From 2ab5c07b89823c1bcebde0678cbe5a46a1176d2c Mon Sep 17 00:00:00 2001 From: Rishabh Kumar Jain Date: Fri, 24 Jul 2020 12:10:41 -0700 Subject: [PATCH] Project Test CAPD Initial Commit --- certmanager/certificate.yaml | 24 +++ certmanager/kustomization.yaml | 8 + certmanager/kustomizeconfig.yaml | 19 ++ ...cture.cluster.x-k8s.io_dockerclusters.yaml | 164 ++++++++++++++++++ ...cture.cluster.x-k8s.io_dockermachines.yaml | 148 ++++++++++++++++ ...uster.x-k8s.io_dockermachinetemplates.yaml | 107 ++++++++++++ crd/kustomization.yaml | 30 ++++ crd/kustomizeconfig.yaml | 17 ++ .../cainjection_in_dockerclusters.yaml | 8 + .../cainjection_in_dockermachines.yaml | 8 + crd/patches/webhook_in_dockerclusters.yaml | 19 ++ crd/patches/webhook_in_dockermachines.yaml | 19 ++ default/kustomization.yaml | 9 + default/namespace.yaml | 6 + kustomization.yaml | 9 + manager/kustomization.yaml | 8 + manager/manager.yaml | 44 +++++ manager/manager_auth_proxy_patch.yaml | 25 +++ manager/manager_image_patch.yaml | 12 ++ manager/manager_prometheus_metrics_patch.yaml | 19 ++ manager/manager_pull_policy.yaml | 11 ++ rbac/auth_proxy_role.yaml | 13 ++ rbac/auth_proxy_role_binding.yaml | 12 ++ rbac/auth_proxy_service.yaml | 18 ++ rbac/kustomization.yaml | 13 ++ rbac/leader_election_role.yaml | 32 ++++ rbac/leader_election_role_binding.yaml | 12 ++ rbac/role.yaml | 65 +++++++ rbac/role_binding.yaml | 12 ++ webhook/kustomization.yaml | 45 +++++ webhook/kustomizeconfig.yaml | 20 +++ webhook/manager_webhook_patch.yaml | 24 +++ webhook/manifests.yaml | 28 +++ webhook/service.yaml | 12 ++ webhook/webhookcainjection_patch.yaml | 8 + 35 files changed, 1028 insertions(+) create mode 100644 certmanager/certificate.yaml create mode 100644 certmanager/kustomization.yaml create mode 100644 certmanager/kustomizeconfig.yaml create mode 100644 crd/bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml create mode 100644 crd/bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml create mode 100644 crd/bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml create mode 100644 crd/kustomization.yaml create mode 100644 crd/kustomizeconfig.yaml create mode 100644 crd/patches/cainjection_in_dockerclusters.yaml create mode 100644 crd/patches/cainjection_in_dockermachines.yaml create mode 100644 crd/patches/webhook_in_dockerclusters.yaml create mode 100644 crd/patches/webhook_in_dockermachines.yaml create mode 100644 default/kustomization.yaml create mode 100644 default/namespace.yaml create mode 100644 kustomization.yaml create mode 100644 manager/kustomization.yaml create mode 100644 manager/manager.yaml create mode 100644 manager/manager_auth_proxy_patch.yaml create mode 100644 manager/manager_image_patch.yaml create mode 100644 manager/manager_prometheus_metrics_patch.yaml create mode 100644 manager/manager_pull_policy.yaml create mode 100644 rbac/auth_proxy_role.yaml create mode 100644 rbac/auth_proxy_role_binding.yaml create mode 100644 rbac/auth_proxy_service.yaml create mode 100644 rbac/kustomization.yaml create mode 100644 rbac/leader_election_role.yaml create mode 100644 rbac/leader_election_role_binding.yaml create mode 100644 rbac/role.yaml create mode 100644 rbac/role_binding.yaml create mode 100644 webhook/kustomization.yaml create mode 100644 webhook/kustomizeconfig.yaml create mode 100644 webhook/manager_webhook_patch.yaml create mode 100644 webhook/manifests.yaml create mode 100644 webhook/service.yaml create mode 100644 webhook/webhookcainjection_patch.yaml diff --git a/certmanager/certificate.yaml b/certmanager/certificate.yaml new file mode 100644 index 0000000..cc53cbd --- /dev/null +++ b/certmanager/certificate.yaml @@ -0,0 +1,24 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +apiVersion: cert-manager.io/v1alpha2 +kind: Issuer +metadata: + name: selfsigned-issuer + namespace: system +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1alpha2 +kind: Certificate +metadata: + name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: + # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames: + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/certmanager/kustomization.yaml b/certmanager/kustomization.yaml new file mode 100644 index 0000000..438e93c --- /dev/null +++ b/certmanager/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- certificate.yaml + +configurations: +- kustomizeconfig.yaml diff --git a/certmanager/kustomizeconfig.yaml b/certmanager/kustomizeconfig.yaml new file mode 100644 index 0000000..28a895a --- /dev/null +++ b/certmanager/kustomizeconfig.yaml @@ -0,0 +1,19 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +nameReference: +- kind: Issuer + group: cert-manager.io + fieldSpecs: + - kind: Certificate + group: cert-manager.io + path: spec/issuerRef/name + +varReference: +- kind: Certificate + group: cert-manager.io + path: spec/commonName +- kind: Certificate + group: cert-manager.io + path: spec/dnsNames +- kind: Certificate + group: cert-manager.io + path: spec/secretName diff --git a/crd/bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml b/crd/bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml new file mode 100644 index 0000000..e3537a0 --- /dev/null +++ b/crd/bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml @@ -0,0 +1,164 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: dockerclusters.