -0,0 +1,26 @@
+
+# Prometheus Monitor Service (Metrics)
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/name: k8s-agents-operator
+    control-plane: controller-manager
+  name: controller-manager-metrics-monitor
+  namespace: system
+spec:
+  endpoints:
+    - path: /metrics
+      port: https
+      scheme: https
+      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      tlsConfig:
+        insecureSkipVerify: false
+        ca:
+          secret:
+            key: ca.crt
+            name: k8s-agents-operator-controller-manager-service-cert
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: k8s-agents-operator
+      control-plane: controller-manager