From cd933018b1e9bb7decd4b041942f086d82582437 Mon Sep 17 00:00:00 2001 From: Artem Torubarov Date: Thu, 13 Nov 2025 12:31:33 +0100 Subject: [PATCH] upgrade ci --- .github/workflows/ci.yml | 105 ++-- test_data/k8s-operator-ci.yaml | 990 +++++++++++++++++---------------- 2 files changed, 558 insertions(+), 537 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2bb91fa2..85ffe43e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,26 +2,25 @@ name: CI on: push: - branches: [ main ] + branches: [main] pull_request: - branches: [ main ] + branches: [main] jobs: - build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v3 -# GO tests - - name: Set up Go - uses: actions/setup-go@v4 - with: - go-version: '1.21' - cache: false + # GO tests + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: "1.21" + cache: false - - name: Fmt - run: | + - name: Fmt + run: | # Run gofmt in "diff" mode to check for unformatted code UNFORMATTED_FILES=$(gofmt -l .) # Check if any files are unformatted 
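Review bot: The workflow still runs with the repository's default GITHUB_TOKEN permissions; nothing in this job (checkout, go build/test, kind dry-runs) needs write access, so a top-level `permissions:` / `  contents: read` block under `name: CI` would make the token read-only for every step, including the third-party actions it invokes. On the same theme, `actions/checkout@v3`, `actions/setup-go@v4` and the other `uses:` references in this file are pinned to mutable major tags rather than a commit SHA, so a tag moved upstream changes what runs here without any diff in this repository; pinning to a full SHA with the tag in a trailing comment is the usual hardening. Quoting `go-version: "1.21"` is the right fix for the float-typing trap and should be kept when the version is next bumped.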
@@ -33,23 +32,23 @@ jobs: else echo "All Go files are properly formatted." fi - - name: Vet - run: go vet ./... + - name: Vet + run: go vet ./... - - name: Test - run: go test ./... + - name: Test + run: go test ./... - - name: golangci-lint - uses: golangci/golangci-lint-action@v3 - with: - version: v1.54 -# Generate example charts - - name: Generate example charts - run: | + - name: golangci-lint + uses: golangci/golangci-lint-action@v3 + with: + version: v1.54 + # Generate example charts + - name: Generate example charts + run: | cat test_data/sample-app.yaml | go run ./cmd/helmify examples/app cat test_data/k8s-operator-kustomize.output | go run ./cmd/helmify examples/operator - - name: Check that chart examples were commited - run: | + - name: Check that chart examples were commited + run: | if [[ -n "$(git status --porcelain)" ]]; then # Capture the list of uncommitted files UNCOMMITTED_FILES=$(git status --porcelain) 
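Review bot: The step name `Check that chart examples were commited` carries a typo that the reindent preserved; since step names are what appear in the Actions log, `- name: Check that chart examples were committed` is worth fixing while the line is being touched. As a matter of style, the helmify invocations use `cat file | go run ./cmd/helmify dir`, where an input redirect (`go run ./cmd/helmify examples/app < test_data/sample-app.yaml`) feeds the same stdin with one fewer process.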
@@ -61,36 +60,36 @@ jobs: else echo "Chart examples generation check passed. No uncommitted changes." fi -# Dry-run generated charts in cluster - - name: Install k8s cluster - uses: helm/kind-action@v1.4.0 - - name: Install certs - run: kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.1/cert-manager.yaml + # Dry-run generated charts in cluster + - name: Install k8s cluster + uses: helm/kind-action@v1.13.0 + - name: Install certs + run: kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.1/cert-manager.yaml - - name: Generate operator ci chart - run: cat test_data/k8s-operator-ci.yaml | go run ./cmd/helmify examples/operator-ci - - name: Fill operator ci secrets - run: sed -i 's/""/"abc"/' ./examples/operator-ci/values.yaml - - name: Dry-run operator in k8s cluster - run: helm template ./examples/operator-ci -n operator-ns --create-namespace | kubectl apply --dry-run=server -f - + - name: Generate operator ci chart + run: cat test_data/k8s-operator-ci.yaml | go run ./cmd/helmify examples/operator-ci + - name: Fill operator ci secrets + run: sed -i 's/""/"abc"/' ./examples/operator-ci/values.yaml + - name: Dry-run operator in k8s cluster + run: helm template ./examples/operator-ci -n operator-ns --create-namespace | kubectl apply --dry-run=server -f - - - name: Generate app chart - run: cat test_data/sample-app.yaml | go run ./cmd/helmify examples/app - - name: Fill app secrets - run: sed -i 's/""/"abc"/' ./examples/app/values.yaml - - name: Dry-run app in k8s cluster - run: helm template ./examples/app -n app-ns --create-namespace | kubectl apply --dry-run=server -f - + - name: Generate app chart + run: cat test_data/sample-app.yaml | go run ./cmd/helmify examples/app + - name: Fill app secrets + run: sed -i 's/""/"abc"/' ./examples/app/values.yaml + - name: Dry-run app in k8s cluster + run: helm template ./examples/app -n app-ns --create-namespace | kubectl apply --dry-run=server -f - -# Validate charts 
with Kubeconform - - name: Install Kubeconform - run: go install github.com/yannh/kubeconform/cmd/kubeconform@v0.6.1 + # Validate charts with Kubeconform + - name: Install Kubeconform + run: go install github.com/yannh/kubeconform/cmd/kubeconform@v0.6.1 - - name: Validate app - run: helm template ./examples/app -n app-ns --create-namespace | kubeconform -schema-location 'https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json' -strict + - name: Validate app + run: helm template ./examples/app -n app-ns --create-namespace | kubeconform -schema-location 'https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json' -strict - - name: Generate operator example chart - run: cat test_data/k8s-operator-kustomize.output | go run ./cmd/helmify examples/operator - - name: Fill operator example secrets - run: sed -i 's/""/"abc"/' ./examples/operator/values.yaml - - name: Validate example operator - run: helm template ./examples/operator -n operator-ns --create-namespace | kubeconform -schema-location 'https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json' -strict + - name: Generate operator example chart + run: cat test_data/k8s-operator-kustomize.output | go run ./cmd/helmify examples/operator + - name: Fill operator example secrets + run: sed -i 's/""/"abc"/' ./examples/operator/values.yaml + - name: Validate example operator + run: helm template ./examples/operator -n operator-ns --create-namespace | kubeconform -schema-location 'https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json' -strict diff --git a/test_data/k8s-operator-ci.yaml b/test_data/k8s-operator-ci.yaml index c488a5bf..17de91ee 100644 --- a/test_data/k8s-operator-ci.yaml +++ b/test_data/k8s-operator-ci.yaml 
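Review bot: The bump to `helm/kind-action@v1.13.0` is not matched by the add-on it runs against: the next step still does `kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.1/cert-manager.yaml`, so a much newer default node image is now paired with a cert-manager release that predates it, and whether those manifests still pass on that Kubernetes version is not something this diff shows. Pinning the node image explicitly (`with:` / `node_image: "<tested kindest/node image>"` under the kind-action step) would make the tested Kubernetes version visible and reproducible, and bumping cert-manager in the same change would keep the two in step. Separately, the cert-manager manifest is fetched at job time with no integrity check, and both `Validate` steps point `-schema-location` at the kubernetes repository's `master` branch, so the validation target can drift between runs without any change here; pinning that URL to a release tag keeps the check deterministic.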
@@ -24,202 +24,219 @@ spec: singular: cephvolume scope: Namespaced versions: - - additionalPrinterColumns: - - description: Ceph RBD pool name - jsonPath: .spec.pool - name: Pool - type: string - - description: Storage type - jsonPath: .status.type - name: Type - type: string - - description: Volume size - jsonPath: .spec.size - name: Size - type: string - - description: Max number of volume I/O operations per second - jsonPath: .status.limits.iops - name: IOPS - type: string - - description: true if volume contains latest type,size spec from Ceph - jsonPath: .status.conditions[?(@.type=="Provided")].status - name: Provided - type: string - - description: true if volume IOPS limits calculated. False indicates error - - check reason for details - jsonPath: .status.conditions[?(@.type=="Calculated")].status - name: Calculated - type: string - - description: true if volume IOPS limits applied to volume. False indicates error - - check reason for details - jsonPath: .status.conditions[?(@.type=="Limited")].status - name: Limited - type: string - - description: latest resource generation - jsonPath: .metadata.generation - name: gen - type: string - - description: latest observed generation of Limited condition - jsonPath: .status.conditions[?(@.type=="Limited")].observedGeneration - name: Lim-gen - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: CephVolume represents Ceph RBD volume - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CephVolumeSpec defines the desired state of CephVolume - properties: - pool: - description: Pool - volume pool name - type: string - size: - anyOf: - - type: integer - - type: string - description: Size - volume size - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - status: - description: CephVolumeStatus defines the observed state of CephVolume - properties: - conditions: - description: 'Conditions represent the latest available observations - of an object''s state Known .status.conditions.type are: "Provided". - "Calculated", "Limited"' - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" + - additionalPrinterColumns: + - description: Ceph RBD pool name + jsonPath: .spec.pool + name: Pool + type: string + - description: Storage type + jsonPath: .status.type + name: Type + type: string + - description: Volume size + jsonPath: .spec.size + name: Size + type: string + - description: Max number of volume I/O operations per second + jsonPath: .status.limits.iops + name: IOPS + type: string + - description: true if volume contains latest type,size spec from Ceph + jsonPath: .status.conditions[?(@.type=="Provided")].status + name: Provided + type: string + - description: + true if volume IOPS limits calculated. False indicates error - + check reason for details + jsonPath: .status.conditions[?(@.type=="Calculated")].status + name: Calculated + type: string + - description: + true if volume IOPS limits applied to volume. False indicates error + - check reason for details + jsonPath: .status.conditions[?(@.type=="Limited")].status + name: Limited + type: string + - description: latest resource generation + jsonPath: .metadata.generation + name: gen + type: string + - description: latest observed generation of Limited condition + jsonPath: .status.conditions[?(@.type=="Limited")].observedGeneration + name: Lim-gen + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: CephVolume represents Ceph RBD volume + properties: + apiVersion: + description: + "APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: + "Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + type: object + spec: + description: CephVolumeSpec defines the desired state of CephVolume + properties: + pool: + description: Pool - volume pool name + type: string + size: + anyOf: + - type: integer + - type: string + description: Size - volume size + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + status: + description: CephVolumeStatus defines the observed state of CephVolume + properties: + conditions: + description: + 'Conditions represent the latest available observations + of an object''s state Known .status.conditions.type are: "Provided". + "Calculated", "Limited"' + items: + description: + "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: + lastTransitionTime is the last time the condition + transitioned from one status to another. 
This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: + message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: + observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: + reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: + type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + limits: + description: Limits represent calculated IOPS limits properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + iops: + description: + IOPS - desired limit of IO operations per second. + See Ceph rbd_qos_iops_limit property. + format: int64 + minimum: 0 + type: integer + iopsBurst: + description: + IOPSBurst - desired burst limit of IO operations. + See Ceph rbd_qos_iops_burst property. + format: int64 + minimum: 0 + type: integer + readIOPS: + description: + ReadIOPS - desired limit of read operations per second. + See Ceph rbd_qos_read_iops_limit property. + format: int64 + minimum: 0 + type: integer + readIOPSBurst: + description: + ReadIOPSBurst - desired burst limit of read operations. + See Ceph rbd_qos_read_iops_burst property. + format: int64 + minimum: 0 + type: integer + writeIOPS: + description: + WriteIOPS - desired limit of write operations per + second. 
See Ceph rbd_qos_write_iops_limit property + format: int64 + minimum: 0 + type: integer + writeIOPSBurst: + description: + WriteIOPSBurst - desired burst limit of write operations. + See Ceph rbd_qos_write_iops_burst property. format: int64 minimum: 0 type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type type: object - type: array - limits: - description: Limits represent calculated IOPS limits - properties: - iops: - description: IOPS - desired limit of IO operations per second. - See Ceph rbd_qos_iops_limit property. - format: int64 - minimum: 0 - type: integer - iopsBurst: - description: IOPSBurst - desired burst limit of IO operations. - See Ceph rbd_qos_iops_burst property. - format: int64 - minimum: 0 - type: integer - readIOPS: - description: ReadIOPS - desired limit of read operations per second. 
- See Ceph rbd_qos_read_iops_limit property. - format: int64 - minimum: 0 - type: integer - readIOPSBurst: - description: ReadIOPSBurst - desired burst limit of read operations. - See Ceph rbd_qos_read_iops_burst property. - format: int64 - minimum: 0 - type: integer - writeIOPS: - description: WriteIOPS - desired limit of write operations per - second. See Ceph rbd_qos_write_iops_limit property - format: int64 - minimum: 0 - type: integer - writeIOPSBurst: - description: WriteIOPSBurst - desired burst limit of write operations. - See Ceph rbd_qos_write_iops_burst property. - format: int64 - minimum: 0 - type: integer - type: object - type: - description: Type - volume storage type. See StorageType CRD. - type: string - required: - - conditions - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: + description: Type - volume storage type. See StorageType CRD. + type: string + required: + - conditions + type: object + type: object + served: true + storage: true + subresources: + status: {} status: acceptedNames: kind: "" 
@@ -243,64 +260,67 @@ spec: singular: manifestcephvolume scope: Namespaced versions: - - additionalPrinterColumns: - - description: Ceph RBD pool name - jsonPath: .spec.poolName - name: PoolName - type: string - - description: Sync interval in seconds - jsonPath: .spec.interval - name: Interval - type: string - - description: Last update time - jsonPath: .status.lastUpdate - name: LastUpdate - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ManifestCephVolume monitors given ceph pool and manifests containing - volumes as CephVolume CR - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ManifestCephVolumeSpec defines the desired state of ManifestCephVolume - properties: - interval: - description: Interval - Ceph pool polling interval - format: int32 - minimum: 60 - type: integer - poolName: - description: PoolName name of Ceph RBD pool to get volumes - type: string - required: - - interval - type: object - status: - description: ManifestCephVolumeStatus defines the observed state of ManifestCephVolume - properties: - lastUpdate: - description: LastUpdate - time of last successful volumes update - format: date-time - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} + - additionalPrinterColumns: + - description: Ceph RBD pool name + jsonPath: .spec.poolName + name: PoolName + type: string + - description: Sync interval in seconds + jsonPath: .spec.interval + name: Interval + type: string + - description: Last update time + jsonPath: .status.lastUpdate + name: LastUpdate + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: + ManifestCephVolume monitors given ceph pool and manifests containing + volumes as CephVolume CR + properties: + apiVersion: + description: + "APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: + "Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + type: object + spec: + description: ManifestCephVolumeSpec defines the desired state of ManifestCephVolume + properties: + interval: + description: Interval - Ceph pool polling interval + format: int32 + minimum: 60 + type: integer + poolName: + description: PoolName name of Ceph RBD pool to get volumes + type: string + required: + - interval + type: object + status: + description: ManifestCephVolumeStatus defines the observed state of ManifestCephVolume + properties: + lastUpdate: + description: LastUpdate - time of last successful volumes update + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} status: acceptedNames: kind: "" @@ -322,37 +342,37 @@ metadata: name: my-operator-leader-election-role namespace: my-operator-system rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -361,11 +381,11 @@ metadata: name: my-operator-manager-aggregated-role aggregationRule: clusterRoleSelectors: - - matchExpressions: - - key: app.kubernetes.io/instance - operator: In - values: - - my-operator + - matchExpressions: + - key: app.kubernetes.io/instance + operator: In + values: + - my-operator rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 
@@ -374,114 +394,114 @@ metadata: creationTimestamp: null name: my-operator-manager-role rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - get -- apiGroups: - - test.example.com - resources: - - cephvolumes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - test.example.com - resources: - - cephvolumes/finalizers - verbs: - - update -- apiGroups: - - test.example.com - resources: - - cephvolumes/status - verbs: - - get - - patch - - update -- apiGroups: - - test.example.com - resources: - - manifestcephvolumes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - test.example.com - resources: - - manifestcephvolumes/finalizers - verbs: - - update -- apiGroups: - - test.example.com - resources: - - manifestcephvolumes/status - verbs: - - get - - patch - - update -- apiGroups: - - test.example.com - resources: - - storagetypes - verbs: - - get - - list - - watch -- apiGroups: - - test.example.com - resources: - - storagetypes/status - verbs: - - get + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get + - apiGroups: + - test.example.com + resources: + - cephvolumes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - test.example.com + resources: + - cephvolumes/finalizers + verbs: + - update + - apiGroups: + - test.example.com + resources: + - cephvolumes/status + verbs: + - get + - patch + - update + - apiGroups: + - test.example.com + resources: + - manifestcephvolumes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - test.example.com + resources: + - manifestcephvolumes/finalizers + verbs: + - update + - apiGroups: + - test.example.com + resources: + - manifestcephvolumes/status + verbs: + - get 
+ - patch + - update + - apiGroups: + - test.example.com + resources: + - storagetypes + verbs: + - get + - list + - watch + - apiGroups: + - test.example.com + resources: + - storagetypes/status + verbs: + - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: my-operator-metrics-reader rules: -- nonResourceURLs: - - /metrics - verbs: - - get + - nonResourceURLs: + - /metrics + verbs: + - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: my-operator-proxy-role rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -493,9 +513,9 @@ roleRef: kind: Role name: my-operator-leader-election-role subjects: -- kind: ServiceAccount - name: my-operator-controller-manager - namespace: my-operator-system + - kind: ServiceAccount + name: my-operator-controller-manager + namespace: my-operator-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -506,9 +526,9 @@ roleRef: kind: ClusterRole name: my-operator-manager-role subjects: -- kind: ServiceAccount - name: my-operator-controller-manager - namespace: my-operator-system + - kind: ServiceAccount + name: my-operator-controller-manager + namespace: my-operator-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -519,9 +539,9 @@ roleRef: kind: ClusterRole name: my-operator-proxy-role subjects: -- kind: ServiceAccount - name: my-operator-controller-manager - namespace: my-operator-system + - kind: ServiceAccount + name: my-operator-controller-manager + namespace: my-operator-system --- apiVersion: v1 data: 
@@ -555,9 +575,9 @@ metadata: namespace: my-operator-system spec: ports: - - name: https - port: 8443 - targetPort: https + - name: https + port: 8443 + targetPort: https selector: control-plane: controller-manager --- 
@@ -580,91 +600,94 @@ spec: control-plane: controller-manager spec: topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - matchLabelKeys: - - app - - pod-template-hash + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLables: + app: myapp + matchLabelKeys: + - app + - pod-template-hash containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - command: - - /manager - volumeMounts: - - mountPath: /controller_manager_config.yaml - name: manager-config - subPath: controller_manager_config.yaml - - name: secret-volume - mountPath: /my.ca - env: - - name: VAR1 - valueFrom: - secretKeyRef: - name: my-operator-secret-vars - key: VAR1 - - name: VAR2 - value: "ciao" - - name: VAR3_MY_ENV - value: "ciao" - - name: VAR4 - valueFrom: - configMapKeyRef: - name: my-operator-configmap-vars - key: VAR4 - - name: VAR5 - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAR6 - valueFrom: - resourceFieldRef: - resource: limits.cpu - image: busybox:latest - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault + - args: + - 
--secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + volumeMounts: + - mountPath: /controller_manager_config.yaml + name: manager-config + subPath: controller_manager_config.yaml + - name: secret-volume + mountPath: /my.ca + env: + - name: VAR1 + valueFrom: + secretKeyRef: + name: my-operator-secret-vars + key: VAR1 + - name: VAR2 + value: "ciao" + - name: VAR3_MY_ENV + value: "ciao" + - name: VAR4 + valueFrom: + configMapKeyRef: + name: my-operator-configmap-vars + key: VAR4 + - name: VAR5 + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: VAR6 + valueFrom: + resourceFieldRef: + resource: limits.cpu + image: busybox:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault securityContext: runAsNonRoot: true nodeSelector: @@ -673,12 +696,12 @@ spec: serviceAccountName: my-operator-controller-manager terminationGracePeriodSeconds: 10 volumes: - - configMap: - name: my-operator-manager-config - name: manager-config - - name: secret-volume - secret: - secretName: my-operator-secret-ca + - configMap: + name: my-operator-manager-config + name: manager-config + - name: secret-volume + secret: + secretName: my-operator-secret-ca --- apiVersion: v1 data: 
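Review bot: The `labelSelector:` added under `topologySpreadConstraints` uses the key `matchLables:`, which is not a LabelSelector field; the spelling is `matchLabels:`. Depending on field-validation mode the unknown key is either dropped, leaving the selector empty, or rejected outright, so the operator-ci chart generated from this file may fail the `Dry-run operator in k8s cluster` step unless helmify discards the key on the way through. If the misspelling is a deliberate negative test input, a comment on that line saying so would spare the next reader the same double take; otherwise the fix is the one-line change `matchLabels:` with `app: myapp` kept underneath. The Deployment this pod template belongs to starts above the hunk.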
@@ -709,4 +732,3 @@ spec: requests: storage: 2Gi storageClassName: cust1-mypool-lim -