-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add basic skeleton structure for etcdsnapshotrestore controllers/reco…
…ncilers/webhooks Also it prevents running reconcilers by hiding them behind the feature gate Signed-off-by: Furkat Gofurov <furkat.gofurov@suse.com>
- Loading branch information
1 parent
449f771
commit aadef09
Showing
35 changed files
with
1,598 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,147 @@ | ||
# Adds namespace to all resources. | ||
namespace: rancher-turtles-system | ||
|
||
namePrefix: rancher-turtles- | ||
|
||
bases: | ||
- ../crd | ||
- ../rbac | ||
- ../webhook | ||
|
||
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in | ||
# crd/kustomization.yaml | ||
#- ../webhook | ||
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. | ||
#- ../certmanager | ||
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. | ||
#- ../prometheus | ||
|
||
# Protect the /metrics endpoint by putting it behind auth. | ||
# If you want your controller-manager to expose the /metrics | ||
# endpoint w/o any authn/z, please comment the following line. | ||
patchesStrategicMerge: | ||
- manager_webhook_patch.yaml | ||
- webhookcainjection_patch.yaml | ||
- manager_role_aggregation_patch.yaml | ||
|
||
# patchesStrategicMerge: | ||
# - manager_role_aggregation_patch.yaml | ||
|
||
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in | ||
# crd/kustomization.yaml | ||
# - path: manager_webhook_patch.yaml | ||
|
||
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. | ||
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. | ||
# 'CERTMANAGER' needs to be enabled to use ca injection | ||
# - path: webhookcainjection_patch.yaml | ||
|
||
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. | ||
# Uncomment the following replacements to add the cert-manager CA injection annotations | ||
# replacements: | ||
# - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs | ||
# kind: Certificate | ||
# group: cert-manager.io | ||
# version: v1 | ||
# name: serving-cert # this name should match the one in certificate.yaml | ||
# fieldPath: .metadata.namespace # namespace of the certificate CR | ||
# targets: | ||
# - select: | ||
# kind: ValidatingWebhookConfiguration | ||
# fieldPaths: | ||
# - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||
# options: | ||
# delimiter: '/' | ||
# index: 0 | ||
# create: true | ||
# - select: | ||
# kind: MutatingWebhookConfiguration | ||
# fieldPaths: | ||
# - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||
# options: | ||
# delimiter: '/' | ||
# index: 0 | ||
# create: true | ||
# - select: | ||
# kind: CustomResourceDefinition | ||
# fieldPaths: | ||
# - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||
# options: | ||
# delimiter: '/' | ||
# index: 0 | ||
# create: true | ||
# - source: | ||
# kind: Certificate | ||
# group: cert-manager.io | ||
# version: v1 | ||
# name: serving-cert # this name should match the one in certificate.yaml | ||
# fieldPath: .metadata.name | ||
# targets: | ||
# - select: | ||
# kind: ValidatingWebhookConfiguration | ||
# fieldPaths: | ||
# - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||
# options: | ||
# delimiter: '/' | ||
# index: 1 | ||
# create: true | ||
# - select: | ||
# kind: MutatingWebhookConfiguration | ||
# fieldPaths: | ||
# - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||
# options: | ||
# delimiter: '/' | ||
# index: 1 | ||
# create: true | ||
# - select: | ||
# kind: CustomResourceDefinition | ||
# fieldPaths: | ||
# - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||
# options: | ||
# delimiter: '/' | ||
# index: 1 | ||
# create: true | ||
# - source: # Add cert-manager annotation to the webhook Service | ||
# kind: Service | ||
# version: v1 | ||
# name: webhook-service | ||
# fieldPath: .metadata.name # namespace of the service | ||
# targets: | ||
# - select: | ||
# kind: Certificate | ||
# group: cert-manager.io | ||
# version: v1 | ||
# fieldPaths: | ||
# - .spec.dnsNames.0 | ||
# - .spec.dnsNames.1 | ||
# options: | ||
# delimiter: '.' | ||
# index: 0 | ||
# create: true | ||
# - source: | ||
# kind: Service | ||
# version: v1 | ||
# name: webhook-service | ||
# fieldPath: .metadata.namespace # namespace of the service | ||
# targets: | ||
# - select: | ||
# kind: Certificate | ||
# group: cert-manager.io | ||
# version: v1 | ||
# fieldPaths: | ||
# - .spec.dnsNames.0 | ||
# - .spec.dnsNames.1 | ||
# options: | ||
# delimiter: '.' | ||
# index: 1 | ||
# create: true | ||
|
||
vars: | ||
- name: SERVICE_NAME | ||
objref: | ||
