From 8d943e6fffefa2415b6d73e30ae9b999984c6a46 Mon Sep 17 00:00:00 2001 From: Cho Youngrae Date: Mon, 7 Aug 2023 14:42:54 +0900 Subject: [PATCH 1/6] chore: spring boot version 2.6 -> 2.7 to use PEM certificate --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index dc0e2ec4..53a7b13a 100644 --- a/pom.xml +++ b/pom.xml @@ -18,7 +18,7 @@ org.springframework.boot spring-boot-starter-parent - 2.6.4 + 2.7.14 From 564cf0eeb01d43ec8b64723d9128b29eb1057811 Mon Sep 17 00:00:00 2001 From: Cho Youngrae Date: Mon, 7 Aug 2023 14:44:37 +0900 Subject: [PATCH 2/6] chore: PEM certificate properties --- src/main/resources/application-enable-ssl.properties | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main/resources/application-enable-ssl.properties b/src/main/resources/application-enable-ssl.properties index b76c6b30..7a3472f0 100644 --- a/src/main/resources/application-enable-ssl.properties +++ b/src/main/resources/application-enable-ssl.properties @@ -1,4 +1,4 @@ server.ssl.enabled=true -server.ssl.key-store-type=PKCS12 -server.ssl.key-store=### To be filled ### -server.ssl.key-store-password=### To be filled ### +server.ssl.certificate=### To be filled ### +server.ssl.certificate-private-key=### To be filled ### +server.ssl.trust-certificate=### To be filled ### \ No newline at end of file From 0219c742c5a53ee4e86f1d4944c5a4266f862340 Mon Sep 17 00:00:00 2001 From: Cho Youngrae Date: Mon, 7 Aug 2023 14:45:21 +0900 Subject: [PATCH 3/6] chore: Add Macbook .DS_Store file --- .gitignore | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index ab4d21d6..d4b0f2bf 100644 --- a/.gitignore +++ b/.gitignore @@ -37,4 +37,7 @@ build/ .prefs *.prefs .metadata/ -.factorypath \ No newline at end of file +.factorypath + +### Macbook ### +.DS_Store From e4bb46fe797748bb180a003baa3aa3a488662a84 Mon Sep 17 00:00:00 2001 
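Review bot: `server.ssl.trust-certificate` on its own only loads a trust store; Spring Boot does not request or verify client certificates unless `server.ssl.client-auth=need` (or `want`) is also set, so as written the third added line is inert while reading as if mutual TLS were enforced. If client authentication from the API server is intended, add `server.ssl.client-auth=need` beside it; if it is not, drop the trust-certificate line so the configuration does not overstate what it does. The same property is wired into `helm/templates/_helpers.tpl` (PATCH 4/6) and `kubernetes/controller/kustomization.yaml` (PATCH 5/6), which should follow whichever decision is made here. The file also loses its trailing newline in this hunk, as the `\ No newline at end of file` marker shows.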
From: Cho Youngrae Date: Fri, 8 Sep 2023 12:37:09 +0900 Subject: [PATCH 4/6] chore: resolve conflict --- helm/.helmignore | 23 ++++++ helm/Chart.yaml | 9 ++ helm/templates/_helpers.tpl | 19 +++++ helm/templates/certificate-and-webhook.yaml | 46 +++++++++++ helm/templates/configmap.yaml | 9 ++ helm/templates/crd.yaml | 92 +++++++++++++++++++++ helm/templates/deployment.yaml | 53 ++++++++++++ helm/templates/role.yaml | 75 +++++++++++++++++ helm/templates/service.yaml | 13 +++ helm/templates/serviceaccount.yaml | 5 ++ helm/values.yaml | 16 ++++ 11 files changed, 360 insertions(+) create mode 100644 helm/.helmignore create mode 100644 helm/Chart.yaml create mode 100644 helm/templates/_helpers.tpl create mode 100644 helm/templates/certificate-and-webhook.yaml create mode 100644 helm/templates/configmap.yaml create mode 100644 helm/templates/crd.yaml create mode 100644 helm/templates/deployment.yaml create mode 100644 helm/templates/role.yaml create mode 100644 helm/templates/service.yaml create mode 100644 helm/templates/serviceaccount.yaml create mode 100644 helm/values.yaml diff --git a/helm/.helmignore b/helm/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/helm/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/Chart.yaml b/helm/Chart.yaml new file mode 100644 index 00000000..b65bfa77 --- /dev/null +++ b/helm/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v2 +name: resource-group-controller +description: A Helm chart for resource-group-controller + +type: application + +version: 1.0.0 + +appVersion: "1.1.0-SNAPSHOT" 
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 00000000..f5e1dfba
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,19 @@
+{{/*
+Create Resource Group Controller app version
+*/}}
+{{- define "resource-group-controller.version" -}}
+{{- default .Chart.AppVersion .Values.image.tag }}
+{{- end -}}
+
+{{/*
+Resource Group Controller Envs Configuration
+*/}}
+{{- define "resource-group-controller.cm.envs" -}}
+TZ: {{ .Values.app.timezone }}
+SPRING_PROFILES_ACTIVE: {{ .Values.app.profile }}
+LOGGING_LEVEL_IO_TEN1010_COASTER_GROUPCONTROLLER: {{ .Values.app.loggingLevel }}
+SERVER_SSL_CERTIFICATE: {{ .Values.app.certificatePath }}/tls.crt
+SERVER_SSL_CERTIFICATE_PRIVATE_KEY: {{ .Values.app.certificatePath }}/tls.key
+SERVER_SSL_TRUST_CERTIFICATE: {{ .Values.app.certificatePath }}/ca.crt
+APP_SCHEDULING_GROUP_NODE_ONLY: '{{ .Values.app.schedulingGroupNodeOnly }}'
+{{- end }}
\ No newline at end of file
diff --git a/helm/templates/certificate-and-webhook.yaml b/helm/templates/certificate-and-webhook.yaml
new file mode 100644
index 00000000..d6189053
--- /dev/null
+++ b/helm/templates/certificate-and-webhook.yaml
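Review bot: Only `APP_SCHEDULING_GROUP_NODE_ONLY` is quoted in `resource-group-controller.cm.envs`; the other six values are emitted as plain scalars, and ConfigMap `data` values must be strings, so a setting such as `loggingLevel: off` (a valid Spring logging level) is read as a YAML boolean and the chart fails to install. Pipe every value through `quote`, e.g. `LOGGING_LEVEL_IO_TEN1010_COASTER_GROUPCONTROLLER: {{ .Values.app.loggingLevel | quote }}`, and for the path lines `SERVER_SSL_CERTIFICATE: {{ printf "%s/tls.crt" .Values.app.certificatePath | quote }}`. The single-quoted form on the last line also breaks if the value ever contains a quote character; `quote` handles that case as well.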
@@ -0,0 +1,46 @@
+{{- $altNames := list ( "resource-group-controller.resource-group-controller.svc" ) -}}
+{{- $ca := genCA "coaster" 365 -}}
+{{- $cert := genSignedCert "resource-group-controller" nil $altNames 365 $ca -}}
+
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: resource-group-controller.ten1010.io
+ namespace: {{ .Release.Namespace }}
+webhooks:
+ - name: resource-group-controller.ten1010.io
+ admissionReviewVersions: ["v1"]
+ clientConfig:
+ caBundle: {{ $ca.Cert | b64enc | quote }}
+ service:
+ namespace: {{ .Release.Namespace }}
+ name: resource-group-controller
+ path: /admissionreviews
+ port: 8080
+ failurePolicy: Ignore
+ matchPolicy: Equivalent
+ namespaceSelector: {}
+ objectSelector: {}
+ reinvocationPolicy: IfNeeded
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE"]
+ resources: ["pods"]
+ scope: "*"
+ sideEffects: None
+ timeoutSeconds: 10
+---
+
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: resource-group-controller-tls
+ namespace: {{ .Release.Namespace }}
+
+data:
+ tls.crt: {{ $cert.Cert | b64enc | quote }}
+ tls.key: {{ $cert.Key | b64enc | quote }}
+ ca.crt: {{ $ca.Cert | b64enc | quote }}
\ No newline at end of file
diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml
new file mode 100644
index 00000000..8c0f566d
--- /dev/null
+++ b/helm/templates/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: resource-group-controller-envs
+ namespace: {{ .Release.Namespace }}
+
+data:
+ {{- include "resource-group-controller.cm.envs" . | nindent 2 }}
+---
diff --git a/helm/templates/crd.yaml b/helm/templates/crd.yaml
new file mode 100644
index 00000000..2f7d8dd5
--- /dev/null
+++ b/helm/templates/crd.yaml
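Review bot: The SAN on the first line hard-codes the namespace, `resource-group-controller.resource-group-controller.svc`, while the Service and the webhook's `clientConfig.service.namespace` use `{{ .Release.Namespace }}`; installing the release into any other namespace makes the API server's TLS verification of the webhook fail on hostname mismatch. Derive it from the release instead: `{{- $altNames := list (printf "resource-group-controller.%s.svc" .Release.Namespace) -}}`. `genCA`/`genSignedCert` also run on every render, so each `helm upgrade` replaces the Secret and `caBundle` with a fresh pair while the running pod keeps the key it loaded at startup until it is restarted — either reuse the existing Secret via `lookup` or make the Deployment roll when this file changes. `failurePolicy: Ignore` means a pod created while the webhook is unreachable is admitted unmodified; that is a deliberate availability-over-enforcement choice and should carry a comment saying so. `port: 8080` is hard-coded here while service.yaml templates `.Values.service.port`; keep them coupled with `port: {{ .Values.service.port }}`.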
@@ -0,0 +1,92 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: resourcegroups.ten1010.io +spec: + scope: Cluster + names: + kind: ResourceGroup + plural: resourcegroups + singular: resourcegroup + shortNames: + - rgrp + group: ten1010.io + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - name: NODES + type: string + jsonPath: .spec.nodes + - name: NAMESPACES + type: string + jsonPath: .spec.namespaces + - name: EXCEPTIONS.DAEMONSETS + type: string + jsonPath: .spec.exceptions.daemonSets + - name: SUBJECTS + type: string + jsonPath: .spec.subjects + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + required: + - metadata + - spec + properties: + metadata: + type: object + spec: + type: object + properties: + nodes: + type: array + items: + type: string + default: [] + namespaces: + type: array + items: + type: string + default: [] + exceptions: + type: object + properties: + daemonSets: + type: array + items: + type: object + required: + - namespace + - name + properties: + namespace: + type: string + name: + type: string + default: [] + default: {} + subjects: + type: array + items: + type: object + required: + - apiGroup + - kind + - name + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + default: [] + status: + type: object +--- diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml new file mode 100644 index 00000000..ecd365f2 --- /dev/null +++ b/helm/templates/deployment.yaml 
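Review bot: `status` is declared as `type: object` with no `properties` and no `x-kubernetes-preserve-unknown-fields: true`, so under the structural-schema pruning that `apiextensions.k8s.io/v1` applies, any field the controller writes through the `status` subresource is silently dropped. If the controller reports status, either list its fields under `status.properties` or add `x-kubernetes-preserve-unknown-fields: true` beneath `status:`; if it never writes status, the `subresources: status: {}` stanza can be removed so the schema does not suggest otherwise.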
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: resource-group-controller
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: resource-group-controller
+ template:
+ metadata:
+ labels:
+ app: resource-group-controller
+ spec:
+ serviceAccountName: resource-group-controller
+ automountServiceAccountToken: true
+ containers:
+ - name: resource-group-controller
+ image: "{{ .Values.image.repository }}:{{ include "resource-group-controller.version" . }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ envFrom:
+ - configMapRef:
+ name: resource-group-controller-envs
+ volumeMounts:
+ - name: tls
+ readOnly: true
+ mountPath: {{ .Values.app.certificatePath }}
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ volumes:
+ - name: tls
+ projected:
+ sources:
+ - secret:
+ name: resource-group-controller-tls
+ items:
+ - key: tls.crt
+ path: "tls.crt"
+ - key: tls.key
+ path: "tls.key"
+ - key: ca.crt
+ path: "ca.crt"
\ No newline at end of file
diff --git a/helm/templates/role.yaml b/helm/templates/role.yaml
new file mode 100644
index 00000000..e4b26c57
--- /dev/null
+++ b/helm/templates/role.yaml
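Review bot: The pod template sets no `securityContext` and no `resources`, so a controller whose ServiceAccount holds cluster-wide `*` on secrets and RBAC objects (role.yaml in this patch) runs as whatever user the image defaults to, with a writable root filesystem and no CPU/memory ceiling. Add at container level `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: {drop: ["ALL"]}}` — after confirming the image's user and which paths it writes — plus a `resources` block with at least limits. Because certificate-and-webhook.yaml regenerates the TLS Secret on every render, the template should also carry an annotation that changes with it, e.g. `checksum/tls: {{ include (print $.Template.BasePath "/certificate-and-webhook.yaml") . | sha256sum }}`, so an upgrade rolls the pod onto the new key instead of leaving it serving a certificate the new `caBundle` no longer trusts.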
@@ -0,0 +1,75 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: resource-group-controller.ten1010.io +rules: + - apiGroups: ["ten1010.io"] + resources: ["resourcegroups"] + verbs: ["get", "watch", "list"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list", "update", "delete"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "watch", "list", "update"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles"] + verbs: ["create", "get", "watch", "list", "update", "delete"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["rolebindings"] + verbs: ["create", "get", "watch", "list", "update", "delete"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["create", "get", "watch", "list", "update", "delete"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterrolebindings"] + verbs: ["create", "get", "watch", "list", "update", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["get", "watch", "list", "update"] + + ### Needed to reconcile resource group role ### + - apiGroups: [""] + resources: ["pods", "services", "configmaps", "secrets", "persistentvolumeclaims", "serviceaccounts", "limitranges", "events"] + verbs: ["*"] + - apiGroups: ["events.k8s.io"] + resources: ["events"] + verbs: ["*"] + - apiGroups: ["batch"] + resources: ["jobs", "cronjobs"] + verbs: ["*"] + - apiGroups: ["apps"] + resources: ["deployments", "statefulsets"] + verbs: ["*"] + - apiGroups: ["autoscaling"] + resources: ["horizontalpodautoscalers"] + verbs: ["*"] + - apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["*"] + - apiGroups: ["ten1010.io"] + resources: ["resourcegroups"] + verbs: ["get"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get"] +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: resource-group-controller.ten1010.io +subjects: + - kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: resource-group-controller +roleRef: + kind: ClusterRole + name: resource-group-controller.ten1010.io + apiGroup: rbac.authorization.k8s.io +--- diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml new file mode 100644 index 00000000..8d07e257 --- /dev/null +++ b/helm/templates/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: resource-group-controller + namespace: {{ .Release.Namespace }} +spec: + type: {{ .Values.service.type }} + selector: + app: resource-group-controller + ports: + - protocol: TCP + port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} diff --git a/helm/templates/serviceaccount.yaml b/helm/templates/serviceaccount.yaml new file mode 100644 index 00000000..e196df25 --- /dev/null +++ b/helm/templates/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: resource-group-controller + namespace: {{ .Release.Namespace }} diff --git a/helm/values.yaml b/helm/values.yaml new file mode 100644 index 00000000..12e2aa78 --- /dev/null +++ b/helm/values.yaml @@ -0,0 +1,16 @@ +image: + pullPolicy: IfNotPresent + repository: ten1010io/resource-group-controller + tag: "" + +app: + certificatePath: /etc/resource-group-controller/tls + timezone: Asia/Seoul + profile: production + loggingLevel: info + schedulingGroupNodeOnly: true + +service: + type: ClusterIP + targetPort: 8080 + port: 8080 From 977b85e3da7566a128b3b8d5a7f2bf46a1682d17 Mon Sep 17 00:00:00 2001 
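Review bot: The `### Needed to reconcile resource group role ###` block grants the controller's ServiceAccount `verbs: ["*"]` on secrets, serviceaccounts, deployments and the other listed resources in every namespace, on top of create/update/delete for clusterroles and clusterrolebindings; together that is a near cluster-admin identity, so the pod (which also exposes a network-reachable webhook) becomes the highest-value target in the cluster. If those wildcards exist only so RBAC escalation prevention lets the controller create the per-group roles, a comment should say so and the list should be trimmed to exactly the rules those generated roles contain, with `resourceNames` where the managed names are fixed. The same rules reappear unchanged in `helm/templates/cluster-role.yaml` (PATCH 6/6), which replaces this file.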
From: Cho Youngrae Date: Mon, 28 Aug 2023 15:41:00 +0900 Subject: [PATCH 5/6] chore: apply spring boot version 2.7 to kustomization --- kubernetes/controller/cert/configure.sh | 4 +++- kubernetes/controller/kustomization.yaml | 11 ++++++----- kubernetes/controller/templates/deployment.yaml | 10 ++++++---- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/kubernetes/controller/cert/configure.sh b/kubernetes/controller/cert/configure.sh index 97c034a0..d9c66c75 100755 --- a/kubernetes/controller/cert/configure.sh +++ b/kubernetes/controller/cert/configure.sh @@ -10,4 +10,6 @@ if [ ! -e "$output_dir_path/tls.p12" ]; then fi ca_bundle=$($script_path/get-ca-bundle.sh) sed -i 's/caBundle:.*/''caBundle: '"$ca_bundle"'/g' "../patches.yaml" -cp -f $output_dir_path/tls.p12 $script_path/../ +cp -f $output_dir_path/ca.crt $script_path/../ +cp -f $output_dir_path/tls.crt $script_path/../ +cp -f $output_dir_path/tls.key $script_path/../ diff --git a/kubernetes/controller/kustomization.yaml b/kubernetes/controller/kustomization.yaml index a707567f..c801d221 100644 --- a/kubernetes/controller/kustomization.yaml +++ b/kubernetes/controller/kustomization.yaml @@ -5,14 +5,15 @@ configMapGenerator: - TZ=Asia/Seoul - SPRING_PROFILES_ACTIVE=production - LOGGING_LEVEL_IO_TEN1010_COASTER_GROUPCONTROLLER=info - - SERVER_SSL_KEY_STORE=/etc/resource-group-controller/tls/tls.p12 + - SERVER_SSL_CERTIFICATE=/etc/resource-group-controller/tls/tls.crt + - SERVER_SSL_CERTIFICATE_PRIVATE_KEY=/etc/resource-group-controller/tls/tls.key + - SERVER_SSL_TRUST_CERTIFICATE=/etc/resource-group-controller/tls/ca.crt secretGenerator: - - name: resource-group-controller-envs - literals: - - SERVER_SSL_KEY_STORE_PASSWORD="" - name: resource-group-controller-tls files: - - tls.p12 + - tls.crt + - tls.key + - ca.crt generatorOptions: disableNameSuffixHash: true resources: 
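Review bot: The three `cp` lines now place `tls.key` (a private key) beside `kustomization.yaml`, where the `secretGenerator` in the next hunk reads it, but nothing in this series ignores `kubernetes/controller/tls.key`, `tls.crt` or `ca.crt` — PATCH 3/6 touches `.gitignore` and adds only `.DS_Store` — so unless an earlier, unseen part of `.gitignore` already covers them, the key is one `git add .` away from the repository. Add an ignore entry for those paths or copy into a directory that is already ignored. The guard in the hunk header still tests `$output_dir_path/tls.p12`; the generation step above this hunk is outside the view, so confirm it still emits the PEM files whenever the p12 exists, otherwise the new copies fail. The expansions on the added lines are unquoted; write `cp -f "$output_dir_path/tls.key" "$script_path/../"` so paths containing spaces do not split.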
diff --git a/kubernetes/controller/templates/deployment.yaml b/kubernetes/controller/templates/deployment.yaml index 85ca5c18..c5568248 100644 --- a/kubernetes/controller/templates/deployment.yaml +++ b/kubernetes/controller/templates/deployment.yaml @@ -32,8 +32,6 @@ spec: envFrom: - configMapRef: name: resource-group-controller-envs - - secretRef: - name: resource-group-controller-envs volumeMounts: - name: tls readOnly: true @@ -45,6 +43,10 @@ spec: - secret: name: resource-group-controller-tls items: - - key: tls.p12 - path: "tls.p12" + - key: tls.crt + path: "tls.crt" + - key: tls.key + path: "tls.key" + - key: ca.crt + path: "ca.crt" --- From b4ba083a3520a707487aed5d4003f2576566ca90 Mon Sep 17 00:00:00 2001 From: Cho Youngrae Date: Mon, 11 Sep 2023 12:43:53 +0900 Subject: [PATCH 6/6] chore: apply update to helm chart --- helm/templates/certificate-and-webhook.yaml | 22 ++++-- helm/templates/cluster-role.yaml | 78 +++++++++++++++++++ helm/templates/crd.yaml | 19 ++--- helm/templates/role.yaml | 75 ------------------ ...rviceaccount.yaml => service-account.yaml} | 0 5 files changed, 101 insertions(+), 93 deletions(-) create mode 100644 helm/templates/cluster-role.yaml delete mode 100644 helm/templates/role.yaml rename helm/templates/{serviceaccount.yaml => service-account.yaml} (100%) diff --git a/helm/templates/certificate-and-webhook.yaml b/helm/templates/certificate-and-webhook.yaml index d6189053..a3ad7fc4 100644 --- a/helm/templates/certificate-and-webhook.yaml +++ b/helm/templates/certificate-and-webhook.yaml @@ -6,10 +6,10 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: resource-group-controller.ten1010.io + name: resource-group-controller.resource-group.ten1010.io namespace: {{ .Release.Namespace }} webhooks: - - name: resource-group-controller.ten1010.io + - name: resource-group-controller.resource-group.ten1010.io admissionReviewVersions: ["v1"] clientConfig: caBundle: {{ $ca.Cert | b64enc | quote }} 
@@ -24,10 +24,20 @@ webhooks: objectSelector: {} reinvocationPolicy: IfNeeded rules: - - apiGroups: [""] - apiVersions: ["v1"] - operations: ["CREATE"] - resources: ["pods"] + - apiGroups: [ "" ] + apiVersions: [ "v1" ] + operations: [ "CREATE" ] + resources: [ "pods", "replicationcontrollers" ] + scope: "*" + - apiGroups: [ "batch" ] + apiVersions: [ "v1" ] + operations: [ "CREATE" ] + resources: [ "cronjobs", "jobs" ] + scope: "*" + - apiGroups: [ "apps" ] + apiVersions: [ "v1" ] + operations: [ "CREATE" ] + resources: [ "daemonsets", "deployments", "replicasets", "statefulsets" ] scope: "*" sideEffects: None timeoutSeconds: 10 diff --git a/helm/templates/cluster-role.yaml b/helm/templates/cluster-role.yaml new file mode 100644 index 00000000..68b5b1c9 --- /dev/null +++ b/helm/templates/cluster-role.yaml 
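Review bot: `operations: [ "CREATE" ]` on the new `batch` and `apps` rules leaves updates to an existing workload's pod template unseen by the webhook; if the mutation rewrites placement (node selector or affinity) on these controllers, editing a Deployment's template afterwards bypasses it, and the change is only caught again through the pod rule when pods are recreated — confirm that is intended. If enforcement on the controller objects matters, add `"UPDATE"` to `operations` for those two rules. With `failurePolicy: Ignore` (context above this hunk), the wider scope also means more object kinds are admitted unmodified whenever the webhook is unavailable, which is worth a comment next to the policy. The padded flow sequences (`[ "" ]`) differ from the `["v1"]` form kept on `admissionReviewVersions`; pick one style for the file.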
@@ -0,0 +1,78 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: resource-group-controller.resource-group.ten1010.io +rules: + - apiGroups: [ "resource-group.ten1010.io" ] + resources: [ "resourcegroups" ] + verbs: [ "get", "watch", "list" ] + - apiGroups: [ "" ] + resources: [ "pods", "replicationcontrollers" ] + verbs: [ "get", "watch", "list", "update", "delete" ] + - apiGroups: [ "batch" ] + resources: [ "cronjobs", "jobs" ] + verbs: [ "get", "watch", "list", "update", "delete" ] + - apiGroups: [ "apps" ] + resources: [ "daemonsets", "deployments", "replicasets", "statefulsets" ] + verbs: [ "get", "watch", "list", "update", "delete" ] + - apiGroups: [ "" ] + resources: [ "nodes" ] + verbs: [ "get", "watch", "list", "update" ] + - apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles" ] + verbs: [ "create", "get", "watch", "list", "update", "delete" ] + - apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "rolebindings" ] + verbs: [ "create", "get", "watch", "list", "update", "delete" ] + - apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "clusterroles" ] + verbs: [ "create", "get", "watch", "list", "update", "delete" ] + - apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "clusterrolebindings" ] + verbs: [ "create", "get", "watch", "list", "update", "delete" ] + - apiGroups: [ "" ] + resources: [ "namespaces" ] + verbs: [ "get", "watch", "list" ] + + ### Needed to reconcile resource group role ### + - apiGroups: [ "" ] + resources: [ "pods", "replicationcontrollers", "services", "configmaps", "secrets", "persistentvolumeclaims", "serviceaccounts", "limitranges", "events" ] + verbs: [ "*" ] + - apiGroups: [ "events.k8s.io" ] + resources: [ "events" ] + verbs: [ "*" ] + - apiGroups: [ "batch" ] + resources: [ "cronjobs", "jobs" ] + verbs: [ "*" ] + - apiGroups: [ "apps" ] + resources: [ "daemonsets", "deployments", "replicasets", "statefulsets" ] + verbs: [ "*" ] + - apiGroups: [ "autoscaling" ] + 
resources: [ "horizontalpodautoscalers" ] + verbs: [ "*" ] + - apiGroups: [ "policy" ] + resources: [ "poddisruptionbudgets" ] + verbs: [ "*" ] + - apiGroups: [ "ten1010.io" ] + resources: [ "resourcegroups" ] + verbs: [ "get" ] + - apiGroups: [ "" ] + resources: [ "nodes" ] + verbs: [ "get" ] + - apiGroups: [ "" ] + resources: [ "namespaces" ] + verbs: [ "get" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: resource-group-controller.resource-group.ten1010.io +subjects: + - kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: resource-group-controller +roleRef: + kind: ClusterRole + name: resource-group-controller.resource-group.ten1010.io + apiGroup: rbac.authorization.k8s.io +--- diff --git a/helm/templates/crd.yaml b/helm/templates/crd.yaml index 2f7d8dd5..fbf98ccf 100644 --- a/helm/templates/crd.yaml +++ b/helm/templates/crd.yaml @@ -1,7 +1,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: resourcegroups.ten1010.io + name: resourcegroups.resource-group.ten1010.io spec: scope: Cluster names: @@ -9,10 +9,10 @@ spec: plural: resourcegroups singular: resourcegroup shortNames: - - rgrp - group: ten1010.io + - rgroup + group: resource-group.ten1010.io versions: - - name: v1 + - name: v1beta1 served: true storage: true additionalPrinterColumns: @@ -22,12 +22,6 @@ spec: - name: NAMESPACES type: string jsonPath: .spec.namespaces - - name: EXCEPTIONS.DAEMONSETS - type: string - jsonPath: .spec.exceptions.daemonSets - - name: SUBJECTS - type: string - jsonPath: .spec.subjects subresources: status: {} schema: @@ -52,7 +46,7 @@ spec: items: type: string default: [] - exceptions: + daemonSet: type: object properties: daemonSets: @@ -68,7 +62,8 @@ spec: name: type: string default: [] - default: {} + default: + daemonSets: [] subjects: type: array items: diff --git a/helm/templates/role.yaml b/helm/templates/role.yaml deleted file mode 100644 index e4b26c57..00000000 
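Review bot: The rule near the end, `- apiGroups: [ "ten1010.io" ] resources: [ "resourcegroups" ] verbs: [ "get" ]`, still names the old API group while the first rule and the CRD in this same patch use `resource-group.ten1010.io`; unless the old group is deliberately kept for migration, the entry grants nothing that exists and hides that the reconciled roles get only `get` on the new group. Change it to `- apiGroups: [ "resource-group.ten1010.io" ]`, or drop it, since the first rule already covers get/watch/list.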
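Review bot: Renaming the CRD from `resourcegroups.ten1010.io` to `resourcegroups.resource-group.ten1010.io` (and the served version from `v1` to `v1beta1`) defines a new, unrelated CRD; on an existing release `helm upgrade` removes the old one as it does any resource that leaves the manifest, and deleting a CRD deletes every ResourceGroup stored under it. If any cluster already runs the chart from PATCH 4/6, ship a migration step that re-creates the objects under the new group before the upgrade, and flag the change as breaking in Chart.yaml or the README. Moving the version backwards from `v1` to `v1beta1` also deserves a line of explanation, since clients pinned to `v1` stop working.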
--- a/helm/templates/role.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: resource-group-controller.ten1010.io -rules: - - apiGroups: ["ten1010.io"] - resources: ["resourcegroups"] - verbs: ["get", "watch", "list"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "watch", "list", "update", "delete"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "watch", "list", "update"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles"] - verbs: ["create", "get", "watch", "list", "update", "delete"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["rolebindings"] - verbs: ["create", "get", "watch", "list", "update", "delete"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles"] - verbs: ["create", "get", "watch", "list", "update", "delete"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterrolebindings"] - verbs: ["create", "get", "watch", "list", "update", "delete"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["get", "watch", "list", "update"] - - ### Needed to reconcile resource group role ### - - apiGroups: [""] - resources: ["pods", "services", "configmaps", "secrets", "persistentvolumeclaims", "serviceaccounts", "limitranges", "events"] - verbs: ["*"] - - apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["*"] - - apiGroups: ["batch"] - resources: ["jobs", "cronjobs"] - verbs: ["*"] - - apiGroups: ["apps"] - resources: ["deployments", "statefulsets"] - verbs: ["*"] - - apiGroups: ["autoscaling"] - resources: ["horizontalpodautoscalers"] - verbs: ["*"] - - apiGroups: ["policy"] - resources: ["poddisruptionbudgets"] - verbs: ["*"] - - apiGroups: ["ten1010.io"] - resources: ["resourcegroups"] - verbs: ["get"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get"] ---- -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: resource-group-controller.ten1010.io -subjects: - - kind: ServiceAccount - namespace: {{ .Release.Namespace }} - name: resource-group-controller -roleRef: - kind: ClusterRole - name: resource-group-controller.ten1010.io - apiGroup: rbac.authorization.k8s.io ---- diff --git a/helm/templates/serviceaccount.yaml b/helm/templates/service-account.yaml similarity index 100% rename from helm/templates/serviceaccount.yaml rename to helm/templates/service-account.yaml