package asset
import (
	"strconv"

	appsv1 "k8s.io/api/apps/v1"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/utils/pointer"
)
// DaemonSet returns the builder for the operand DaemonSet manifest, bound
// to this asset so that Name() and New() can read its values and sibling
// resources.
func (a *Asset) DaemonSet() *daemonset {
	ds := &daemonset{asset: a}
	return ds
}
// daemonset builds the operand DaemonSet manifest. It holds the Asset whose
// Values(), ServiceServingSecret() and Configuration() it reads when
// rendering the object.
type daemonset struct {
	// asset supplies the namespace, labels, image and the names of the
	// serving-cert Secret and configuration ConfigMap the pod mounts.
	asset *Asset
}
// Name returns the object name of the DaemonSet, taken from the asset's
// values.
func (d *daemonset) Name() string {
	values := d.asset.Values()
	return values.Name
}
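// New renders the operand DaemonSet manifest from the asset's values.
//
// The DaemonSet schedules one admission-webhook pod per control-plane node
// (master node selector plus the matching taint toleration). The container
// serves TLS on securePort using the certificate and key from the asset's
// service-serving Secret, and reads its override configuration from the
// asset's ConfigMap mounted as a single file. The object is only built in
// memory; nothing is sent to the API server here.
//
// Changes from the previous rendering are cosmetic: the port, secret mode
// and toleration grace period are named constants shared by every place
// that uses them, pointer helpers replace the inline closures, and the
// seccomp type uses the typed constant. The produced object is identical.
func (d *daemonset) New() *appsv1.DaemonSet {
	const (
		// securePort is the HTTPS port the operand listens on. It feeds both
		// the --secure-port flag and the declared container port so the two
		// cannot drift apart.
		securePort int32 = 9400
		// secretMode (0644, decimal 420) is the file mode of the mounted
		// serving cert and key. The container runs as non-root, so a more
		// restrictive mode would need an fsGroup to remain readable.
		secretMode int32 = 0644
		// evictionGrace bounds how long a pod stays bound to an unreachable
		// or not-ready node before it is evicted.
		evictionGrace int64 = 120

		servingCertVolume = "serving-cert"
		servingCertPath   = "/var/serving-cert"
		configVolume      = "configuration"
		configPath        = "/etc/clusterresourceoverride/config/override.yaml"
		masterLabel       = "node-role.kubernetes.io/master"
	)

	values := d.asset.Values()
	name := d.Name()

	return &appsv1.DaemonSet{
		TypeMeta: metav1.TypeMeta{
			Kind:       "DaemonSet",
			APIVersion: "apps/v1",
		},
		ObjectMeta: metav1.ObjectMeta{
			Namespace: values.Namespace,
			Name:      name,
			Labels: map[string]string{
				values.OwnerLabelKey: values.OwnerLabelValue,
			},
		},
		Spec: appsv1.DaemonSetSpec{
			Selector: &metav1.LabelSelector{
				MatchLabels: map[string]string{
					values.SelectorLabelKey: values.SelectorLabelValue,
				},
			},
			Template: corev1.PodTemplateSpec{
				ObjectMeta: metav1.ObjectMeta{
					Name: name,
					// The selector label must be present here or the
					// DaemonSet controller will not adopt the pods.
					Labels: map[string]string{
						values.SelectorLabelKey: values.SelectorLabelValue,
						values.OwnerLabelKey:    values.OwnerLabelValue,
					},
				},
				Spec: corev1.PodSpec{
					// Pin the webhook to control-plane nodes; the matching
					// toleration below lets it land on the tainted masters.
					NodeSelector: map[string]string{
						masterLabel: "",
					},
					ServiceAccountName: values.ServiceAccountName,
					Containers: []corev1.Container{
						{
							Name:            name,
							Image:           values.OperandImage,
							ImagePullPolicy: corev1.PullAlways,
							Command: []string{
								"/usr/bin/cluster-resource-override-admission",
							},
							Args: []string{
								"--secure-port=" + strconv.Itoa(int(securePort)),
								"--tls-cert-file=" + servingCertPath + "/tls.crt",
								"--tls-private-key-file=" + servingCertPath + "/tls.key",
								// klog verbosity; raise only for debugging.
								"--v=3",
							},
							Env: []corev1.EnvVar{
								{
									Name:  "CONFIGURATION_PATH",
									Value: configPath,
								},
							},
							Ports: []corev1.ContainerPort{
								{
									ContainerPort: securePort,
								},
							},
							// Hardened container: no privilege escalation, all
							// capabilities dropped, non-root, default seccomp.
							// NOTE(review): ReadOnlyRootFilesystem is not set;
							// confirm whether the operand needs a writable root
							// before enabling it.
							SecurityContext: &corev1.SecurityContext{
								AllowPrivilegeEscalation: pointer.BoolPtr(false),
								Capabilities: &corev1.Capabilities{
									Drop: []corev1.Capability{"ALL"},
								},
								RunAsNonRoot: pointer.BoolPtr(true),
								SeccompProfile: &corev1.SeccompProfile{
									Type: corev1.SeccompProfileTypeRuntimeDefault,
								},
							},
							VolumeMounts: []corev1.VolumeMount{
								{
									Name:      servingCertVolume,
									MountPath: servingCertPath,
								},
								{
									// Mount only the configuration key as a
									// single file at the path the operand reads
									// via CONFIGURATION_PATH.
									Name:      configVolume,
									MountPath: configPath,
									SubPath:   values.ConfigurationKey,
								},
							},
						},
					},
					Volumes: []corev1.Volume{
						{
							Name: servingCertVolume,
							VolumeSource: corev1.VolumeSource{
								Secret: &corev1.SecretVolumeSource{
									SecretName:  d.asset.ServiceServingSecret().Name(),
									DefaultMode: pointer.Int32Ptr(secretMode),
								},
							},
						},
						{
							Name: configVolume,
							VolumeSource: corev1.VolumeSource{
								ConfigMap: &corev1.ConfigMapVolumeSource{
									LocalObjectReference: corev1.LocalObjectReference{
										Name: d.asset.Configuration().Name(),
									},
								},
							},
						},
					},
					Tolerations: []corev1.Toleration{
						{
							Key:      masterLabel,
							Operator: corev1.TolerationOpExists,
							Effect:   corev1.TaintEffectNoSchedule,
						},
						{
							Key:               "node.kubernetes.io/unreachable",
							Operator:          corev1.TolerationOpExists,
							Effect:            corev1.TaintEffectNoExecute,
							TolerationSeconds: pointer.Int64Ptr(evictionGrace),
						},
						{
							Key:               "node.kubernetes.io/not-ready",
							Operator:          corev1.TolerationOpExists,
							Effect:            corev1.TaintEffectNoExecute,
							TolerationSeconds: pointer.Int64Ptr(evictionGrace),
						},
					},
				},
			},
		},
	}
}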