Merge pull request #15 from appuio/feat/api-server-deploy

Add control-API sample deployment
appuio · Jan 10, 2022 · cdde5ec · cdde5ec
2 parents f7008bc + 3512e46
commit cdde5ec
Show file tree

Hide file tree

Showing 16 changed files with 164 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -15,4 +15,4 @@ COPY control-api /usr/local/bin/
 
 RUN chmod a+x /usr/local/bin/control-api
 
-USER 65532
+USER 65532:0
diff --git a/Makefile b/Makefile
@@ -32,7 +32,7 @@ generate: ## Generate manifests e.g. CRD, RBAC etc.
 	# Generate code
 	go run sigs.k8s.io/controller-tools/cmd/controller-gen object paths="./..."
 	# Generate CRDs
-	go run sigs.k8s.io/controller-tools/cmd/controller-gen rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=$(CRD_ROOT_DIR)/v1/base crd:crdVersions=v1
+	go run sigs.k8s.io/controller-tools/cmd/controller-gen rbac:roleName=control-api webhook paths="./..." output:crd:artifacts:config=$(CRD_ROOT_DIR)/v1/base crd:crdVersions=v1
 
 .PHONY: crd
 crd: generate ## Generate CRD to file

diff --git a/apis/organization/v1/organization_types.go b/apis/organization/v1/organization_types.go
@@ -8,6 +8,8 @@ import (
 	"sigs.k8s.io/apiserver-runtime/pkg/builder/resource"
 )
 
+// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create;delete;update
+
 var (
 	// TypeKey is the label key to identify organization namespaces
 	TypeKey = "appuio.io/resource.type"

diff --git a/apiserver/organization/organization.go b/apiserver/organization/organization.go
@@ -18,6 +18,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch,resourceNames=extension-apiserver-authentication
+// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch
+// +kubebuilder:rbac:groups="flowcontrol.apiserver.k8s.io",resources=prioritylevelconfigurations;flowschemas,verbs=get;list;watch
+
 // New returns a new storage provider for Organizations
 func New() restbuilder.ResourceHandlerProvider {
 	return func(s *runtime.Scheme, g genericregistry.RESTOptionsGetter) (rest.Storage, error) {

diff --git a/config/deployment/apiservice.yaml b/config/deployment/apiservice.yaml
@@ -0,0 +1,14 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1.organization.appuio.io
+spec:
+  insecureSkipTLSVerify: true
+  group: organization.appuio.io
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: apiserver
+    namespace: control-api
+  version: v1
+
diff --git a/config/deployment/deployment.yaml b/config/deployment/deployment.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: control-api
+  namespace: control-api
+  labels:
+    app: control-api
+spec:
+  selector:
+    matchLabels:
+      app: control-api
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: control-api
+    spec:
+      serviceAccountName: control-api
+      containers:
+      - name: apiserver
+        image: ghcr.io/appuio/control-api:latest
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 9443
+        args:
+        - "--cert-dir=/apiserver.local.config/certificates"
+        - "--secure-port=9443"
+        - "--feature-gates=APIPriorityAndFairness=false"
+        volumeMounts:
+        - name: apiserver-certs
+          mountPath: /apiserver.local.config/certificates
+        resources:
+          requests:
+            cpu: 100m
+            memory: 20Mi
+          limits:
+            cpu: 100m
+            memory: 30Mi
+      volumes:
+      - name: apiserver-certs
+        emptyDir: {}
diff --git a/config/deployment/kustomization.yaml b/config/deployment/kustomization.yaml
@@ -0,0 +1,8 @@
+namespace: control-api
+
+resources:
+- ../namespace
+- ../rbac
+- deployment.yaml
+- service.yaml
+- apiservice.yaml
diff --git a/config/deployment/service.yaml b/config/deployment/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: apiserver
+  namespace: control-api
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    app: control-api
diff --git a/config/namespace/kustomization.yaml b/config/namespace/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- namespace.yaml
diff --git a/config/namespace/namespace.yaml b/config/namespace/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: control-api
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- role.yaml
+- role_binding.yaml
+- role_binding_auth_delegator.yaml
+- service_account.yaml
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -4,8 +4,38 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   creationTimestamp: null
-  name: manager-role
+  name: control-api
 rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - extension-apiserver-authentication
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -15,3 +45,12 @@ rules:
   - get
   - list
   - update
+- apiGroups:
+  - flowcontrol.apiserver.k8s.io
+  resources:
+  - flowschemas
+  - prioritylevelconfigurations
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: control-api
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: control-api
+subjects:
+- kind: ServiceAccount
+  name: control-api
+  namespace: control-api
diff --git a/config/rbac/role_binding_auth_delegator.yaml b/config/rbac/role_binding_auth_delegator.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: control-api-auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: control-api
+  namespace: control-api
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: control-api
+  namespace: control-api
diff --git a/local-env/setup-kind.sh b/local-env/setup-kind.sh
@@ -86,6 +86,7 @@ kubectl config set-credentials oidc-user \
   --exec-arg=--oidc-extra-scope="email offline_access profile openid"
 kubectl config set-context --current --user=oidc-user
 kubectl apply -k "${script_dir}/../config/crd/apiextensions.k8s.io/v1"
+kubectl apply -k "${script_dir}/../config/deployment"
 
 echo =======
 echo "Setup finished. To interact with the local dev cluster, set the KUBECONFIG environment variable as follows:"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -15,4 +15,4 @@ COPY control-api /usr/local/bin/

		RUN chmod a+x /usr/local/bin/control-api

		USER 65532
		USER 65532:0