
feat: add apl-operator #2151


Merged
merged 104 commits into from
May 23, 2025
Changes from 24 commits
104 commits
21a5b23
feat: add simple-git dependency and new script for apl-operator
CasLubbers May 12, 2025
8cdded2
fix: eslint errors
CasLubbers May 12, 2025
cccc3c2
feat: add apl-operator chart
CasLubbers May 12, 2025
5ee7b05
feat: update apl-chart
CasLubbers May 12, 2025
704470f
feat: update apl-chart
CasLubbers May 12, 2025
e4060f2
feat: update apl-chart
CasLubbers May 12, 2025
14f4a2b
feat: update apl-chart
CasLubbers May 12, 2025
78cf3c9
feat: update apl-chart
CasLubbers May 12, 2025
80dcce4
feat: update apl-chart
CasLubbers May 12, 2025
677d002
feat: update apl-chart
CasLubbers May 12, 2025
4196f52
feat: update apl-chart
CasLubbers May 12, 2025
4eb23f8
feat: update operator
CasLubbers May 12, 2025
71207ae
feat: update operator
CasLubbers May 12, 2025
07bcf24
feat: update operator
CasLubbers May 13, 2025
626181b
feat: set correct env dir
CasLubbers May 13, 2025
d327ebb
feat: set repoPath correctly
CasLubbers May 13, 2025
41681bb
fix: errors in main
CasLubbers May 13, 2025
6f7634a
fix: errors in main
CasLubbers May 13, 2025
6d17b32
feat: add safe directory for git
CasLubbers May 13, 2025
a836bce
feat: add safe directory for git
CasLubbers May 13, 2025
31946f3
feat: add safe directory for git
CasLubbers May 13, 2025
a69e459
feat: add safe directory for git
CasLubbers May 13, 2025
0b60ef2
feat: add safe directory for git
CasLubbers May 13, 2025
b7bb31c
feat: add safe directory for git
CasLubbers May 13, 2025
41fa71d
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 13, 2025
7365540
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 13, 2025
65f6b0f
feat: add safe directory for git
CasLubbers May 13, 2025
461c24a
feat: add logs
CasLubbers May 13, 2025
8d41c03
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 13, 2025
d85742c
feat: add logs
CasLubbers May 13, 2025
ffaaa37
feat: add logs
CasLubbers May 13, 2025
fe71e75
feat: add logs
CasLubbers May 13, 2025
5149b4a
feat: add logs
CasLubbers May 13, 2025
b28acb3
feat: add logs
CasLubbers May 13, 2025
193704f
feat: add logs
CasLubbers May 13, 2025
4efb26e
feat: add logs
CasLubbers May 13, 2025
1236a89
feat: add logs
CasLubbers May 13, 2025
e2455c4
feat: add logs
CasLubbers May 13, 2025
2fe9a56
feat: add logs
CasLubbers May 13, 2025
6a9f0ff
feat: add logs
CasLubbers May 13, 2025
4bda084
feat: add logs
CasLubbers May 13, 2025
ea3eebf
feat: add logs
CasLubbers May 13, 2025
7d9789d
feat: add logs
CasLubbers May 13, 2025
cceb1c5
feat: test without clone repository
CasLubbers May 14, 2025
bc8d9f2
feat: use tmp directory
CasLubbers May 14, 2025
a0f1ad3
fix: remove core label
CasLubbers May 14, 2025
c675bd2
fix: add back core label
CasLubbers May 14, 2025
5ebdade
fix: fix bootstrap
CasLubbers May 14, 2025
b19578b
fix: operator
CasLubbers May 14, 2025
4dd10f2
fix: add git clone back
CasLubbers May 14, 2025
d3a6f10
fix: remove simple git
CasLubbers May 14, 2025
ba5490b
fix: remove simple git
CasLubbers May 14, 2025
560e58c
fix: add global gitconfig
CasLubbers May 14, 2025
93f6074
fix: add global gitconfig
CasLubbers May 14, 2025
95eb5c7
fix: rbac rules
CasLubbers May 14, 2025
422bb2c
feat: add reconcile loop
CasLubbers May 15, 2025
694b9ce
feat: update rbac rules
CasLubbers May 15, 2025
09224e4
feat: update rbac rules
CasLubbers May 15, 2025
918428e
feat: update rbac rules
CasLubbers May 15, 2025
99eeb51
feat: set CI to true
CasLubbers May 15, 2025
076cdca
feat: add back simple-git
CasLubbers May 15, 2025
ebd1625
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 15, 2025
93646c5
feat: refactor code for apl-operator
CasLubbers May 15, 2025
0747f3a
feat: set otomi-pipelines to false
CasLubbers May 15, 2025
7ecfeb8
feat: update secret keys for GIT credentials
CasLubbers May 16, 2025
1ddafba
feat: add wait for commits function
CasLubbers May 16, 2025
4520607
feat: ignore tests
CasLubbers May 16, 2025
37ad25a
feat: change order for gitRepo
CasLubbers May 16, 2025
0c8f0bf
feat: update rbac
CasLubbers May 16, 2025
a223e5e
feat: update rbac
CasLubbers May 16, 2025
3364c9e
feat: enhance apply process to support teams-only application
CasLubbers May 16, 2025
a798cec
feat: refactor pull method to improve change detection and skip logic
CasLubbers May 16, 2025
842e338
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 16, 2025
9d83085
feat: add tests to src/operator
CasLubbers May 19, 2025
80daa39
Merge remote-tracking branch 'origin/main' into APL-769
CasLubbers May 19, 2025
0c6959b
feat: add migration for apl-operator
CasLubbers May 19, 2025
66645dd
feat: add migration for apl-operator
CasLubbers May 19, 2025
730828a
feat: add migration for apl-operator
CasLubbers May 20, 2025
06f93a0
fix: refactor and review comments
CasLubbers May 20, 2025
e11d346
fix: tests
CasLubbers May 20, 2025
9f5124a
fix: install apl-operator via helm
CasLubbers May 20, 2025
cab7a88
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 20, 2025
b8964ef
fix: add rootdir to hf install
CasLubbers May 20, 2025
3a37647
fix: add migrate function to apply step
CasLubbers May 20, 2025
90244e6
fix: check if apl-operator already exists
CasLubbers May 20, 2025
bac5e5a
fix: add RBAC rules
CasLubbers May 20, 2025
64bdab3
fix: set last revision correctly
CasLubbers May 20, 2025
ed55952
fix: update RBAC
CasLubbers May 20, 2025
7839394
feat: set migrate to non-interactive
CasLubbers May 20, 2025
567ceab
feat: fix tests
CasLubbers May 20, 2025
a205042
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 21, 2025
c5db01a
feat: increase retries and timeout
CasLubbers May 21, 2025
1de8c2d
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 21, 2025
65c5b04
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 22, 2025
341810d
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 22, 2025
22b04e2
feat: values/apl-operator/apl-operator.gotmpl
CasLubbers May 22, 2025
f653081
feat: charts/apl-operator/templates/secret.yaml
CasLubbers May 22, 2025
6c4b1e3
Merge remote-tracking branch 'origin/main' into APL-769
svcAPLBot May 22, 2025
3fca02f
fix: review comments
CasLubbers May 22, 2025
877b075
fix: add persistentvolumeclaims
CasLubbers May 22, 2025
1f9d699
fix: git values
CasLubbers May 22, 2025
26d91e2
fix: test
CasLubbers May 22, 2025
c056f8e
fix: test
CasLubbers May 22, 2025
2839fb1
fix: use cluster admin role for RBAC
CasLubbers May 22, 2025
23 changes: 23 additions & 0 deletions charts/apl-operator/.helmignore
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
24 changes: 24 additions & 0 deletions charts/apl-operator/Chart.yaml
@@ -0,0 +1,24 @@
apiVersion: v2
name: apl-operator
description: A Helm chart for Kubernetes

# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"
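Review bot: `description: A Helm chart for Kubernetes` and `appVersion: "1.16.0"` are the unedited `helm create` scaffold values, and `appVersion` is also what deployment.yaml falls back to for the image tag (`.Values.image.tag | default .Chart.AppVersion`), so a values file without `image.tag` pulls a `1.16.0` tag that has nothing to do with the operator. Set `description` to describe apl-operator and `appVersion` to the operator's real version, or make `image.tag` a `required` value.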
1 change: 1 addition & 0 deletions charts/apl-operator/templates/NOTES.txt
@@ -0,0 +1 @@
The apl-operator has been deployed.
62 changes: 62 additions & 0 deletions charts/apl-operator/templates/_helpers.tpl
@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "apl-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "apl-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "apl-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "apl-operator.labels" -}}
helm.sh/chart: {{ include "apl-operator.chart" . }}
{{ include "apl-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels
*/}}
{{- define "apl-operator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "apl-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "apl-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "apl-operator.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- .Values.serviceAccount.name }}
{{- end }}
{{- end }}
68 changes: 68 additions & 0 deletions charts/apl-operator/templates/deployment.yaml
@@ -0,0 +1,68 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "apl-operator.fullname" . }}
labels:
{{- include "apl-operator.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "apl-operator.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "apl-operator.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "apl-operator.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- node
- dist/src/operator/main.js
env:
- name: RUN_AS_OPERATOR
value: "true"
envFrom:
- secretRef:
name: gitea-credentials
- secretRef:
name: apl-sops-secrets
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: apl-values
mountPath: /home/app/stack/env
- name: git-config
mountPath: /home/app/stack/gitconfig
volumes:
- name: apl-values
emptyDir: {}
- name: git-config
emptyDir: {}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
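Review bot: the `envFrom` entry `secretRef: name: apl-sops-secrets` is not marked `optional: true`, but secret.yaml only renders that Secret inside `{{- if hasKey $kms "sops" }}`, so on a cluster with no SOPS KMS configured the pod never starts (the kubelet reports `CreateContainerConfigError` for the missing Secret). Either add `optional: true` to that `secretRef` or render the Secret unconditionally with empty data. The same hunk sets `serviceAccountName: {{ include "apl-operator.serviceAccountName" . }}`, while rbac.yaml creates the ServiceAccount with the hard-coded name `apl-operator`; with a release name that does not contain `apl-operator` the helper yields `<release>-apl-operator` and the Deployment references a ServiceAccount that does not exist. Use the same helper (or the same literal) in both files.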
165 changes: 165 additions & 0 deletions charts/apl-operator/templates/rbac.yaml
@@ -0,0 +1,165 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: apl-operator
namespace: {{ .Release.Namespace }}
---
# Role for operations in the otomi namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: apl-operator
namespace: {{ .Release.Namespace }}
rules:
# Needed for deployment state management
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "create", "update", "patch"]
resourceNames: ["otomi-deployment-status"]

# General ConfigMap operations for other ConfigMaps
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "create"]

# Secret management for stored credentials
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "create", "update", "patch"]
resourceNames: ["otomi-deployment-passwords"]

# General Secret operations for other secrets
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "create"]
---
# Role for operations in the argocd namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: apl-operator
namespace: argocd
rules:
# ArgoCD application management
- apiGroups: ["argoproj.io"]
resources: ["applications"]
verbs: ["get", "list", "create", "update", "patch", "delete"]

# For patching ArgoCD application controller
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "list", "patch"]
resourceNames: ["argocd-application-controller"]

# For restarting ArgoCD pods
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "delete"]
---
# Role for accessing ingress resources
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: apl-operator
namespace: ingress
rules:
# Needed for LoadBalancer IP/hostname retrieval
- apiGroups: [""]
resources: ["services"]
verbs: ["get"]
resourceNames: ["ingress-nginx-platform-controller"]
---
# RoleBinding for otomi namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: apl-operator
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: apl-operator
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: apl-operator
apiGroup: rbac.authorization.k8s.io
---
# RoleBinding for argocd namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: apl-operator
namespace: argocd
subjects:
- kind: ServiceAccount
name: apl-operator
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: apl-operator
apiGroup: rbac.authorization.k8s.io
---
# RoleBinding for ingress namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: apl-operator
namespace: ingress
subjects:
- kind: ServiceAccount
name: apl-operator
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: apl-operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: apl-operator-crds
rules:
# Required for applying the Prometheus CRDs
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "create", "update", "patch"]
resourceNames:
- "alertmanagerconfigs.monitoring.coreos.com"
- "alertmanagers.monitoring.coreos.com"
- "podmonitors.monitoring.coreos.com"
- "probes.monitoring.coreos.com"
- "prometheuses.monitoring.coreos.com"
- "prometheusrules.monitoring.coreos.com"
- "servicemonitors.monitoring.coreos.com"
- "thanosrulers.monitoring.coreos.com"

# Required for applying Tekton Triggers CRDs
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "create", "update", "patch"]
resourceNames:
- "clusterinterceptors.triggers.tekton.dev"
- "clustertriggerbindings.triggers.tekton.dev"
- "eventlisteners.triggers.tekton.dev"
- "interceptors.triggers.tekton.dev"
- "triggers.triggers.tekton.dev"
- "triggerbindings.triggers.tekton.dev"
- "triggertemplates.triggers.tekton.dev"

# For listing CRDs (needed to check existence)
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: apl-operator-crds
subjects:
- kind: ServiceAccount
name: apl-operator
namespace: otomi
roleRef:
kind: ClusterRole
name: apl-operator-crds
apiGroup: rbac.authorization.k8s.io
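Review bot: the ClusterRoleBinding subject at the end of the hunk hard-codes `namespace: otomi`, whereas the ServiceAccount and the three RoleBindings use `{{ .Release.Namespace }}`; installed into any other namespace, the CRD permissions bind to a non-existent account and the Prometheus/Tekton CRD apply step fails with a forbidden error. Use `{{ .Release.Namespace }}` there as well. Separately, the `resourceNames: ["otomi-deployment-passwords"]` scoping on secrets is undone by the rule that follows it, which grants `get` and `list` on every secret in the namespace without `resourceNames` (a `list` response carries the secret contents); if the operator only needs to create secrets and read specific ones, drop `list` and keep `get` scoped by name, or record in the comment why namespace-wide read is required. The argocd Role's `delete` on all pods in that namespace deserves the same justification, since restarting the application controller only needs its own pods.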
47 changes: 47 additions & 0 deletions charts/apl-operator/templates/secret.yaml
@@ -0,0 +1,47 @@
{{- $kms := .Values.kms | default dict }}
{{- if hasKey $kms "sops" }}
{{- $v := $kms.sops }}

apiVersion: v1
kind: Secret
metadata:
name: apl-sops-secrets
namespace: {{ .Release.Namespace }}
type: Opaque
data:
{{- with $v.azure }}
AZURE_CLIENT_ID: {{ .clientId | b64enc }}
AZURE_CLIENT_SECRET: {{ .clientSecret | b64enc }}
{{- with .tenantId }}
AZURE_TENANT_ID: {{ . | b64enc }}{{ end }}
{{- with .environment }}
AZURE_ENVIRONMENT: {{ . | b64enc }}{{ end }}
{{- end }}
{{- with $v.aws }}
AWS_ACCESS_KEY_ID: {{ .accessKey | b64enc }}
AWS_SECRET_ACCESS_KEY: {{ .secretKey | b64enc }}
{{- with .region }}
AWS_REGION: {{ . | b64enc }}{{ end }}
{{- end }}
{{- with $v.age }}
SOPS_AGE_KEY: {{ .privateKey | b64enc }}
{{- end }}
{{- with $v.google }}
GCLOUD_SERVICE_KEY: {{ .accountJson | b64enc }}
{{- with .project }}
GOOGLE_PROJECT: {{ . | b64enc }}{{ end }}
{{- with .region }}
GOOGLE_REGION: {{ . | b64enc }}{{ end }}
{{- end }}
{{- end }}

---
apiVersion: v1
kind: Secret
metadata:
name: gitea-credentials
namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
GITEA_USERNAME: otomi-admin
GITEA_PASSWORD: {{ .Values.giteaPassword }}
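Review bot: `GITEA_PASSWORD: {{ .Values.giteaPassword }}` under `stringData` is emitted unquoted, so a password containing YAML-significant characters (a leading `*`, `&`, `#`, `{`, or a `: ` sequence) breaks rendering, and an all-digit password is parsed as a number and rejected by the API server because `stringData` values must be strings. Use `GITEA_PASSWORD: {{ .Values.giteaPassword | quote }}`. In the azure block of the same hunk, `.clientId` and `.clientSecret` are read unconditionally inside `{{- with $v.azure }}` while `tenantId` and `environment` are guarded with `with`; wrapping the two mandatory keys in `required` makes a misconfigured values file fail at render time with a clear message instead of producing a Secret the operator cannot use.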