chore: create Helm chart

.gitignore

@@ -37,4 +37,7 @@ build/
 .prefs
 *.prefs
 .metadata/
-.factorypath
+.factorypath
+
+### Macbook ###
+.DS_Store

helm/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: resource-group-controller
+description: A Helm chart for resource-group-controller
+
+type: application
+
+version: 1.0.0
+
+appVersion: "1.1.0-SNAPSHOT"

helm/templates/_helpers.tpl

@@ -0,0 +1,19 @@
+{{/*
+Create Resource Group Controller app version
+*/}}
+{{- define "resource-group-controller.version" -}}
+{{- default .Chart.AppVersion .Values.image.tag }}
+{{- end -}}
+
+{{/*
+Resource Group Controller Envs Configuration
+*/}}
+{{- define "resource-group-controller.cm.envs" -}}
+TZ: {{ .Values.app.timezone }}
+SPRING_PROFILES_ACTIVE: {{ .Values.app.profile }}
+LOGGING_LEVEL_IO_TEN1010_COASTER_GROUPCONTROLLER: {{ .Values.app.loggingLevel }}
+SERVER_SSL_CERTIFICATE: {{ .Values.app.certificatePath }}/tls.crt
+SERVER_SSL_CERTIFICATE_PRIVATE_KEY: {{ .Values.app.certificatePath }}/tls.key
+SERVER_SSL_TRUST_CERTIFICATE: {{ .Values.app.certificatePath }}/ca.crt
+APP_SCHEDULING_GROUP_NODE_ONLY: '{{ .Values.app.schedulingGroupNodeOnly }}'
+{{- end }}

helm/templates/certificate-and-webhook.yaml

@@ -0,0 +1,56 @@
+{{- $altNames := list ( "resource-group-controller.resource-group-controller.svc" ) -}}
+{{- $ca := genCA "coaster" 365 -}}
+{{- $cert := genSignedCert "resource-group-controller" nil $altNames 365 $ca -}}
+
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: resource-group-controller.resource-group.ten1010.io
+  namespace: {{ .Release.Namespace }}
+webhooks:
+  - name: resource-group-controller.resource-group.ten1010.io
+    admissionReviewVersions: ["v1"]
+    clientConfig:
+      caBundle: {{ $ca.Cert | b64enc | quote }}
+      service:
+        namespace: {{ .Release.Namespace }}
+        name: resource-group-controller
+        path: /admissionreviews
+        port: 8080
+    failurePolicy: Ignore
+    matchPolicy: Equivalent
+    namespaceSelector: {}
+    objectSelector: {}
+    reinvocationPolicy: IfNeeded
+    rules:
+      - apiGroups: [ "" ]
+        apiVersions: [ "v1" ]
+        operations: [ "CREATE" ]
+        resources: [ "pods", "replicationcontrollers" ]
+        scope: "*"
+      - apiGroups: [ "batch" ]
+        apiVersions: [ "v1" ]
+        operations: [ "CREATE" ]
+        resources: [ "cronjobs", "jobs" ]
+        scope: "*"
+      - apiGroups: [ "apps" ]
+        apiVersions: [ "v1" ]
+        operations: [ "CREATE" ]
+        resources: [ "daemonsets", "deployments", "replicasets", "statefulsets" ]
+        scope: "*"
+    sideEffects: None
+    timeoutSeconds: 10
+---
+
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: resource-group-controller-tls
+  namespace: {{ .Release.Namespace }}
+
+data:
+  tls.crt: {{ $cert.Cert | b64enc | quote }}
+  tls.key: {{ $cert.Key | b64enc | quote }}
+  ca.crt: {{ $ca.Cert | b64enc | quote }}

helm/templates/cluster-role.yaml

@@ -0,0 +1,78 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: resource-group-controller.resource-group.ten1010.io
+rules:
+  - apiGroups: [ "resource-group.ten1010.io" ]
+    resources: [ "resourcegroups" ]
+    verbs: [ "get", "watch", "list" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods", "replicationcontrollers" ]
+    verbs: [ "get", "watch", "list", "update", "delete" ]
+  - apiGroups: [ "batch" ]
+    resources: [ "cronjobs", "jobs" ]
+    verbs: [ "get", "watch", "list", "update", "delete" ]
+  - apiGroups: [ "apps" ]
+    resources: [ "daemonsets", "deployments", "replicasets", "statefulsets" ]
+    verbs: [ "get", "watch", "list", "update", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "watch", "list", "update" ]
+  - apiGroups: [ "rbac.authorization.k8s.io" ]
+    resources: [ "roles" ]
+    verbs: [ "create", "get", "watch", "list", "update", "delete" ]
+  - apiGroups: [ "rbac.authorization.k8s.io" ]
+    resources: [ "rolebindings" ]
+    verbs: [ "create", "get", "watch", "list", "update", "delete" ]
+  - apiGroups: [ "rbac.authorization.k8s.io" ]
+    resources: [ "clusterroles" ]
+    verbs: [ "create", "get", "watch", "list", "update", "delete" ]
+  - apiGroups: [ "rbac.authorization.k8s.io" ]
+    resources: [ "clusterrolebindings" ]
+    verbs: [ "create", "get", "watch", "list", "update", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "namespaces" ]
+    verbs: [ "get", "watch", "list" ]
+
+  ### Needed to reconcile resource group role ###
+  - apiGroups: [ "" ]
+    resources: [ "pods", "replicationcontrollers", "services", "configmaps", "secrets", "persistentvolumeclaims", "serviceaccounts", "limitranges", "events" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "events.k8s.io" ]
+    resources: [ "events" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "batch" ]
+    resources: [ "cronjobs", "jobs" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "apps" ]
+    resources: [ "daemonsets", "deployments", "replicasets", "statefulsets" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "autoscaling" ]
+    resources: [ "horizontalpodautoscalers" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "policy" ]
+    resources: [ "poddisruptionbudgets" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "ten1010.io" ]
+    resources: [ "resourcegroups" ]
+    verbs: [ "get" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get" ]
+  - apiGroups: [ "" ]
+    resources: [ "namespaces" ]
+    verbs: [ "get" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: resource-group-controller.resource-group.ten1010.io
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: resource-group-controller
+roleRef:
+  kind: ClusterRole
+  name: resource-group-controller.resource-group.ten1010.io
+  apiGroup: rbac.authorization.k8s.io
+---