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: DockerCluster + listKind: DockerClusterList + plural: dockerclusters + singular: dockercluster + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: DockerCluster is the Schema for the dockerclusters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DockerClusterSpec defines the desired state of DockerCluster. + properties: + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: Host is the hostname on which the API server is serving. + type: string + port: + description: Port is the port on which the API server is serving. + type: integer + required: + - host + - port + type: object + failureDomains: + additionalProperties: + description: FailureDomainSpec is the Schema for Cluster API failure + domains. It allows controllers to understand how many failure + domains a cluster can optionally span across. + properties: + attributes: + additionalProperties: + type: string + description: Attributes is a free form map of attributes an + infrastructure provider might use or require. + type: object + controlPlane: + description: ControlPlane determines if this failure domain + is suitable for use by control plane machines. + type: boolean + type: object + description: FailureDomains are not usulaly defined on the spec. The + docker provider is special since failure domains don't mean anything + in a local docker environment. Instead, the docker cluster controller + will simply copy these into the Status and allow the Cluster API + controllers to do what they will with the defined failure domains. + type: object + type: object + status: + description: DockerClusterStatus defines the observed state of DockerCluster. + properties: + conditions: + description: Conditions defines current service state of the DockerCluster. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + failureDomains: + additionalProperties: + description: FailureDomainSpec is the Schema for Cluster API failure + domains. It allows controllers to understand how many failure + domains a cluster can optionally span across. + properties: + attributes: + additionalProperties: + type: string + description: Attributes is a free form map of attributes an + infrastructure provider might use or require. + type: object + controlPlane: + description: ControlPlane determines if this failure domain + is suitable for use by control plane machines. + type: boolean + type: object + description: FailureDomains don't mean much in CAPD since it's all + local, but we can see how the rest of cluster API will use this + if we populate it. + type: object + ready: + description: Ready denotes that the docker cluster (infrastructure) + is ready. + type: boolean + required: + - ready + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/crd/bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml b/crd/bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml new file mode 100644 index 0000000..5f16c8a --- /dev/null +++ b/crd/bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml @@ -0,0 +1,148 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: dockermachines.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: DockerMachine + listKind: DockerMachineList + plural: dockermachines + singular: dockermachine + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: DockerMachine is the Schema for the dockermachines API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DockerMachineSpec defines the desired state of DockerMachine + properties: + bootstrapped: + description: Bootstrapped is true when the kubeadm bootstrapping has + been run against this machine + type: boolean + customImage: + description: CustomImage allows customizing the container image that + is used for running the machine + type: string + extraMounts: + description: ExtraMounts describes additional mount points for the + node container These may be used to bind a hostPath + items: + description: Mount specifies a host volume to mount into a container. + This is a simplified version of kind v1alpha4.Mount types + properties: + containerPath: + description: Path of the mount within the container. + type: string + hostPath: + description: Path of the mount on the host. If the hostPath + doesn't exist, then runtimes should report error. If the hostpath + is a symbolic link, runtimes should follow the symlink and + mount the real destination to container. + type: string + readOnly: + description: If set, the mount is read-only. + type: boolean + type: object + type: array + preLoadImages: + description: PreLoadImages allows to pre-load images in a newly created + machine. This can be used to speed up tests by avoiding e.g. to + download CNI images on all the containers. + items: + type: string + type: array + providerID: + description: ProviderID will be the container name in ProviderID format + (docker:////) + type: string + type: object + status: + description: DockerMachineStatus defines the observed state of DockerMachine + properties: + conditions: + description: Conditions defines current service state of the DockerMachine. