

change from hostPath mounts to TZ environment variable, update RBAC f…
…or finalizers (#148)

* generate rbac for controller

* remove hostPath mounts, add TZ environment variable

* add finalizers to markers for OwnerReferencesPermissionEnforcement enabled clusters

* add TZ env var

* add env to NM schema

* update nm rbac markers

* rebase
ctrought authored Jun 16, 2022
1 parent 6b0e9c1 commit 26b5962
Showing 16 changed files with 394 additions and 87 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -69,7 +69,7 @@ undeploy:

# Generate manifests e.g. CRD, RBAC etc.
manifests: controller-gen
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=controller-role webhook paths=./pkg/apis/v2beta1 paths=./pkg/apis/v2beta2 output:crd:artifacts:config=config/crd/bases
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=controller-role webhook paths=./pkg/apis/v2beta1 paths=./pkg/apis/v2beta2 paths=./controllers output:crd:artifacts:config=config/crd/bases
cd config/manager && kustomize edit set image controller=${IMG} && cd ../../
kustomize build config/default | sed -e '/creationTimestamp/d' > config/bundle.yaml
kustomize build config/samples | sed -e '/creationTimestamp/d' > config/samples/bundle.yaml
13 changes: 3 additions & 10 deletions adapter/deploy/yaml/adapter.yaml
Expand Up @@ -19,10 +19,9 @@ spec:
args:
- --with-stdout=true
imagePullPolicy: Always
volumeMounts:
- mountPath: /etc/localtime
name: host-time
readOnly: true
env:
- name: TZ
value: GMT
lifecycle:
preStop:
httpGet:
Expand All @@ -48,12 +47,6 @@ spec:
requests:
cpu: 20m
memory: 50Mi
volumes:
- hostPath:
path: /etc/localtime
type: ""
name: host-time

---
apiVersion: v1
kind: Service
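Review bot: The new `value: GMT` is only honoured if the adapter image carries zone data (or, for a Go binary, embeds it); if the zone cannot be loaded a Go runtime falls back to UTC without complaint, so the intent should be written next to the variable, e.g. `# TZ replaces the former read-only hostPath mount of /etc/localtime; timestamps are now GMT regardless of node timezone`. Dropping the `hostPath` volume is the right least-privilege move and is also what keeps this pod admissible under the `baseline` Pod Security profile, which forbids hostPath, but timestamps previously followed the node's zone, so operators correlating adapter logs with node-local logs will see a shift worth a release-note line. The container's `securityContext` lies outside this hunk, so I cannot confirm what else the now volume-free spec still requests.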
16 changes: 6 additions & 10 deletions adapter/test/samples/socket.yaml
Expand Up @@ -19,16 +19,12 @@ spec:
command:
- socket-server
imagePullPolicy: Always
volumeMounts:
- mountPath: /etc/localtime
name: host-time
readOnly: true
volumes:
- hostPath:
path: /etc/localtime
type: ""
name: host-time

env:
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
---
apiVersion: v1
kind: Service
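Review bot: Unlike adapter.yaml in this same commit, the host-time mount is removed here without a replacement `TZ` entry, so the socket-server sample now runs in whatever zone its image defaults to (UTC for most minimal base images, which I cannot verify from here). If the sample is meant to mirror the adapter deployment, add `- name: TZ` / `value: GMT` beside the new `NAMESPACE` entry; if the omission is deliberate, a one-line `# no TZ: sample uses the image default zone` would stop the next reader from "fixing" it. The `NAMESPACE` downward-API entry itself is well-formed.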
125 changes: 117 additions & 8 deletions config/bundle.yaml
Expand Up @@ -4808,6 +4808,109 @@ spec:
description: The default namespace to which notification manager secrets
belong.
type: string
env:
description: List of environment variable
items:
description: EnvVar represents an environment variable present in
a Container.
properties:
name:
description: Name of the environment variable. Must be a C_IDENTIFIER.
type: string
value:
description: 'Variable references $(VAR_NAME) are expanded using
the previous defined environment variables in the container
and any service environment variables. If a variable cannot
be resolved, the reference in the input string will be unchanged.
The $(VAR_NAME) syntax can be escaped with a double $$, ie:
$$(VAR_NAME). Escaped references will never be expanded, regardless
of whether the variable exists or not. Defaults to "".'
type: string
valueFrom:
description: Source for the environment variable's value. Cannot
be used if value is not empty.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the ConfigMap or its key
must be defined
type: boolean
required:
- key
type: object
fieldRef:
description: 'Selects a field of the pod: supports metadata.name,
metadata.namespace, `metadata.labels[''<KEY>'']`, `metadata.annotations[''<KEY>'']`,
spec.nodeName, spec.serviceAccountName, status.hostIP,
status.podIP, status.podIPs.'
properties:
apiVersion:
description: Version of the schema the FieldPath is
written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the specified
API version.
type: string
required:
- fieldPath
type: object
resourceFieldRef:
description: 'Selects a resource of the container: only
resources limits and requests (limits.cpu, limits.memory,
limits.ephemeral-storage, requests.cpu, requests.memory
and requests.ephemeral-storage) are currently supported.'
properties:
containerName:
description: 'Container name: required for volumes,
optional for env vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output format of the exposed
resources, defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
secretKeyRef:
description: Selects a key of a secret in the pod's namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the Secret or its key must
be defined
type: boolean
required:
- key
type: object
type: object
required:
- name
type: object
type: array
groupLabels:
description: Labels for grouping notifiations.
items:
Expand Down Expand Up @@ -10924,12 +11027,19 @@ rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -10958,6 +11068,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- notification.kubesphere.io
resources:
- notificationmanagers/finalizers
verbs:
- update
- apiGroups:
- notification.kubesphere.io
resources:
Expand Down Expand Up @@ -11127,9 +11243,6 @@ spec:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- mountPath: /etc/localtime
name: host-time
readOnly: true
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
Expand All @@ -11147,10 +11260,6 @@ spec:
secret:
defaultMode: 420
secretName: notification-manager-webhook-server-cert
- hostPath:
path: /etc/localtime
type: ""
name: host-time
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
103 changes: 103 additions & 0 deletions config/crd/bases/notification.kubesphere.io_notificationmanagers.yaml
Expand Up @@ -3668,6 +3668,109 @@ spec:
description: The default namespace to which notification manager secrets
belong.
type: string
env:
description: List of environment variable
items:
description: EnvVar represents an environment variable present in
a Container.
properties:
name:
description: Name of the environment variable. Must be a C_IDENTIFIER.
type: string
value:
description: 'Variable references $(VAR_NAME) are expanded using
the previous defined environment variables in the container
and any service environment variables. If a variable cannot
be resolved, the reference in the input string will be unchanged.
The $(VAR_NAME) syntax can be escaped with a double $$, ie:
$$(VAR_NAME). Escaped references will never be expanded, regardless
of whether the variable exists or not. Defaults to "".'
type: string
valueFrom:
description: Source for the environment variable's value. Cannot
be used if value is not empty.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the ConfigMap or its key
must be defined
type: boolean
required:
- key
type: object
fieldRef:
description: 'Selects a field of the pod: supports metadata.name,
metadata.namespace, `metadata.labels[''<KEY>'']`, `metadata.annotations[''<KEY>'']`,
spec.nodeName, spec.serviceAccountName, status.hostIP,
status.podIP, status.podIPs.'
properties:
apiVersion:
description: Version of the schema the FieldPath is
written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the specified
API version.
type: string
required:
- fieldPath
type: object
resourceFieldRef:
description: 'Selects a resource of the container: only
resources limits and requests (limits.cpu, limits.memory,
limits.ephemeral-storage, requests.cpu, requests.memory
and requests.ephemeral-storage) are currently supported.'
properties:
containerName:
description: 'Container name: required for volumes,
optional for env vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output format of the exposed
resources, defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
secretKeyRef:
description: Selects a key of a secret in the pod's namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the Secret or its key must
be defined
type: boolean
required:
- key
type: object
type: object
required:
- name
type: object
type: array
groupLabels:
description: Labels for grouping notifiations.
items:
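Review bot: The new `env` field admits the full core `EnvVar` shape, including `valueFrom.secretKeyRef` and `configMapKeyRef`, which the kubelet resolves in the namespace where the rendered notification-manager workload runs — so anyone permitted to update a NotificationManager can surface any Secret in that namespace into the container's environment, which is a real widening of what write access to this resource implies. That consequence should be stated in the field description rather than the bare `List of environment variable`; since the text is generated from the Go struct (not in this diff), the fix belongs on the field comment in pkg/apis, saying that `valueFrom` references are resolved in the workload's namespace and therefore grant Secret/ConfigMap read access to whoever edits the resource. A validation webhook rejecting `secretKeyRef` unless an explicit opt-in is set would be the stricter option. Whether NotificationManager is cluster-scoped — which would make this a cross-namespace read in practice — is not visible here.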
19 changes: 5 additions & 14 deletions config/manager/manager.yaml
Expand Up @@ -31,19 +31,10 @@ spec:
requests:
cpu: 100m
memory: 20Mi
volumeMounts:
- mountPath: /etc/localtime
name: host-time
readOnly: true
env:
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
volumes:
- hostPath:
path: /etc/localtime
type: ""
name: host-time
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
terminationGracePeriodSeconds: 10
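Review bot: The controller manager loses its `/etc/localtime` mount here but, unlike adapter.yaml in the same commit, gets no `TZ` entry, so its log timestamps now follow the image's default zone rather than the node's — a silent behaviour change for anyone correlating controller logs with node-local logs. Either add `- name: TZ` / `value: GMT` beside `NAMESPACE` for consistency with the adapter, or record the decision with `# no TZ: controller logs use the image default zone` (the base image is not visible here, so I cannot say which zone that is). Removing the `hostPath` volume is a genuine least-privilege gain and removes the one thing that would have kept this pod out of the `baseline` Pod Security profile, assuming nothing in the rest of the container block (outside this hunk) still requests host access.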
16 changes: 14 additions & 2 deletions config/rbac/role.yaml
Expand Up @@ -21,12 +21,19 @@ rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -55,6 +62,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- notification.kubesphere.io
resources:
- notificationmanagers/finalizers
verbs:
- update
- apiGroups:
- notification.kubesphere.io
resources:
Expand All @@ -63,4 +76,3 @@ rules:
- get
- patch
- update
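Review bot: With the Makefile now pointing controller-gen at `./controllers`, this file is entirely generated output, yet nothing in it says so — a rule added by hand will be silently dropped on the next `make manifests`. Add `# Code generated by controller-gen from kubebuilder:rbac markers in ./controllers; DO NOT EDIT — change the markers instead.` at the top of the file (outside this hunk). The new `notificationmanagers/finalizers` rule with only `update` is the minimal grant OwnerReferencesPermissionEnforcement requires and is correctly confined to the sub-resource; the split of `secrets` and `configmaps` into separate rules changes ordering only, not scope, as far as the visible hunks show — the rule list continues past both hunk edges.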

