Extra updates for the operator

Signed-off-by: Xiaodong Ye <[email protected]>
openloft · Nov 19, 2023 · 8d40f65 · 8d40f65
1 parent 5f520f8
commit 8d40f65
Show file tree

Hide file tree

Showing 9 changed files with 80 additions and 6 deletions.
diff --git a/.github/workflows/makefile.yml b/.github/workflows/makefile.yml
@@ -0,0 +1,29 @@
+name: Makefile CI
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build image
+      run: make docker-build
+
+    - name: Push image
+      run: make docker-push
diff --git a/Makefile b/Makefile
@@ -51,7 +51,7 @@ endif
 OPERATOR_SDK_VERSION ?= v1.32.0
 
 # Image URL to use all building/pushing image targets
-IMG ?= controller:latest
+IMG ?= ghcr.io/openloft/vcluster-operator:latest
 
 .PHONY: all
 all: docker-build

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -21,10 +21,10 @@ resources:
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
 
-patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
-
-
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+patches:
+- path: manager_auth_proxy_patch.yaml
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -1,2 +1,8 @@
 resources:
 - manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: ghcr.io/openloft/vcluster-operator
+  newTag: latest
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -93,7 +93,7 @@ spec:
         resources:
           limits:
             cpu: 500m
-            memory: 128Mi
+            memory: 256Mi
           requests:
             cpu: 10m
             memory: 64Mi

diff --git a/config/rbac/clusterrole.yaml b/config/rbac/clusterrole.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # "namespace" omitted since ClusterRoles are not namespaced
+  name: manager-clusterrole
+rules:
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+      - clusterrolebindings
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/config/rbac/clusterrole_binding.yaml b/config/rbac/clusterrole_binding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: manager-clusterrolebinding
+subjects:
+  - kind: ServiceAccount
+    name: controller-manager
+    namespace: system
+roleRef:
+  kind: ClusterRole
+  name: manager-clusterrole
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -16,3 +16,5 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+- clusterrole.yaml
+- clusterrole_binding.yaml
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -67,4 +67,14 @@ rules:
   resources:
   - "statefulsets"
 
+##
+## Extra rules used by the controller manager
+##
+- apiGroups: ["networking.k8s.io"]
+  resources: ["networkpolicies"]
+  verbs: ["get", "list", "watch", "patch"]
+- apiGroups: [""]
+  resources: ["limitranges", "resourcequotas"]
+  verbs: ["get", "list", "watch"]
+
 #+kubebuilder:scaffold:rules