airship/treasuremap
Code Issues Proposed changes

Add SyncLabelller functions to target/workload phase

Browse Source 
Change-Id: I059c6262999df273cceb7c7652b74f3f524b60ba
This commit is contained in:
digambar 2021-04-12 09:06:31 +00:00
parent 87a82989b6
commit 0e25e9bfb2
33 changed files with 657 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
manifests/function/synclabeller/Kptfile Normal file
View File

@ -0,0 +1,23 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
dependencies:
- name: upstream/crd
git:
repo: "https://github.com/airshipit/synclabeller"
directory: "config/crd"
ref: "72766d8519e064ffeacb44ddb9afa85c994907ee"
- name: upstream/default
git:
repo: "https://github.com/airshipit/synclabeller"
directory: "config/default"
ref: "72766d8519e064ffeacb44ddb9afa85c994907ee"
- name: upstream/manager
git:
repo: "https://github.com/airshipit/synclabeller"
directory: "config/manager"
ref: "72766d8519e064ffeacb44ddb9afa85c994907ee"
- name: upstream/rbac
git:
repo: "https://github.com/airshipit/synclabeller"
directory: "config/rbac"
ref: "72766d8519e064ffeacb44ddb9afa85c994907ee"

4
manifests/function/synclabeller/kustomization.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- upstream/default

2
manifests/function/synclabeller/replacements/kustomization.yaml Normal file
View File

@ -0,0 +1,2 @@
resources:
- versions.yaml

29
manifests/function/synclabeller/replacements/versions.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: airshipit.org/v1alpha1
kind: ReplacementTransformer
metadata:
name: synclabeller-versions-replacements
annotations:
config.kubernetes.io/function: |-
container:
image: quay.io/airshipit/replacement-transformer:latest
replacements:
- source:
objref:
kind: VariableCatalogue
name: versions-treasuremap
fieldref: "{.spec.images.synclabeller.manager}"
target:
objref:
kind: Deployment
name: synclabeller-controller-manager
fieldrefs: ["{.spec.template.spec.containers[?(.name == 'manager')].image}"]
- source:
objref:
kind: VariableCatalogue
name: versions-treasuremap
fieldref: "{.spec.images.synclabeller.kube-rbac-proxy}"
target:
objref:
kind: Deployment
name: synclabeller-controller-manager
fieldrefs: ["{.spec.template.spec.containers[?(.name == 'kube-rbac-proxy')].image}"]

11
manifests/function/synclabeller/upstream/crd/Kptfile Normal file
View File

@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/crd
upstream:
type: git
git:
commit: 72766d8519e064ffeacb44ddb9afa85c994907ee
repo: https://github.com/airshipit/synclabeller
directory: config/crd
ref: 72766d8519e064ffeacb44ddb9afa85c994907ee

56
manifests/function/synclabeller/upstream/crd/bases/airship.airshipit.org_metal3labelsyncs.yaml Normal file
View File

@ -0,0 +1,56 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: metal3labelsyncs.airship.airshipit.org
spec:
group: airship.airshipit.org
names:
kind: Metal3LabelSync
listKind: Metal3LabelSyncList
plural: metal3labelsyncs
singular: metal3labelsync
scope: Namespaced
validation:
openAPIV3Schema:
description: Metal3LabelSync is the Schema for the metal3labelsyncs API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Metal3LabelSyncSpec defines the desired state of Metal3LabelSync
properties:
foo:
description: Foo is an example field of Metal3LabelSync. Edit Metal3LabelSync_types.go
to remove/update
type: string
type: object
status:
description: Metal3LabelSyncStatus defines the observed state of Metal3LabelSync
type: object
type: object
version: v1
versions:
- name: v1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

21
manifests/function/synclabeller/upstream/crd/kustomization.yaml Normal file
View File

@ -0,0 +1,21 @@
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/airship.airshipit.org_metal3labelsyncs.yaml
# +kubebuilder:scaffold:crdkustomizeresource
patchesStrategicMerge:
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
# patches here are for enabling the conversion webhook for each CRD
#- patches/webhook_in_metal3labelsyncs.yaml
# +kubebuilder:scaffold:crdkustomizewebhookpatch
# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
#- patches/cainjection_in_metal3labelsyncs.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml