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + loadBalancerConfigured: + description: LoadBalancerConfigured denotes that the machine has been + added to the load balancer + type: boolean + ready: + description: Ready denotes that the machine (docker container) is + ready + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/crd/bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml b/crd/bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml new file mode 100644 index 0000000..9758443 --- /dev/null +++ b/crd/bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml @@ -0,0 +1,107 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: dockermachinetemplates.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: DockerMachineTemplate + listKind: DockerMachineTemplateList + plural: dockermachinetemplates + singular: dockermachinetemplate + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: DockerMachineTemplate is the Schema for the dockermachinetemplates + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DockerMachineTemplateSpec defines the desired state of DockerMachineTemplate + properties: + template: + description: DockerMachineTemplateResource describes the data needed + to create a DockerMachine from a template + properties: + spec: + description: Spec is the specification of the desired behavior + of the machine. + properties: + bootstrapped: + description: Bootstrapped is true when the kubeadm bootstrapping + has been run against this machine + type: boolean + customImage: + description: CustomImage allows customizing the container + image that is used for running the machine + type: string + extraMounts: + description: ExtraMounts describes additional mount points + for the node container These may be used to bind a hostPath + items: + description: Mount specifies a host volume to mount into + a container. This is a simplified version of kind v1alpha4.Mount + types + properties: + containerPath: + description: Path of the mount within the container. + type: string + hostPath: + description: Path of the mount on the host. If the hostPath + doesn't exist, then runtimes should report error. + If the hostpath is a symbolic link, runtimes should + follow the symlink and mount the real destination + to container. + type: string + readOnly: + description: If set, the mount is read-only. + type: boolean + type: object + type: array + preLoadImages: + description: PreLoadImages allows to pre-load images in a + newly created machine. This can be used to speed up tests + by avoiding e.g. to download CNI images on all the containers. + items: + type: string + type: array + providerID: + description: ProviderID will be the container name in ProviderID + format (docker:////) + type: string + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/crd/kustomization.yaml b/crd/kustomization.yaml new file mode 100644 index 0000000..257fa4b --- /dev/null +++ b/crd/kustomization.yaml @@ -0,0 +1,30 @@ +commonLabels: + cluster.x-k8s.io/v1alpha3: v1alpha3 + +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml +- bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml +- bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml +# +kubebuilder:scaffold:crdkustomizeresource + +patchesStrategicMerge: [] +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. +# patches here are for enabling the conversion webhook for each CRD +#- patches/webhook_in_dockermachines.yaml +#- patches/webhook_in_dockerclusters.yaml +# +kubebuilder:scaffold:crdkustomizewebhookpatch + +# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. +# patches here are for enabling the CA injection for each CRD +#- patches/cainjection_in_dockermachines.yaml +#- patches/cainjection_in_dockerclusters.yaml +# +kubebuilder:scaffold:crdkustomizecainjectionpatch + +# the following config is for teaching kustomize how to do kustomization for CRDs. +configurations: +- kustomizeconfig.yaml diff --git a/crd/kustomizeconfig.yaml b/crd/kustomizeconfig.yaml new file mode 100644 index 0000000..8e2d8d6 --- /dev/null +++ b/crd/kustomizeconfig.yaml @@ -0,0 +1,17 @@ +# This file is for teaching kustomize how to substitute name and namespace reference in CRD +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/name + +namespace: +- kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/namespace + create: false + +varReference: +- path: metadata/annotations diff --git a/crd/patches/cainjection_in_dockerclusters.yaml b/crd/patches/cainjection_in_dockerclusters.yaml new file mode 100644 index 0000000..588b6d6 --- /dev/null +++ b/crd/patches/cainjection_in_dockerclusters.