From 75d39c5d0d2177ca86f04387139f83fc6e15d3b3 Mon Sep 17 00:00:00 2001
From: D074096
Date: Fri, 15 Nov 2024 16:56:36 +0100
Subject: [PATCH] Add boot-operator-remote chart
---
 system/Makefile | 15 +
 system/boot-operator-remote/.helmignore | 23 +
 system/boot-operator-remote/Chart.yaml | 21 +
 .../managedresources/kustomize.yaml | 463 ++++++++++++++++++
 .../templates/_helpers.tpl | 62 +++
 .../templates/deployment.yaml | 67 +++
 .../templates/managedresource.yaml | 24 +
 .../templates/remote-kubeconfig.yaml | 31 ++
 system/boot-operator-remote/values.yaml | 31 ++
 .../kustomization.yaml | 7 +
 .../boot-operator-remote/kustomization.yaml | 6 +
 .../boot-operator-remote/managedresource.yaml | 24 +
 .../manager-remote-patch.yaml | 35 ++
 .../remote-kubeconfig.yaml | 31 ++
 14 files changed, 840 insertions(+)
 create mode 100644 system/boot-operator-remote/.helmignore
 create mode 100644 system/boot-operator-remote/Chart.yaml
 create mode 100644 system/boot-operator-remote/managedresources/kustomize.yaml
 create mode 100644 system/boot-operator-remote/templates/_helpers.tpl
 create mode 100644 system/boot-operator-remote/templates/deployment.yaml
 create mode 100644 system/boot-operator-remote/templates/managedresource.yaml
 create mode 100644 system/boot-operator-remote/templates/remote-kubeconfig.yaml
 create mode 100644 system/boot-operator-remote/values.yaml
 create mode 100644 system/kustomize/boot-operator-managedresources/kustomization.yaml
 create mode 100644 system/kustomize/boot-operator-remote/kustomization.yaml
 create mode 100644 system/kustomize/boot-operator-remote/managedresource.yaml
 create mode 100644 system/kustomize/boot-operator-remote/manager-remote-patch.yaml
 create mode 100644 system/kustomize/boot-operator-remote/remote-kubeconfig.yaml
diff --git a/system/Makefile b/system/Makefile
index 6e01f35c312..f1524b871a7 100644
--- a/system/Makefile
+++ b/system/Makefile
@@ -139,6 +139,21 @@ build-boot-operator:
 @yq -i '.fullnameOverride="boot-operator"' boot-operator/values.yaml
 @yq -i '.version="1.0.1"' boot-operator/Chart.yaml
+build-boot-operator-remote:
+ @cat kustomize/boot-operator-remote/kustomization.yaml > kustomization.yaml
+ @kubectl kustomize | helmify -crd-dir boot-operator-remote
+ @cp kustomize/boot-operator-remote/remote-kubeconfig.yaml boot-operator-remote/templates
+ @cp kustomize/boot-operator-remote/managedresource.yaml boot-operator-remote/templates
+ @mkdir boot-operator-remote/managedresources
+ @kubectl kustomize kustomize/boot-operator-managedresources > boot-operator-remote/managedresources/kustomize.yaml
+ @yq -i '.controllerManager.manager.image.tag="$(BOOT_OPERATOR_VERSION)"' boot-operator-remote/values.yaml
+ @yq -i '.fullnameOverride="boot-operator"' boot-operator-remote/values.yaml
+ @yq -i '.remote.ca=""' boot-operator-remote/values.yaml
+ @yq -i '.remote.server=""' boot-operator-remote/values.yaml
+ @yq -i '.version="0.1.0"' boot-operator-remote/Chart.yaml
+ @$(SED) -i 's/serviceAccountName.*$$/serviceAccountName: default/g' boot-operator-remote/templates/deployment.yaml
+ @$(SED) -i 's/kind: Role/kind: ClusterRole/g' boot-operator-remote/managedresources/kustomize.yaml
+
 build-ipxe-operator:
 @cat kustomize/ipxe-operator/kustomization.yaml >> kustomization.yaml
 $(call build-chart,ipxe-operator,https://github.com/ironcore-dev/ipxe-operator//config/default,$(IPXE_OPERATOR_VERSION))
diff --git a/system/boot-operator-remote/.helmignore b/system/boot-operator-remote/.helmignore
new file mode 100644
index 00000000000..0e8a0eb36f4
--- /dev/null
+++ b/system/boot-operator-remote/.helmignore
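Review bot: The last `sed`, `s/kind: Role/kind: ClusterRole/g`, also matches `kind: RoleBinding`, so in the generated managedresources/kustomize.yaml the namespaced leader-election Role and RoleBinding become a ClusterRole and ClusterRoleBinding that still carry `namespace: kube-system` in their metadata, and the create/update/delete grant on configmaps and leases in the remote cluster goes from one namespace to cluster-wide. In that output the manager role is already a ClusterRole, so the leader-election pair appears to be the only thing the rewrite changes; if cluster scope is really required, a comment on the `sed` line should say why, otherwise drop it and keep leader election namespaced. Two smaller points: this target writes `kustomization.yaml` with `>` whereas `build-ipxe-operator` appends with `>>`, which is worth a comment if the difference is deliberate, and `mkdir boot-operator-remote/managedresources` has no `-p`, so a second run of the target fails once the directory exists.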
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/system/boot-operator-remote/Chart.yaml b/system/boot-operator-remote/Chart.yaml
new file mode 100644
index 00000000000..6be0d1239ee
--- /dev/null
+++ b/system/boot-operator-remote/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: boot-operator-remote
+description: A Helm chart for Kubernetes
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/system/boot-operator-remote/managedresources/kustomize.yaml b/system/boot-operator-remote/managedresources/kustomize.yaml
new file mode 100644
index 00000000000..d528b2b926a
--- /dev/null
+++ b/system/boot-operator-remote/managedresources/kustomize.yaml 
@@ -0,0 +1,463 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.0 + name: httpbootconfigs.boot.ironcore.dev +spec: + group: boot.ironcore.dev + names: + kind: HTTPBootConfig + listKind: HTTPBootConfigList + plural: httpbootconfigs + singular: httpbootconfig + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: HTTPBootConfig is the Schema for the httpbootconfigs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HTTPBootConfigSpec defines the desired state of HTTPBootConfig + properties: + ignitionSecretRef: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + systemIPs: + items: + type: string + type: array + systemUUID: + type: string + ukiURL: + type: string + type: object + status: + description: HTTPBootConfigStatus defines the observed state of HTTPBootConfig + properties: + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.0 + name: ipxebootconfigs.boot.ironcore.dev +spec: + group: boot.ironcore.dev + names: + kind: IPXEBootConfig + listKind: IPXEBootConfigList + plural: ipxebootconfigs + singular: ipxebootconfig + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IPXEBootConfig is the Schema for the ipxebootconfigs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IPXEBootConfigSpec defines the desired state of IPXEBootConfig + properties: + ignitionSecretRef: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + image: + type: string + initrdURL: + type: string + ipxeScriptSecretRef: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + ipxeServerURL: + type: string + kernelURL: + type: string + squashfsURL: + type: string + systemIPs: + items: + type: string + type: array + systemUUID: + description: 'Important: Run "make" to regenerate code after modifying + this file' + type: string + type: object + status: + description: IPXEBootConfigStatus defines the observed state of IPXEBootConfig + properties: + state: + description: 'Important: Run "make" to regenerate code after modifying + this file' + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: boot-operator + app.kubernetes.io/instance: controller-manager-sa + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/part-of: boot-operator + name: boot-operator-controller-manager + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: boot-operator + app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: role + app.kubernetes.io/part-of: boot-operator + name: boot-operator-leader-election-role + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: boot-operator-manager-role +rules: +- 
apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - boot.ironcore.dev + resources: + - httpbootconfig + - ipxebootconfig + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: + - boot.ironcore.dev + resources: + - httpbootconfig/status + - ipxebootconfig/status + verbs: + - get +- apiGroups: + - boot.ironcore.dev + resources: + - httpbootconfigs + - ipxebootconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - boot.ironcore.dev + resources: + - httpbootconfigs/finalizers + - ipxebootconfigs/finalizers + verbs: + - update +- apiGroups: + - boot.ironcore.dev + resources: + - httpbootconfigs/status + - ipxebootconfigs/status + verbs: + - get + - patch + - update +- apiGroups: + - metal.ironcore.dev + resources: + - serverbootconfigurations + - servers + verbs: + - get + - list + - watch +- apiGroups: + - metal.ironcore.dev + resources: + - serverbootconfigurations/finalizers + verbs: + - update +- apiGroups: + - metal.ironcore.dev + resources: + - serverbootconfigurations/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: boot-operator + app.kubernetes.io/instance: metrics-reader + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: boot-operator + name: boot-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: boot-operator + app.kubernetes.io/instance: proxy-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: boot-operator + name: boot-operator-proxy-role +rules: +- apiGroups: + - 
authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: boot-operator + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: rolebinding + app.kubernetes.io/part-of: boot-operator + name: boot-operator-leader-election-rolebinding + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: boot-operator-leader-election-role +subjects: +- kind: ServiceAccount + name: boot-operator-controller-manager + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: boot-operator + app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/part-of: boot-operator + name: boot-operator-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: boot-operator-manager-role +subjects: +- kind: ServiceAccount + name: boot-operator-controller-manager + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: boot-operator + app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/part-of: boot-operator + name: boot-operator-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: boot-operator-proxy-role +subjects: +- kind: ServiceAccount + name: boot-operator-controller-manager + 
namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: boot-operator + app.kubernetes.io/instance: controller-manager-metrics-service + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: service + app.kubernetes.io/part-of: boot-operator + control-plane: controller-manager + name: boot-operator-controller-manager-metrics-service + namespace: kube-system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager diff --git a/system/boot-operator-remote/templates/_helpers.tpl b/system/boot-operator-remote/templates/_helpers.tpl new file mode 100644 index 00000000000..c7065073a41 --- /dev/null +++ b/system/boot-operator-remote/templates/_helpers.tpl 
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "boot-operator-remote.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "boot-operator-remote.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "boot-operator-remote.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "boot-operator-remote.labels" -}}
+helm.sh/chart: {{ include "boot-operator-remote.chart" . }}
+{{ include "boot-operator-remote.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "boot-operator-remote.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "boot-operator-remote.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "boot-operator-remote.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "boot-operator-remote.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/system/boot-operator-remote/templates/deployment.yaml b/system/boot-operator-remote/templates/deployment.yaml
new file mode 100644
index 00000000000..c7a7bdd4ec8
--- /dev/null
+++ b/system/boot-operator-remote/templates/deployment.yaml
@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "boot-operator-remote.fullname" . }}-controller-manager
+ labels:
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: boot-operator
+ app.kubernetes.io/part-of: boot-operator
+ control-plane: controller-manager
+ {{- include "boot-operator-remote.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.controllerManager.replicas }}
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ {{- include "boot-operator-remote.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ control-plane: controller-manager
+ {{- include "boot-operator-remote.selectorLabels" . | nindent 8 }}
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ spec:
+ containers:
+ - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
+ command:
+ - /manager
+ env:
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ quote .Values.kubernetesClusterDomain }}
+ image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
+ | default .Chart.AppVersion }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8087
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: manager
+ ports:
+ - containerPort: 8082
+ name: ipxe
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8087
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10
+ }}
+ securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
+ | nindent 10 }}
+ volumeMounts:
+ - mountPath: /kubeconfig
+ name: remote-kubeconfig
+ readOnly: true
+ hostNetwork: true
+ securityContext: {{- toYaml .Values.controllerManager.podSecurityContext | nindent
+ 8 }}
+ serviceAccountName: default
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: remote-kubeconfig
+ secret:
+ secretName: boot-operator-remote-kubeconfig
\ No newline at end of file
diff --git a/system/boot-operator-remote/templates/managedresource.yaml b/system/boot-operator-remote/templates/managedresource.yaml
new file mode 100644
index 00000000000..5c066f8d21c
--- /dev/null
+++ b/system/boot-operator-remote/templates/managedresource.yaml
@@ -0,0 +1,24 @@
+apiVersion: resources.gardener.cloud/v1alpha1
+kind: ManagedResource
+metadata:
+ name: {{ include "boot-operator-remote.fullname" . }}-resources
+spec:
+ secretRefs:
+ - name: {{ include "boot-operator-remote.fullname" . }}-resources
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "boot-operator-remote.fullname" . }}-resources
+type: Opaque
+data:
+ # Cannot use .Files.AsSecrets because it would create a map
+ # of "file: base64 data" instead of concatenating the data
+ # and encoding that
+ objects.yaml: |-
+ {{- $combined := "" }}
+ {{- range $path, $_ := .Files.Glob "managedresources/*.yaml" }}
+ {{- $combined = print $combined ($.Files.Get $path) "\n"}}
+ {{- end }}
+ {{- $encoded := $combined | b64enc }}
+ {{ $encoded }}
diff --git a/system/boot-operator-remote/templates/remote-kubeconfig.yaml b/system/boot-operator-remote/templates/remote-kubeconfig.yaml
new file mode 100644
index 00000000000..0c5864797cf
--- /dev/null
+++ b/system/boot-operator-remote/templates/remote-kubeconfig.yaml
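Review bot: The probes hit `port: 8087` while the container's args from values.yaml pass `--health-probe-bind-address=:8081`, so unless the manager serves /healthz and /readyz on 8087 independently of that flag the liveness probe never succeeds and the pod is restarted in a loop. If 8087 was picked to avoid a port clash on the host network, the flag should be `--health-probe-bind-address=:8087`; the mismatch originates in system/kustomize/boot-operator-remote/manager-remote-patch.yaml, which sets both the args and the probe ports, and this generated file and values.yaml inherit it. Separately, `serviceAccountName: default` is kept with token automount on, although the only credential the container is shown using is the mounted `/kubeconfig/kubeconfig` for the remote cluster; adding `automountServiceAccountToken: false` beside `serviceAccountName: default` removes a local-cluster token the pod has no visible need for. Since this file is produced by `kubectl kustomize | helmify` in the Makefile, both fixes belong in the kustomize patch, not here.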
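Review bot: The loop building `objects.yaml` joins files with a bare `"\n"`, so if a second file is ever dropped into managedresources/ and the previous one does not end in `---`, the first document of the next file is appended to the last document of the previous one. Writing the separator explicitly, `{{- $combined = print $combined "---\n" ($.Files.Get $path) "\n"}}`, keeps the glob safe; with the single kustomize.yaml committed today this is latent. The same template exists under system/kustomize/boot-operator-remote/managedresource.yaml, which the Makefile copies over this file, so the change has to be made there.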
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: boot-operator-remote-kubeconfig
+ labels:
+ resources.gardener.cloud/purpose: token-requestor
+ resources.gardener.cloud/class: shoot
+ annotations:
+ serviceaccount.resources.gardener.cloud/name: boot-operator-controller-manager
+ serviceaccount.resources.gardener.cloud/namespace: kube-system
+stringData:
+ kubeconfig: |
+ apiVersion: v1
+ clusters:
+ - cluster:
+ certificate-authority-data: {{ .Values.remote.ca }}
+ server: {{ .Values.remote.server }}
+ name: remote-cluster
+ contexts:
+ - context:
+ cluster: remote-cluster
+ user: boot-operator-controller-manager
+ namespace: kube-system
+ name: remote-cluster
+ current-context: remote-cluster
+ kind: Config
+ preferences: {}
+ users:
+ - name: boot-operator-controller-manager
+ user:
+ token: ""
diff --git a/system/boot-operator-remote/values.yaml b/system/boot-operator-remote/values.yaml
new file mode 100644
index 00000000000..d2bc74d5709
--- /dev/null
+++ b/system/boot-operator-remote/values.yaml
@@ -0,0 +1,31 @@
+controllerManager:
+ manager:
+ args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - --leader-elect
+ - --controllers=httpbootconfig,ipxebootconfig,serverbootconfighttp,serverbootconfigpxe
+ - --kubeconfig=/kubeconfig/kubeconfig
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ image:
+ repository: controller
+ tag: 473ef3e732fffc15e4f1e5215dc73b445d7600ad
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ podSecurityContext:
+ runAsNonRoot: true
+ replicas: 1
+kubernetesClusterDomain: cluster.local
+fullnameOverride: boot-operator
+remote:
+ ca: ""
+ server: ""
diff --git a/system/kustomize/boot-operator-managedresources/kustomization.yaml b/system/kustomize/boot-operator-managedresources/kustomization.yaml
new file mode 100644
index 00000000000..c204f2b9c96
--- /dev/null
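Review bot: `certificate-authority-data: {{ .Values.remote.ca }}` and `server: {{ .Values.remote.server }}` are rendered unguarded and values.yaml ships both as `""`, so a default install yields a kubeconfig with an empty server and no CA that only fails once the manager tries to reach the remote cluster. Using `{{ required "remote.server must be set" .Values.remote.server }}` and the same for `remote.ca` makes `helm install` reject the unset values up front. A comment on `remote.ca` in values.yaml should state that the value is the base64-encoded CA bundle as `certificate-authority-data` expects, not a file path. The identical file under system/kustomize/boot-operator-remote/ is the copy the Makefile installs into templates/, so edit that one.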
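Review bot: `repository: controller` is not a registry-qualified image reference; the rendered `image: controller:<tag>` is resolved by the container runtime against its default registry (typically docker.io/library), so an install that does not override it pulls an image this chart does not control. The Makefile only rewrites `.controllerManager.manager.image.tag` with yq, so either set the repository there as well or document on `repository:` that it must be overridden; whether the parent release already does so is not visible here.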
+++ b/system/kustomize/boot-operator-managedresources/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+namePrefix: boot-operator-
+resources:
+- github.com/ironcore-dev/boot-operator//config/crd
+- github.com/ironcore-dev/boot-operator//config/rbac
diff --git a/system/kustomize/boot-operator-remote/kustomization.yaml b/system/kustomize/boot-operator-remote/kustomization.yaml
new file mode 100644
index 00000000000..e89fd7ffcfd
--- /dev/null
+++ b/system/kustomize/boot-operator-remote/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://github.com/ironcore-dev/boot-operator//config/manager
+patches:
+- path: kustomize/boot-operator-remote/manager-remote-patch.yaml
diff --git a/system/kustomize/boot-operator-remote/managedresource.yaml b/system/kustomize/boot-operator-remote/managedresource.yaml
new file mode 100644
index 00000000000..5c066f8d21c
--- /dev/null
+++ b/system/kustomize/boot-operator-remote/managedresource.yaml
@@ -0,0 +1,24 @@
+apiVersion: resources.gardener.cloud/v1alpha1
+kind: ManagedResource
+metadata:
+ name: {{ include "boot-operator-remote.fullname" . }}-resources
+spec:
+ secretRefs:
+ - name: {{ include "boot-operator-remote.fullname" . }}-resources
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "boot-operator-remote.fullname" . }}-resources
+type: Opaque
+data:
+ # Cannot use .Files.AsSecrets because it would create a map
+ # of "file: base64 data" instead of concatenating the data
+ # and encoding that
+ objects.yaml: |-
+ {{- $combined := "" }}
+ {{- range $path, $_ := .Files.Glob "managedresources/*.yaml" }}
+ {{- $combined = print $combined ($.Files.Get $path) "\n"}}
+ {{- end }}
+ {{- $encoded := $combined | b64enc }}
+ {{ $encoded }}
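Review bot: Neither `github.com/ironcore-dev/boot-operator//config/crd` nor `//config/rbac` carries a `?ref=`, and the same holds for `https://github.com/ironcore-dev/boot-operator//config/manager` in the boot-operator-remote kustomization that follows, so each `make build-boot-operator-remote` fetches the default branch while the image tag is pinned to `$(BOOT_OPERATOR_VERSION)`. The CRDs and RBAC baked into the chart can therefore drift from the pinned image and the build is not reproducible; pin them to the same version, e.g. `- github.com/ironcore-dev/boot-operator//config/crd?ref=<BOOT_OPERATOR_VERSION>` (placeholder), the way `build-chart` takes the version as an argument.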
diff --git a/system/kustomize/boot-operator-remote/manager-remote-patch.yaml b/system/kustomize/boot-operator-remote/manager-remote-patch.yaml
new file mode 100644
index 00000000000..2dbfa1dd0d5
--- /dev/null
+++ b/system/kustomize/boot-operator-remote/manager-remote-patch.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ hostNetwork: true
+ containers:
+ - name: manager
+ args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - --leader-elect
+ - --controllers=httpbootconfig,ipxebootconfig,serverbootconfighttp,serverbootconfigpxe
+ - --kubeconfig=/kubeconfig/kubeconfig
+ livenessProbe:
+ httpGet:
+ port: 8087
+ readinessProbe:
+ httpGet:
+ port: 8087
+ ports:
+ - containerPort: 8082
+ name: ipxe
+ protocol: TCP
+ volumeMounts:
+ - name: remote-kubeconfig
+ mountPath: /kubeconfig
+ readOnly: true
+ volumes:
+ - name: remote-kubeconfig
+ secret:
+ secretName: boot-operator-remote-kubeconfig
diff --git a/system/kustomize/boot-operator-remote/remote-kubeconfig.yaml b/system/kustomize/boot-operator-remote/remote-kubeconfig.yaml
new file mode 100644
index 00000000000..0c5864797cf
--- /dev/null
+++ b/system/kustomize/boot-operator-remote/remote-kubeconfig.yaml
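Review bot: The patch replaces the container's `args` as a whole list (a plain string list has no merge key, so strategic merge substitutes rather than merges it), which means any flag upstream adds to config/manager later is silently dropped on the next version bump; a comment above `args:` saying the list mirrors upstream at the pinned boot-operator version and must be re-checked on bumps would make that visible. `hostNetwork: true` also deserves a one-line comment on why the manager needs the node network, since with it the ipxe port 8082 and the probe port are bound on node interfaces rather than a pod IP.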
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: boot-operator-remote-kubeconfig
+ labels:
+ resources.gardener.cloud/purpose: token-requestor
+ resources.gardener.cloud/class: shoot
+ annotations:
+ serviceaccount.resources.gardener.cloud/name: boot-operator-controller-manager
+ serviceaccount.resources.gardener.cloud/namespace: kube-system
+stringData:
+ kubeconfig: |
+ apiVersion: v1
+ clusters:
+ - cluster:
+ certificate-authority-data: {{ .Values.remote.ca }}
+ server: {{ .Values.remote.server }}
+ name: remote-cluster
+ contexts:
+ - context:
+ cluster: remote-cluster
+ user: boot-operator-controller-manager
+ namespace: kube-system
+ name: remote-cluster
+ current-context: remote-cluster
+ kind: Config
+ preferences: {}
+ users:
+ - name: boot-operator-controller-manager
+ user:
+ token: ""