17
manifests/function/synclabeller/upstream/crd/kustomizeconfig.yaml Normal file
View File

@ -0,0 +1,17 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/name
namespace:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations

8
manifests/function/synclabeller/upstream/crd/patches/cainjection_in_metal3labelsyncs.yaml Normal file
View File

@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: metal3labelsyncs.airship.airshipit.org

17
manifests/function/synclabeller/upstream/crd/patches/webhook_in_metal3labelsyncs.yaml Normal file
View File

@ -0,0 +1,17 @@
# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: metal3labelsyncs.airship.airshipit.org
spec:
conversion:
strategy: Webhook
webhookClientConfig:
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: system
name: webhook-service
path: /convert

11
manifests/function/synclabeller/upstream/default/Kptfile Normal file
View File

@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/default
upstream:
type: git
git:
commit: 72766d8519e064ffeacb44ddb9afa85c994907ee
repo: https://github.com/airshipit/synclabeller
directory: config/default
ref: 72766d8519e064ffeacb44ddb9afa85c994907ee

70
manifests/function/synclabeller/upstream/default/kustomization.yaml Normal file
View File

@ -0,0 +1,70 @@
# Adds namespace to all resources.
namespace: synclabeller-system
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: synclabeller-
# Labels to add to all resources and selectors.
#commonLabels:
# someName: someValue
bases:
- ../crd
- ../rbac
- ../manager
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- ../webhook
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
#- ../certmanager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
patchesStrategicMerge:
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- manager_webhook_patch.yaml
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
# 'CERTMANAGER' needs to be enabled to use ca injection
#- webhookcainjection_patch.yaml
# the following config is for teaching kustomize how to do var substitution
vars:
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1alpha2
# name: serving-cert # this name should match the one in certificate.yaml
# fieldref:
# fieldpath: metadata.namespace
#- name: CERTIFICATE_NAME
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1alpha2
# name: serving-cert # this name should match the one in certificate.yaml
#- name: SERVICE_NAMESPACE # namespace of the service
# objref:
# kind: Service
# version: v1
# name: webhook-service
# fieldref:
# fieldpath: metadata.namespace
#- name: SERVICE_NAME
# objref:
# kind: Service
# version: v1
# name: webhook-service

25
manifests/function/synclabeller/upstream/default/manager_auth_proxy_patch.yaml Normal file
View File

@ -0,0 +1,25 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
name: https
- name: manager
args:
- "--metrics-addr=127.0.0.1:8080"
- "--enable-leader-election"

23
manifests/function/synclabeller/upstream/default/manager_webhook_patch.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert

15
manifests/function/synclabeller/upstream/default/webhookcainjection_patch.yaml Normal file
View File

@ -0,0 +1,15 @@
# This patch add annotation to admission webhook config and
# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

11
manifests/function/synclabeller/upstream/manager/Kptfile Normal file
View File

@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/manager
upstream:
type: git
git:
commit: 72766d8519e064ffeacb44ddb9afa85c994907ee
repo: https://github.com/airshipit/synclabeller
directory: config/manager
ref: 72766d8519e064ffeacb44ddb9afa85c994907ee

8
manifests/function/synclabeller/upstream/manager/kustomization.yaml Normal file
View File

@ -0,0 +1,8 @@
resources:
- manager.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: controller
newName: digambarpat/synclabeller
newTag: latest

32
manifests/function/synclabeller/upstream/manager/manager.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
labels:
control-plane: controller-manager
spec:
containers:
- command:
- /manager
args:
- --enable-leader-election
image: digambarpat/synclabeller:latest
name: manager
resources:
limits:
cpu: 100m
memory: 30Mi
requests:
cpu: 100m
memory: 20Mi
terminationGracePeriodSeconds: 10

11
manifests/function/synclabeller/upstream/rbac/Kptfile Normal file
View File

@ -0,0 +1,11 @@
IapiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/rbac
upstream:
type: git
git:
commit: 72766d8519e064ffeacb44ddb9afa85c994907ee
repo: https://github.com/airshipit/synclabeller
directory: config/rbac
ref: 72766d8519e064ffeacb44ddb9afa85c994907ee