helm/templates/configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: resource-group-controller-envs
+  namespace: {{ .Release.Namespace }}
+
+data:
+  {{- include "resource-group-controller.cm.envs" . | nindent 2 }}
+---

helm/templates/crd.yaml

@@ -0,0 +1,87 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: resourcegroups.resource-group.ten1010.io
+spec:
+  scope: Cluster
+  names:
+    kind: ResourceGroup
+    plural: resourcegroups
+    singular: resourcegroup
+    shortNames:
+      - rgroup
+  group: resource-group.ten1010.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      additionalPrinterColumns:
+        - name: NODES
+          type: string
+          jsonPath: .spec.nodes
+        - name: NAMESPACES
+          type: string
+          jsonPath: .spec.namespaces
+      subresources:
+        status: {}
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - metadata
+            - spec
+          properties:
+            metadata:
+              type: object
+            spec:
+              type: object
+              properties:
+                nodes:
+                  type: array
+                  items:
+                    type: string
+                  default: []
+                namespaces:
+                  type: array
+                  items:
+                    type: string
+                  default: []
+                daemonSet:
+                  type: object
+                  properties:
+                    daemonSets:
+                      type: array
+                      items:
+                        type: object
+                        required:
+                          - namespace
+                          - name
+                        properties:
+                          namespace:
+                            type: string
+                          name:
+                            type: string
+                      default: []
+                  default:
+                    daemonSets: []
+                subjects:
+                  type: array
+                  items:
+                    type: object
+                    required:
+                      - apiGroup
+                      - kind
+                      - name
+                    properties:
+                      apiGroup:
+                        type: string
+                      kind:
+                        type: string
+                      name:
+                        type: string
+                      namespace:
+                        type: string
+                  default: []
+            status:
+              type: object
+---

helm/templates/deployment.yaml

@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: resource-group-controller
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: resource-group-controller
+  template:
+    metadata:
+      labels:
+        app: resource-group-controller
+    spec:
+      serviceAccountName: resource-group-controller
+      automountServiceAccountToken: true
+      containers:
+        - name: resource-group-controller
+          image: "{{ .Values.image.repository }}:{{ include "resource-group-controller.version" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          envFrom:
+            - configMapRef:
+                name: resource-group-controller-envs
+          volumeMounts:
+            - name: tls
+              readOnly: true
+              mountPath: {{ .Values.app.certificatePath }}
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              preference:
+                matchExpressions:
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: Exists
+      tolerations:
+        - key: "node-role.kubernetes.io/control-plane"
+          operator: "Exists"
+          effect: "NoSchedule"
+      volumes:
+        - name: tls
+          projected:
+            sources:
+              - secret:
+                  name: resource-group-controller-tls
+                  items:
+                    - key: tls.crt
+                      path: "tls.crt"
+                    - key: tls.key
+                      path: "tls.key"
+                    - key: ca.crt
+                      path: "ca.crt"

helm/templates/service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: resource-group-controller
+  namespace: {{ .Release.Namespace }}

helm/templates/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: resource-group-controller
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: {{ .Values.service.type }}
+  selector:
+    app: resource-group-controller
+  ports:
+    - protocol: TCP
+      port: {{ .Values.service.port }}
+      targetPort: {{ .Values.service.targetPort }}

helm/values.yaml

@@ -0,0 +1,16 @@
+image:
+  pullPolicy: IfNotPresent
+  repository: ten1010io/resource-group-controller
+  tag: ""
+
+app:
+  certificatePath: /etc/resource-group-controller/tls
+  timezone: Asia/Seoul
+  profile: production
+  loggingLevel: info
+  schedulingGroupNodeOnly: true
+
+service:
+  type: ClusterIP
+  targetPort: 8080
+  port: 8080

kubernetes/controller/cert/configure.sh

@@ -10,4 +10,6 @@ if [ ! -e "$output_dir_path/tls.p12" ]; then
 fi
 ca_bundle=$($script_path/get-ca-bundle.sh)
 sed -i 's/caBundle:.*/''caBundle: '"$ca_bundle"'/g' "../patches.yaml"
-cp -f $output_dir_path/tls.p12 $script_path/../
+cp -f $output_dir_path/ca.crt $script_path/../
+cp -f $output_dir_path/tls.crt $script_path/../
+cp -f $output_dir_path/tls.key $script_path/../