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: dockerclusters.infrastructure.cluster.x-k8s.io diff --git a/crd/patches/cainjection_in_dockermachines.yaml b/crd/patches/cainjection_in_dockermachines.yaml new file mode 100644 index 0000000..324733a --- /dev/null +++ b/crd/patches/cainjection_in_dockermachines.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: dockermachines.infrastructure.cluster.x-k8s.io diff --git a/crd/patches/webhook_in_dockerclusters.yaml b/crd/patches/webhook_in_dockerclusters.yaml new file mode 100644 index 0000000..2dfca08 --- /dev/null +++ b/crd/patches/webhook_in_dockerclusters.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: dockerclusters.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/crd/patches/webhook_in_dockermachines.yaml b/crd/patches/webhook_in_dockermachines.yaml new file mode 100644 index 0000000..a9c5636 --- /dev/null +++ b/crd/patches/webhook_in_dockermachines.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: dockermachines.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/default/kustomization.yaml b/default/kustomization.yaml new file mode 100644 index 0000000..6ff3f02 --- /dev/null +++ b/default/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: capd-system + +resources: + - namespace.yaml + +bases: + - ../rbac diff --git a/default/namespace.yaml b/default/namespace.yaml new file mode 100644 index 0000000..8b55c3c --- /dev/null +++ b/default/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: system diff --git a/kustomization.yaml b/kustomization.yaml new file mode 100644 index 0000000..bd7e566 --- /dev/null +++ b/kustomization.yaml @@ -0,0 +1,9 @@ +namePrefix: capd- + +commonLabels: + cluster.x-k8s.io/provider: "infrastructure-docker" + +resources: +- crd +- default +- webhook diff --git a/manager/kustomization.yaml b/manager/kustomization.yaml new file mode 100644 index 0000000..9d299ad --- /dev/null +++ b/manager/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- manager.yaml + +patchesStrategicMerge: + - manager_image_patch.yaml + - manager_auth_proxy_patch.yaml diff --git a/manager/manager.yaml b/manager/manager.yaml new file mode 100644 index 0000000..3776f0a --- /dev/null +++ b/manager/manager.yaml @@ -0,0 +1,44 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --enable-leader-election + image: controller:latest + name: manager + ports: + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + livenessProbe: + httpGet: + path: /healthz + port: healthz + volumeMounts: + - mountPath: /var/run/docker.sock + name: dockersock + securityContext: + privileged: true + terminationGracePeriodSeconds: 10 + volumes: + - name: dockersock + hostPath: + path: /var/run/docker.sock diff --git a/manager/manager_auth_proxy_patch.yaml b/manager/manager_auth_proxy_patch.yaml new file mode 100644 index 0000000..6c8f9ce --- /dev/null +++ b/manager/manager_auth_proxy_patch.yaml @@ -0,0 +1,25 @@ +# This patch inject a sidecar container which is a HTTP proxy for the controller manager, +# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: manager + args: + - "--metrics-addr=0" + - "-v=4" diff --git a/manager/manager_image_patch.yaml b/manager/manager_image_patch.yaml new file mode 100644 index 0000000..2b0a3fe --- /dev/null +++ b/manager/manager_image_patch.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + # Change the value of image field below to your controller image URL + - image: gcr.io/k8s-staging-cluster-api/capd-manager:master + name: manager diff --git a/manager/manager_prometheus_metrics_patch.yaml b/manager/manager_prometheus_metrics_patch.yaml new file mode 100644 index 0000000..0b96c68 --- /dev/null +++ b/manager/manager_prometheus_metrics_patch.yaml @@ -0,0 +1,19 @@ +# This patch enables Prometheus scraping for the manager pod. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + metadata: + annotations: + prometheus.io/scrape: 'true' + spec: + containers: + # Expose the prometheus metrics on default port + - name: manager + ports: + - containerPort: 8080 + name: metrics + protocol: TCP diff --git a/manager/manager_pull_policy.yaml b/manager/manager_pull_policy.yaml new file mode 100644 index 0000000..74a0879 --- /dev/null +++ b/manager/manager_pull_policy.yaml @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + imagePullPolicy: Always diff --git a/rbac/auth_proxy_role.yaml b/rbac/auth_proxy_role.yaml new file mode 100644 index 0000000..618f5e4 --- /dev/null +++ b/rbac/auth_proxy_role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: proxy-role +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] diff --git a/rbac/auth_proxy_role_binding.yaml b/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 