From baeee457a695f33b917834bdb7d554e975218414 Mon Sep 17 00:00:00 2001 From: Dario Tranchitella Date: Thu, 25 Aug 2022 17:29:32 +0200 Subject: [PATCH] chore(kustomize): support for datastore --- .../bases/kamaji.clastix.io_datastores.yaml | 269 ++++++++++++++++++ .../patches/cainjection_in_datastores.yaml | 7 + config/crd/patches/webhook_in_datastores.yaml | 16 ++ config/default/kustomization.yaml | 1 + config/install.yaml | 56 ++++ config/rbac/datastore_editor_role.yaml | 24 ++ config/rbac/datastore_viewer_role.yaml | 20 ++ config/rbac/role.yaml | 20 ++ config/samples/kustomization.yaml | 2 +- 9 files changed, 414 insertions(+), 1 deletion(-) create mode 100644 config/crd/bases/kamaji.clastix.io_datastores.yaml create mode 100644 config/crd/patches/cainjection_in_datastores.yaml create mode 100644 config/crd/patches/webhook_in_datastores.yaml create mode 100644 config/rbac/datastore_editor_role.yaml create mode 100644 config/rbac/datastore_viewer_role.yaml diff --git a/config/crd/bases/kamaji.clastix.io_datastores.yaml b/config/crd/bases/kamaji.clastix.io_datastores.yaml new file mode 100644 index 0000000..984200c --- /dev/null +++ b/config/crd/bases/kamaji.clastix.io_datastores.yaml 
@@ -0,0 +1,269 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: datastores.kamaji.clastix.io +spec: + group: kamaji.clastix.io + names: + kind: DataStore + listKind: DataStoreList + plural: datastores + singular: datastore + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Kamaji data store driver + jsonPath: .spec.driver + name: Driver + type: string + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: DataStore is the Schema for the datastores API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DataStoreSpec defines the desired state of DataStore. + properties: + basicAuth: + description: In case of authentication enabled for the given data + store, specifies the username and password pair. This value is optional. + properties: + password: + properties: + content: + description: Bare content of the file, base64 encoded. It + has precedence over the SecretReference value. 
+ format: byte + type: string + secretReference: + properties: + keyPath: + description: Name of the key for the given Secret reference + where the content is stored. This value is mandatory. + type: string + name: + description: Name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: Namespace defines the space within which + the secret name must be unique. + type: string + required: + - keyPath + type: object + type: object + username: + properties: + content: + description: Bare content of the file, base64 encoded. It + has precedence over the SecretReference value. + format: byte + type: string + secretReference: + properties: + keyPath: + description: Name of the key for the given Secret reference + where the content is stored. This value is mandatory. + type: string + name: + description: Name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: Namespace defines the space within which + the secret name must be unique. + type: string + required: + - keyPath + type: object + type: object + required: + - password + - username + type: object + driver: + description: The driver to use to connect to the shared datastore. + type: string + endpoints: + description: List of the endpoints to connect to the shared datastore. + No need for protocol, just bare IP/FQDN and port. + items: + type: string + type: array + tlsConfig: + description: Defines the TLS/SSL configuration required to connect + to the data store in a secure way. + properties: + certificateAuthority: + description: Retrieve the Certificate Authority certificate and + private key, such as bare content of the file, or a SecretReference. + The key reference is required since etcd authentication is based + on certificates, and Kamaji is responsible in creating this. + properties: + certificate: + properties: + content: + description: Bare content of the file, base64 encoded. 
+ It has precedence over the SecretReference value. + format: byte + type: string + secretReference: + properties: + keyPath: + description: Name of the key for the given Secret + reference where the content is stored. This value + is mandatory. + type: string + name: + description: Name is unique within a namespace to + reference a secret resource. + type: string + namespace: + description: Namespace defines the space within which + the secret name must be unique. + type: string + required: + - keyPath + type: object + type: object + privateKey: + properties: + content: + description: Bare content of the file, base64 encoded. + It has precedence over the SecretReference value. + format: byte + type: string + secretReference: + properties: + keyPath: + description: Name of the key for the given Secret + reference where the content is stored. This value + is mandatory. + type: string + name: + description: Name is unique within a namespace to + reference a secret resource. + type: string + namespace: + description: Namespace defines the space within which + the secret name must be unique. + type: string + required: + - keyPath + type: object + type: object + required: + - certificate + type: object + clientCertificate: + description: Specifies the SSL/TLS key and private key pair used + to connect to the data store. + properties: + certificate: + properties: + content: + description: Bare content of the file, base64 encoded. + It has precedence over the SecretReference value. + format: byte + type: string + secretReference: + properties: + keyPath: + description: Name of the key for the given Secret + reference where the content is stored. This value + is mandatory. + type: string + name: + description: Name is unique within a namespace to + reference a secret resource. + type: string + namespace: + description: Namespace defines the space within which + the secret name must be unique. 
+ type: string + required: + - keyPath + type: object + type: object + privateKey: + properties: + content: + description: Bare content of the file, base64 encoded. + It has precedence over the SecretReference value. + format: byte + type: string + secretReference: + properties: + keyPath: + description: Name of the key for the given Secret + reference where the content is stored. This value + is mandatory. + type: string + name: + description: Name is unique within a namespace to + reference a secret resource. + type: string + namespace: + description: Namespace defines the space within which + the secret name must be unique. + type: string + required: + - keyPath + type: object + type: object + required: + - certificate + - privateKey + type: object + required: + - certificateAuthority + - clientCertificate + type: object + required: + - driver + - endpoints + - tlsConfig + type: object + status: + description: DataStoreStatus defines the observed state of DataStore. + properties: + usedBy: + description: List of the Tenant Control Planes, namespaced named, + using this data store. + items: + type: string + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/patches/cainjection_in_datastores.yaml b/config/crd/patches/cainjection_in_datastores.yaml new file mode 100644 index 0000000..10e247c --- /dev/null +++ b/config/crd/patches/cainjection_in_datastores.yaml @@ -0,0 +1,7 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: datastores.kamaji.clastix.io 
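Review bot: Every `secretReference` object in this schema lists only `keyPath` under `required`, so the API server admits a reference with no `name` or `namespace` and the error only shows up when the controller tries to read the Secret at reconcile time. The CRD is controller-gen output (`controller-gen.kubebuilder.io/version: v0.6.1`), so the fix belongs on the Go type behind `secretReference` — a `+kubebuilder:validation:Required` marker (or no `omitempty`) on `name` and `namespace` — so that the regenerated block reads `required: - keyPath - name - namespace`. Note also that DataStore is `scope: Cluster` while each reference names an arbitrary `namespace`, so whoever may create a DataStore can presumably make the controller read Secrets in any namespace; that is worth stating in the `secretReference` description. The hunk ends at the `storedVersions: []` line and the new file has no further content.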
diff --git a/config/crd/patches/webhook_in_datastores.yaml b/config/crd/patches/webhook_in_datastores.yaml
new file mode 100644
index 0000000..dda5fac
--- /dev/null
+++ b/config/crd/patches/webhook_in_datastores.yaml
@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: datastores.kamaji.clastix.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ service:
+ namespace: system
+ name: webhook-service
+ path: /convert
+ conversionReviewVersions:
+ - v1
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 9504706..d6b30de 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -16,6 +16,7 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
+- ../samples
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook
diff --git a/config/install.yaml b/config/install.yaml
index 3f7a8c8..30286c4 100644
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -1233,6 +1233,26 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - kamaji.clastix.io
+ resources:
+ - datastores
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kamaji.clastix.io
+ resources:
+ - datastores/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - kamaji.clastix.io
 resources:
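Review bot: Adding `- ../samples` to the default bases renders whatever `config/samples/kustomization.yaml` lists into `config/install.yaml` for every user, and that directory appears to be where `kubebuilder create api` appends future samples (it carries the `#+kubebuilder:scaffold:manifestskustomizesamples` marker later in this patch), so the installer will silently grow with each scaffolded sample. If only the etcd DataStore is meant to ship, referencing that single file is safer; at minimum a comment in the style of the `[WEBHOOK]` one above the line, e.g. `# [DATASTORE] the samples base ships the default etcd DataStore; keep config/samples limited to installable resources`, would make the coupling visible.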
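Review bot: The manager ClusterRole gains `create` and `delete` on `datastores`, which is only needed if the controller itself creates or removes DataStore objects; if it merely reads them and writes `datastores/status`, the `+kubebuilder:rbac` marker on the reconciler should be narrowed to `get`, `list`, `watch`, `patch`, `update` (keeping the full `datastores/status` rule) and the manifests regenerated. The same rule set is added to `config/rbac/role.yaml` later in this patch, and since `install.yaml` is presumably rendered from it, the marker is the one place to change. Whether the controller creates DataStores cannot be seen from this patch, so treat this as a least-privilege question rather than a defect.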
@@ -1438,3 +1458,39 @@ spec:
 runAsNonRoot: true
 serviceAccountName: kamaji-controller-manager
 terminationGracePeriodSeconds: 10
+---
+apiVersion: kamaji.clastix.io/v1alpha1
+kind: DataStore
+metadata:
+ name: kamaji-etcd
+ namespace: kamaji-system
+spec:
+ basicAuth: null
+ driver: etcd
+ endpoints:
+ - etcd-0.etcd.kamaji-system.svc:2379
+ - etcd-1.etcd.kamaji-system.svc:2379
+ - etcd-2.etcd.kamaji-system.svc:2379
+ tlsConfig:
+ certificateAuthority:
+ certificate:
+ secretReference:
+ keyPath: ca.crt
+ name: etcd-certs
+ namespace: kamaji-system
+ privateKey:
+ secretReference:
+ keyPath: ca.key
+ name: etcd-certs
+ namespace: kamaji-system
+ clientCertificate:
+ certificate:
+ secretReference:
+ keyPath: tls.crt
+ name: root-client-certs
+ namespace: kamaji-system
+ privateKey:
+ secretReference:
+ keyPath: tls.key
+ name: root-client-certs
+ namespace: kamaji-system
diff --git a/config/rbac/datastore_editor_role.yaml b/config/rbac/datastore_editor_role.yaml
new file mode 100644
index 0000000..a7891ed
--- /dev/null
+++ b/config/rbac/datastore_editor_role.yaml
@@ -0,0 +1,24 @@
+# permissions for end users to edit datastores.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: datastore-editor-role
+rules:
+- apiGroups:
+ - kamaji.clastix.io
+ resources:
+ - datastores
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kamaji.clastix.io
+ resources:
+ - datastores/status
+ verbs:
+ - get
diff --git a/config/rbac/datastore_viewer_role.yaml b/config/rbac/datastore_viewer_role.yaml
new file mode 100644
index 0000000..e686f2f
--- /dev/null
+++ b/config/rbac/datastore_viewer_role.yaml
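Review bot: The `kamaji-etcd` DataStore sets `metadata.namespace: kamaji-system`, but the CRD earlier in this patch declares `scope: Cluster`, so the field is meaningless on this object and tooling may warn on it or drop it silently; the metadata should be `name: kamaji-etcd` alone. `basicAuth: null` is an explicit null for an optional field and can simply be omitted. Because `../samples` is now part of the default install, this document also hard-codes the Secrets `etcd-certs` and `root-client-certs` in `kamaji-system`; a comment above the document such as `# Requires the etcd-certs and root-client-certs Secrets to exist in kamaji-system before the DataStore is reconciled` would spare the first failed install. The preceding Deployment ends at `terminationGracePeriodSeconds: 10`; everything after `---` is the new document.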
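Review bot: The header comment `# permissions for end users to edit datastores.` understates what this ClusterRole grants: DataStore is cluster-scoped and its `secretReference` fields name an arbitrary `namespace`, so a subject bound to `datastore-editor-role` can presumably direct the controller at Secrets in any namespace. Consider replacing the comment with `# Cluster-wide rights to manage DataStores. A DataStore may reference Secrets in any namespace, so bind this role to platform administrators only.` Granting only `get` on `datastores/status` here is the right split between users and the controller.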
@@ -0,0 +1,20 @@
+# permissions for end users to view datastores.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: datastore-viewer-role
+rules:
+- apiGroups:
+ - kamaji.clastix.io
+ resources:
+ - datastores
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - kamaji.clastix.io
+ resources:
+ - datastores/status
+ verbs:
+ - get
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 8148604..41fbe09 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -54,6 +54,26 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - kamaji.clastix.io
+ resources:
+ - datastores
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kamaji.clastix.io
+ resources:
+ - datastores/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - kamaji.clastix.io
 resources:
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
index 6f2e031..35b6e22 100644
--- a/config/samples/kustomization.yaml
+++ b/config/samples/kustomization.yaml
@@ -1,4 +1,4 @@
 ## Append samples you want in your CSV to this file as resources ##
 resources:
-- kamaji_v1alpha1_tenantcontrolplane.yaml
+- kamaji_v1alpha1_datastore_etcd.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples
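Review bot: The resource list now names `kamaji_v1alpha1_datastore_etcd.yaml`, but that file is not among the files this patch creates (the diffstat lists nine files and none of them is under `config/samples/`), so `kustomize build config/default` will fail on a missing resource unless the sample already exists from an earlier commit; if it is new it belongs in this commit. Dropping `kamaji_v1alpha1_tenantcontrolplane.yaml` is presumably intentional now that `../samples` is part of the default install, but the scaffold marker on the last line means future `kubebuilder create api` runs will append new samples here and thus into `install.yaml`. A comment above `resources:` such as `# NOTE: this directory is a base of config/default; list only resources that should ship with the installer` would make that constraint visible to the next contributor.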