Improve compatibility with APPUiO

Now with k8s 1.29.x and networkpolicy support. Also installs espejo with a rule to create an approximation of APPUiO's default network policies in each appcat namespace.
vshn · Nov 7, 2024 · 04b3a96 · 04b3a96
1 parent 96327d3
commit 04b3a96
Show file tree

Hide file tree

Showing 14 changed files with 636 additions and 3 deletions.
diff --git a/Makefile b/Makefile
@@ -20,10 +20,10 @@ appcat-apiserver: vshnpostgresql ## Install appcat-apiserver dependencies
 vshnall: vshnpostgresql vshnredis
 
 .PHONY: vshnpostgresql
-vshnpostgresql: certmanager-setup stackgres-setup prometheus-setup minio-setup metallb-setup ## Install vshn postgres dependencies
+vshnpostgresql: certmanager-setup stackgres-setup prometheus-setup minio-setup metallb-setup netpols-setup ## Install vshn postgres dependencies
 
 .PHONY: vshnredis
-vshnredis: certmanager-setup k8up-setup ## Install vshn redis dependencies
+vshnredis: certmanager-setup k8up-setup netpols-setup ## Install vshn redis dependencies
 
 .PHONY: help
 help: ## Show this help
@@ -128,6 +128,7 @@ $(prometheus_sentinel): kind-setup-ingress
 		--values prometheus/values.yaml \
 		prometheus-community/kube-prometheus-stack
 	kubectl -n prometheus-system wait --for condition=Available deployment/kube-prometheus-kube-prome-operator --timeout 120s
+	kubectl apply -f prometheus/netpol.yaml
 	@echo -e "***\n*** Installed Prometheus in http://prometheus.127.0.0.1.nip.io:8088/ and AlertManager in http://alertmanager.127.0.0.1.nip.io:8088/.\n***"
 	@touch $@
 
@@ -175,3 +176,17 @@ unset-default-sc:
 	for sc in $$(kubectl get sc -o name) ; do \
 		kubectl patch $$sc -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'; \
 	done
+
+netpols-setup: $(espejo_sentinel) $(netpols_sentinel) ## Install netpols to simulate appuio's netpols
+
+$(netpols_sentinel): export KUBECONFIG = $(KIND_KUBECONFIG)
+$(netpols_sentinel):
+	kubectl apply -f netpols
+	touch $@
+
+espejo-setup: $(espejo_sentinel)
+
+$(espejo_sentinel): export KUBECONFIG = $(KIND_KUBECONFIG)
+$(espejo_sentinel):
+	kubectl apply -f espejo
+	touch $@
diff --git a/Makefile.vars.mk b/Makefile.vars.mk
@@ -6,6 +6,8 @@ local_pv_sentinel = $(kind_dir)/local_pv
 csi_sentinel = $(kind_dir)/csi_provider
 metallb_sentinel = $(kind_dir)/metallb
 komoplane_sentinel = $(kind_dir)/komoplane
+netpols_sentinel = $(kind_dir)/netpols
+espejo_sentinel = $(kind_dir)/espejo
 enable_xfn = true
 
 PROJECT_ROOT_DIR = .
@@ -18,7 +20,7 @@ DOCKER_CMD ?= docker
 ## KIND:setup
 
 # https://hub.docker.com/r/kindest/node/tags
-KIND_NODE_VERSION ?= v1.28.9
+KIND_NODE_VERSION ?= v1.29.7
 KIND_IMAGE ?= docker.io/kindest/node:$(KIND_NODE_VERSION)
 KIND_CMD ?= go run sigs.k8s.io/kind
 KIND_KUBECONFIG ?= $(kind_dir)/kind-kubeconfig-$(KIND_NODE_VERSION)

diff --git a/espejo/00_namespace.yaml b/espejo/00_namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: system
diff --git a/espejo/leader_election_role.yaml b/espejo/leader_election_role.yaml
@@ -0,0 +1,31 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
diff --git a/espejo/leader_election_role_binding.yaml b/espejo/leader_election_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system
diff --git a/espejo/manager.yaml b/espejo/manager.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: espejo
+  namespace: system
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      securityContext:
+        runAsUser: 65532
+      containers:
+      - name: operator
+        image: quay.io/vshn/espejo:v0.5.0
+        args:
+        - --enable-leader-election
+        resources:
+          limits:
+            cpu: 300m
+            memory: 100Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        env:
+        - name: WATCH_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+      terminationGracePeriodSeconds: 10
diff --git a/espejo/role.yaml b/espejo/role.yaml
@@ -0,0 +1,73 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-role
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces/status
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - sync.appuio.ch
+  resources:
+  - syncconfigs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - sync.appuio.ch
+  resources:
+  - syncconfigs/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+    - networking.k8s.io
+  resources:
+    - networkpolicies
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
diff --git a/espejo/role_binding.yaml b/espejo/role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system