0000000..48ed1e4 --- /dev/null +++ b/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/rbac/auth_proxy_service.yaml b/rbac/auth_proxy_service.yaml new file mode 100644 index 0000000..d61e546 --- /dev/null +++ b/rbac/auth_proxy_service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "8443" + prometheus.io/scheme: https + prometheus.io/scrape: "true" + labels: + control-plane: controller-manager + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager diff --git a/rbac/kustomization.yaml b/rbac/kustomization.yaml new file mode 100644 index 0000000..82895f5 --- /dev/null +++ b/rbac/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# Comment the following 3 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml diff --git a/rbac/leader_election_role.yaml b/rbac/leader_election_role.yaml new file mode 100644 index 0000000..eaa7915 --- /dev/null +++ b/rbac/leader_election_role.yaml @@ -0,0 +1,32 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create diff --git a/rbac/leader_election_role_binding.yaml b/rbac/leader_election_role_binding.yaml new file mode 100644 index 0000000..eed1690 --- /dev/null +++ b/rbac/leader_election_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/rbac/role.yaml b/rbac/role.yaml new file mode 100644 index 0000000..18b12e9 --- /dev/null +++ b/rbac/role.yaml @@ -0,0 +1,65 @@ + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - machines + verbs: + - get + - list + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - dockerclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - dockerclusters/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - dockermachines + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - dockermachines/status + verbs: + - get + - patch + - update diff --git a/rbac/role_binding.yaml b/rbac/role_binding.yaml new file mode 100644 index 0000000..8f26587 --- /dev/null +++ b/rbac/role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/webhook/kustomization.yaml b/webhook/kustomization.yaml new file mode 100644 index 0000000..ec4e284 --- /dev/null +++ b/webhook/kustomization.yaml @@ -0,0 +1,45 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: capd-system + +resources: +- manifests.yaml +- service.yaml +- ../certmanager +- ../manager + +patchesStrategicMerge: +- manager_webhook_patch.yaml +- webhookcainjection_patch.yaml + +configurations: +- kustomizeconfig.yaml + +vars: + - name: SERVICE_NAMESPACE # namespace of the service + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace + - name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service + # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. + - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + fieldref: + fieldpath: metadata.namespace + - name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml diff --git a/webhook/kustomizeconfig.yaml b/webhook/kustomizeconfig.yaml new file mode 100644 index 0000000..7cf1cd5 --- /dev/null +++ b/webhook/kustomizeconfig.yaml @@ -0,0 +1,20 @@ +# the following config is for teaching kustomize where to look at when substituting vars. +# It requires kustomize v2.1.0 or newer to work properly. +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + +namespace: +- kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true + +varReference: +- path: metadata/annotations +- kind: Deployment + path: spec/template/spec/volumes/secret/secretName diff --git a/webhook/manager_webhook_patch.yaml b/webhook/manager_webhook_patch.yaml new file mode 100644 index 0000000..ac72d58 --- /dev/null +++ b/webhook/manager_webhook_patch.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + ports: + - containerPort: 443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize + diff --git a/webhook/manifests.yaml b/webhook/manifests.yaml new file mode 100644 index 0000000..9a2e1d2 --- /dev/null +++ b/webhook/manifests.yaml @@ -0,0 +1,28 @@ + +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + creationTimestamp: null + name: validating-webhook-configuration +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-dockermachinetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.dockermachinetemplate.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - dockermachinetemplates + sideEffects: None diff --git a/webhook/service.yaml b/webhook/service.yaml new file mode 100644 index 0000000..b486102 --- /dev/null +++ b/webhook/service.yaml @@ -0,0 +1,12 @@ + +apiVersion: v1 +kind: Service +metadata: + name: webhook-service + namespace: system +spec: + ports: + - port: 443 + targetPort: 443 + selector: + control-plane: controller-manager diff --git a/webhook/webhookcainjection_patch.yaml b/webhook/webhookcainjection_patch.yaml new file mode 100644 index 0000000..4e580bd --- /dev/null +++ b/webhook/webhookcainjection_patch.yaml @@ -0,0 +1,8 @@ +# This patch add annotation to admission webhook config and +# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)