Add deployment config to metal-provider (#433)

* Add deployment config to IRI machine provider * Rename irimachineprovider to metal-provider
aobort · Feb 1, 2024 · 42d99d4 · 42d99d4
1 parent 8d9d31b
commit 42d99d4
Show file tree

Hide file tree

Showing 24 changed files with 486 additions and 15 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -16,7 +16,7 @@ updates:
       interval: "daily"
     open-pull-requests-limit: 10
   - package-ecosystem: "docker"
-    directory: "/irimachineprovider"
+    directory: "/metal-provider"
     schedule:
       interval: "daily"
     open-pull-requests-limit: 10
diff --git a/...ows/publish-docker-irimachineprovider.yml → ...rkflows/publish-docker-metal-provider.yml b/...ows/publish-docker-irimachineprovider.yml → ...rkflows/publish-docker-metal-provider.yml
@@ -63,7 +63,7 @@ jobs:
         timeout-minutes: 40
         uses: docker/build-push-action@v5
         with:
-          file: irimachineprovider/Dockerfile
+          file: metal-provider/Dockerfile
           context: .
           platforms: ${{ env.platforms }}
           push: true

diff --git a/irimachineprovider/Dockerfile → metal-provider/Dockerfile b/irimachineprovider/Dockerfile → metal-provider/Dockerfile
@@ -12,9 +12,9 @@ RUN --mount=type=ssh --mount=type=secret,id=github_pat GITHUB_PAT_PATH=/run/secr
 
 COPY apis/ apis/
 COPY applyconfiguration/ applyconfiguration/
-COPY irimachineprovider/ irimachineprovider/
+COPY metal-provider/ metal-provider/
 COPY pkg/ pkg/
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} go build -a -o /metal-provider irimachineprovider/main.go
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} go build -a -o /metal-provider metal-provider/main.go
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /

diff --git a/metal-provider/config/default/kustomization.yaml b/metal-provider/config/default/kustomization.yaml
@@ -0,0 +1,10 @@
+namespace: metal-provider-system
+
+namePrefix: metal-provider-
+
+bases:
+- ../rbac
+- ../manager
+
+patchesStrategicMerge:
+- manager_auth_proxy_patch.yaml
diff --git a/metal-provider/config/default/manager_auth_proxy_patch.yaml b/metal-provider/config/default/manager_auth_proxy_patch.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - "ALL"
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=0"
+        ports:
+        - containerPort: 8443
+          protocol: TCP
+          name: https
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 5m
+            memory: 64Mi
+      - name: manager
+        args:
+        - "--health-probe-bind-address=:8081"
+        - "--metrics-bind-address=127.0.0.1:8080"
+        - "--leader-elect"
diff --git a/metal-provider/config/manager/kustomization.yaml b/metal-provider/config/manager/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- manager.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
diff --git a/metal-provider/config/manager/manager.yaml b/metal-provider/config/manager/manager.yaml
@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: metal-provider
+      labels:
+        control-plane: controller-manager
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - command:
+        - /metal-provier
+        args:
+        - --leader-elect
+        image: metal-provider:latest
+        name: metal-provider
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - "ALL"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 10m
+            memory: 64Mi
+      - command:
+        - /machinepoollet
+        args:
+        - --leader-elect
+        image: machinepoollet:latest
+        name: machinepoollet
+        securityContext:
+          allowPrivilegeEscalation: false
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        volumeMounts:
+        - mountPath: /var/run
+          name: var-run
+      serviceAccountName: controller-manager
+      terminationGracePeriodSeconds: 10
+      volumes:
+        - name: var-run
+          emptyDir: { }
diff --git a/metal-provider/config/rbac/auth_proxy_client_clusterrole.yaml b/metal-provider/config/rbac/auth_proxy_client_clusterrole.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metrics-reader
+rules:
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get
diff --git a/metal-provider/config/rbac/auth_proxy_role.yaml b/metal-provider/config/rbac/auth_proxy_role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: proxy-role
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
diff --git a/metal-provider/config/rbac/auth_proxy_role_binding.yaml b/metal-provider/config/rbac/auth_proxy_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system
diff --git a/metal-provider/config/rbac/auth_proxy_service.yaml b/metal-provider/config/rbac/auth_proxy_service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
+  selector:
+    control-plane: controller-manager
diff --git a/metal-provider/config/rbac/kustomization.yaml b/metal-provider/config/rbac/kustomization.yaml
@@ -0,0 +1,10 @@
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
diff --git a/metal-provider/config/rbac/leader_election_role.yaml b/metal-provider/config/rbac/leader_election_role.yaml
@@ -0,0 +1,37 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
diff --git a/metal-provider/config/rbac/leader_election_role_binding.yaml b/metal-provider/config/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system
diff --git a/metal-provider/config/rbac/oob_editor_role.yaml b/metal-provider/config/rbac/oob_editor_role.yaml
@@ -0,0 +1,24 @@
+# permissions for end users to edit oobs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: oob-editor-role
+rules:
+- apiGroups:
+  - onmetal.de
+  resources:
+  - oobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - onmetal.de
+  resources:
+  - oobs/status
+  verbs:
+  - get
diff --git a/metal-provider/config/rbac/oob_viewer_role.yaml b/metal-provider/config/rbac/oob_viewer_role.yaml
@@ -0,0 +1,20 @@
+# permissions for end users to view oobs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: oob-viewer-role
+rules:
+- apiGroups:
+  - onmetal.de
+  resources:
+  - oobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - onmetal.de
+  resources:
+  - oobs/status
+  verbs:
+  - get