apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Kustomization that assembles the rhobs prometheus-operator (PO) and its
# admission webhook for an OLM bundle. The upstream example manifests are
# fetched from the obo-prometheus-operator repository at tag v0.66.0-rhobs1
# and then adjusted by the patches at the bottom of this file.
#
# NOTE(review): every remote resource below is pinned by git tag and every
# image in the patches by image tag, not by commit SHA or digest. Tags are
# mutable, so the rendered output is reproducible only as long as the upstream
# repository and registry keep those tags unchanged — consider digest pins.

resources:
  # CRDs
  # HACK: This hack to use stripped-down-crds works around the following operator-sdk
  # limitation when running a catalog (FBC) image.
  #
  # ❯ ./tmp/bin/operator-sdk run bundle <bundle-image> --install-mode AllNamespaces --namespace operators --skip-tls
  # INFO[0016] Creating a File-Based Catalog of the bundle <bundle-image>
  # INFO[0020] Generated a valid File-Based Catalog
  # FATA[0020] Failed to run bundle
  # : create catalog
  # : error creating registry pod: error building registry pod definition
  # : configMap error: error updating ConfigMap
  # : error creating ConfigMap
  # : ConfigMap "operator-sdk-run-bundle-config" is invalid
  # : []: Too long: must have at most 1048576 bytes
  - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/stripped-down-crds/all.yaml
  # NOTE: enable these full CRDs (and drop the stripped-down bundle above)
  # once the operator-sdk ConfigMap size limitation described above is solved.
  # - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/prometheus-operator-crd/monitoring.rhobs_alertmanagers.yaml
  # - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/prometheus-operator-crd/monitoring.rhobs_podmonitors.yaml
  # - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/prometheus-operator-crd/monitoring.rhobs_probes.yaml
  # - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/prometheus-operator-crd/monitoring.rhobs_prometheuses.yaml
  # - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/prometheus-operator-crd/monitoring.rhobs_prometheusrules.yaml
  # - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/prometheus-operator-crd/monitoring.rhobs_servicemonitors.yaml
  # - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/prometheus-operator-crd/monitoring.rhobs_thanosrulers.yaml
  # - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/prometheus-operator-crd/monitoring.rhobs_prometheusagents.yaml

  # PO Deployment: workload plus its RBAC (ServiceAccount, ClusterRole,
  # ClusterRoleBinding) and Service, all from the upstream example manifests.
  - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/rbac/prometheus-operator/prometheus-operator-deployment.yaml
  - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/rbac/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
  - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/rbac/prometheus-operator/prometheus-operator-cluster-role.yaml
  - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/rbac/prometheus-operator/prometheus-operator-service-account.yaml
  - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/rbac/prometheus-operator/prometheus-operator-service.yaml

  # Admission Webhook Deployment
  - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/admission-webhook/deployment.yaml
  - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/admission-webhook/service-account.yaml
  # NOTE: OLM creates a Service for the webhook automatically, but that Service
  # exposes port 443 and also assumes targetPort 443, whereas the webhook
  # listens on its "https" port (8443). The upstream admission-webhook/service
  # is therefore still required.
  - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/admission-webhook/service.yaml
  - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.66.0-rhobs1/example/admission-webhook/pod-disruption-budget.yaml
  # Local manifests: webhook RBAC and the two ValidatingWebhookConfigurations.
  - admission-webhook/cluster-role.yaml
  - admission-webhook/cluster-role-binding.yaml
  - admission-webhook/alertmanager-config-validating-webhook.yaml
  - admission-webhook/prometheus-rule-validating-webhook.yaml