kind: Service | ||
version: v1 | ||
name: webhook-service | ||
|
||
configurations: | ||
- kustomizeconfig.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
varReference: | ||
- kind: Deployment | ||
path: spec/template/spec/volumes/secret/secretName |
15 changes: 15 additions & 0 deletions
15
config/exp/etcdrestore/default/manager_role_aggregation_patch.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: manager-role | ||
labels: | ||
turtles-capi.cattle.io/aggregate-to-manager: "true" | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: manager-rolebinding | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: aggregated-manager-role |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: controller-manager | ||
namespace: system | ||
spec: | ||
template: | ||
spec: | ||
containers: | ||
- name: manager | ||
ports: | ||
- containerPort: 9443 | ||
name: webhook-server | ||
protocol: TCP | ||
volumeMounts: | ||
- mountPath: /tmp/k8s-webhook-server/serving-certs | ||
name: cert | ||
readOnly: true | ||
volumes: | ||
- name: cert | ||
secret: | ||
secretName: $(SERVICE_NAME)-cert |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
# This patch add annotation to admission webhook config and | ||
# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. | ||
apiVersion: admissionregistration.k8s.io/v1 | ||
kind: MutatingWebhookConfiguration | ||
metadata: | ||
name: mutating-webhook-configuration | ||
annotations: | ||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: aggregated-manager-role | ||
aggregationRule: | ||
clusterRoleSelectors: | ||
- matchLabels: | ||
rancher-turtles/aggregate-to-manager: "true" | ||
rules: [] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
resources: | ||
# All RBAC will be applied under this service account in | ||
# the deployment namespace. You may comment out this resource | ||
# if your manager will use a service account that exists at | ||
# runtime. Be sure to update RoleBinding and ClusterRoleBinding | ||
# subjects if changing service account names. | ||
- service_account.yaml | ||
- role.yaml | ||
- role_binding.yaml | ||
- leader_election_role.yaml | ||
- leader_election_role_binding.yaml | ||
- aggregated_role.yaml | ||
|
||
patchesStrategicMerge: | ||
- manager_role_aggregation_patch.yaml | ||
# Comment the following 4 lines if you want to disable | ||
# the auth proxy (https://github.com/brancz/kube-rbac-proxy) | ||
# which protects your /metrics endpoint. | ||
#- auth_proxy_service.yaml | ||
#- auth_proxy_role.yaml | ||
#- auth_proxy_role_binding.yaml | ||
#- auth_proxy_client_clusterrole.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
# permissions to do leader election. | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
labels: | ||
app.kubernetes.io/name: role | ||
app.kubernetes.io/instance: leader-election-role | ||
app.kubernetes.io/component: rbac | ||
app.kubernetes.io/created-by: rancher-turtles | ||
app.kubernetes.io/part-of: rancher-turtles | ||
app.kubernetes.io/managed-by: kustomize | ||
name: leader-election-role | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- configmaps | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- create | ||
- update | ||
- patch | ||
- delete | ||
- apiGroups: | ||
- coordination.k8s.io | ||
resources: | ||
- leases | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- create | ||
- update | ||
- patch | ||
- delete | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- events | ||
verbs: | ||
- create | ||
- patch |
19 changes: 19 additions & 0 deletions
19
config/exp/etcdrestore/rbac/leader_election_role_binding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
labels: | ||
app.kubernetes.io/name: rolebinding | ||
app.kubernetes.io/instance: leader-election-rolebinding | ||
app.kubernetes.io/component: rbac | ||
app.kubernetes.io/created-by: rancher-turtles | ||
app.kubernetes.io/part-of: rancher-turtles | ||
app.kubernetes.io/managed-by: kustomize | ||
name: leader-election-rolebinding | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: leader-election-role | ||
subjects: | ||
- kind: ServiceAccount | ||
name: manager | ||
namespace: system |
15 changes: 15 additions & 0 deletions
15
config/exp/etcdrestore/rbac/manager_role_aggregation_patch.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: manager-role | ||
labels: | ||
rancher-turtles/aggregate-to-manager: "true" | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: manager-rolebinding | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: aggregated-manager-role |
Oops, something went wrong.