7
manifests/function/synclabeller/upstream/rbac/auth_proxy_client_clusterrole.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: metrics-reader
rules:
- nonResourceURLs: ["/metrics"]
verbs: ["get"]

13
manifests/function/synclabeller/upstream/rbac/auth_proxy_role.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: proxy-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]

12
manifests/function/synclabeller/upstream/rbac/auth_proxy_role_binding.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: default
namespace: system

14
manifests/function/synclabeller/upstream/rbac/auth_proxy_service.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
namespace: system
spec:
ports:
- name: https
port: 8443
targetPort: https
selector:
control-plane: controller-manager

12
manifests/function/synclabeller/upstream/rbac/kustomization.yaml Normal file
View File

@ -0,0 +1,12 @@
resources:
- role.yaml
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml

32
manifests/function/synclabeller/upstream/rbac/leader_election_role.yaml Normal file
View File

@ -0,0 +1,32 @@
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create

12
manifests/function/synclabeller/upstream/rbac/leader_election_role_binding.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: default
namespace: system

24
manifests/function/synclabeller/upstream/rbac/metal3labelsync_editor_role.yaml Normal file
View File

@ -0,0 +1,24 @@
# permissions for end users to edit metal3labelsyncs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: metal3labelsync-editor-role
rules:
- apiGroups:
- airship.airshipit.org
resources:
- metal3labelsyncs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- airship.airshipit.org
resources:
- metal3labelsyncs/status
verbs:
- get

20
manifests/function/synclabeller/upstream/rbac/metal3labelsync_viewer_role.yaml Normal file
View File

@ -0,0 +1,20 @@
# permissions for end users to view metal3labelsyncs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: metal3labelsync-viewer-role
rules:
- apiGroups:
- airship.airshipit.org
resources:
- metal3labelsyncs
verbs:
- get
- list
- watch
- apiGroups:
- airship.airshipit.org
resources:
- metal3labelsyncs/status
verbs:
- get

100
manifests/function/synclabeller/upstream/rbac/role.yaml Normal file
View File

@ -0,0 +1,100 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- cluster.x-k8s.io
resources:
- clusters
verbs:
- get
- list
- watch
- apiGroups:
- cluster.x-k8s.io
resources:
- clusters/status
verbs:
- get
- list
- watch
- apiGroups:
- cluster.x-k8s.io
resources:
- machines
- machines/status
verbs:
- get
- list
- watch
- apiGroups:
- infrastructure.cluster.x-k8s.io
resources:
- metal3clusters
verbs:
- get
- list
- watch
- apiGroups:
- infrastructure.cluster.x-k8s.io
resources:
- metal3clusters/status
verbs:
- get
- apiGroups:
- infrastructure.cluster.x-k8s.io
resources:
- metal3machines
verbs:
- get
- list
- watch
- apiGroups:
- infrastructure.cluster.x-k8s.io
resources:
- metal3machines/status
verbs:
- get
- apiGroups:
- metal3.io
resources:
- baremetalhosts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- metal3.io
resources:
- baremetalhosts/status
verbs:
- get
- patch
- update

12
manifests/function/synclabeller/upstream/rbac/role_binding.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: default
namespace: system

3
manifests/function/treasuremap-base-catalogues/versions-treasuremap.yaml
View File

@ -113,3 +113,6 @@ spec:
kube-rbac-proxy: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
libvirt: quay.io/airshipit/libvirt
manager: quay.io/airshipit/vino:6480ddc3ba98fba21fd692b8489adb0177abb8b5
synclabeller:
kube-rbac-proxy: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
manager: quay.io/airshipit/synclabeller:72766d8519e064ffeacb44ddb9afa85c994907ee

1
manifests/site/virtual-network-cloud/target/workload/kustomization.yaml
View File

@ -4,4 +4,5 @@ resources:
transformers:
- ../../../../function/ingress/replacements
- ../../../../function/sip/replacements
- ../../../../function/synclabeller/replacements
- ../../../../function/vino/replacements

1
manifests/type/multi-tenant/target/workload/kustomization.yaml
View File

@ -1,5 +1,6 @@
resources:
- ../../../airship-core/target/workload
- ../../../../function/sip
- ../../../../function/synclabeller
- ../../../../function/vino
#- network-policy