# Every rendered object lands in the "operators" namespace, is prefixed with
# "obo-" and carries the part-of label (commonLabels also rewrites selectors).
namespace: operators
namePrefix: obo-
commonLabels:
  app.kubernetes.io/part-of: observability-operator

patches:
  # PO Deployment: pin the operator and config-reloader images, restrict the
  # operator to Prometheus/Alertmanager/ThanosRuler instances labelled
  # managed-by=observability-operator (the *-instance-selector flags), set
  # resource requests/limits, and enforce runAsNonRoot on the container.
  # The OpenShift workload-management annotation marks the pod as a
  # management workload; the extra selector/template labels keep the
  # Deployment selector consistent with commonLabels.
  - patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: prometheus-operator
      spec:
        selector:
          matchLabels:
            app.kubernetes.io/part-of: observability-operator
        template:
          metadata:
            annotations:
              target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
            labels:
              app.kubernetes.io/part-of: observability-operator
          spec:
            containers:
              - name: prometheus-operator
                image: quay.io/rhobs/obo-prometheus-operator:v0.66.0-rhobs1
                args:
                  - --prometheus-config-reloader=quay.io/rhobs/obo-prometheus-config-reloader:v0.66.0-rhobs1
                  - --prometheus-instance-selector=app.kubernetes.io/managed-by=observability-operator
                  - --alertmanager-instance-selector=app.kubernetes.io/managed-by=observability-operator
                  - --thanos-ruler-instance-selector=app.kubernetes.io/managed-by=observability-operator
                resources:
                  requests:
                    cpu: 5m
                    memory: 150Mi
                  limits:
                    cpu: 100m
                    memory: 500Mi
                terminationMessagePolicy: FallbackToLogsOnError
                securityContext:
                  runAsNonRoot: true

  # JSON patch: drop the nodeSelector carried by the upstream PO Deployment
  # (presumably so the pod can schedule on any node — confirm against the
  # upstream manifest). A `remove` on a missing path fails the build.
  - patch: |-
      - op: remove
        path: /spec/template/spec/nodeSelector
    target:
      group: apps
      version: v1
      kind: Deployment
      name: prometheus-operator

  # JSON patch: append a rule to the PO ClusterRole granting `use` on the
  # OpenShift nonroot-v2 and nonroot SecurityContextConstraints, which the
  # runAsNonRoot container above needs to be admitted. This is a privilege
  # grant — keep the resourceNames list to exactly the SCCs the pod requires.
  - patch: |-
      - op: add
        path: /rules/-
        value:
          apiGroups:
            - security.openshift.io
          resourceNames:
            - nonroot-v2
            - nonroot
          resources:
            - securitycontextconstraints
          verbs:
            - use
    target:
      group: rbac.authorization.k8s.io
      version: v1
      kind: ClusterRole
      name: prometheus-operator

  # Webhook Deployment: serve TLS from the certificate/key that OLM injects
  # at /tmp/k8s-webhook-server/serving-certs/.
  - patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: prometheus-operator-admission-webhook
      spec:
        template:
          spec:
            containers:
              - name: prometheus-operator-admission-webhook
                args:
                  - --web.enable-tls=true
                  - --web.cert-file=/tmp/k8s-webhook-server/serving-certs/tls.crt
                  - --web.key-file=/tmp/k8s-webhook-server/serving-certs/tls.key

  # Rely on the tls-certificates injected by OLM instead of mounting empty
  # files: the next two strategic-merge patches use `$patch: delete` to remove
  # the upstream tls-certificates volume and its volumeMount.
  - patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: prometheus-operator-admission-webhook
      spec:
        template:
          spec:
            volumes:
              - name: tls-certificates
                $patch: delete
  - patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: prometheus-operator-admission-webhook
      spec:
        template:
          spec:
            containers:
              - name: prometheus-operator-admission-webhook
                volumeMounts:
                  - name: tls-certificates
                    $patch: delete

  # HACK: remove the RuntimeDefault seccompProfile from ALL deployments until we
  # figure out how to run the operator on all OpenShift versions from 4.9-13.
  # Currently the webhook fails to deploy on 4.10.
  # SEE: https://issues.redhat.com/browse/MON-3225 which should provide an actual fix
  #
  # NOTE(review): `name: '.*'` is a regex that matches every Deployment in this
  # build, so the seccomp hardening is dropped for the PO Deployment as well,
  # not only for the webhook the note describes. This lowers the pod security
  # baseline of both workloads; revisit (or narrow the target) once MON-3225
  # lands. As a JSON-patch `remove`, it also fails the build if a matched
  # Deployment has no seccompProfile set.
  - patch: |-
      - op: remove
        path: /spec/template/spec/securityContext/seccompProfile
    target:
      group: apps
      version: v1
      kind: Deployment
      name: '.*'