From 8d40f65bca6487f6db0031d58ad1544560bec3d1 Mon Sep 17 00:00:00 2001 From: Xiaodong Ye Date: Sun, 19 Nov 2023 10:29:26 +0800 Subject: [PATCH] Extra updates for the operator Signed-off-by: Xiaodong Ye --- .github/workflows/makefile.yml | 29 ++++++++++++++++++++++++++++ Makefile | 2 +- config/default/kustomization.yaml | 8 ++++---- config/manager/kustomization.yaml | 6 ++++++ config/manager/manager.yaml | 2 +- config/rbac/clusterrole.yaml | 15 ++++++++++++++ config/rbac/clusterrole_binding.yaml | 12 ++++++++++++ config/rbac/kustomization.yaml | 2 ++ config/rbac/role.yaml | 10 ++++++++++ 9 files changed, 80 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/makefile.yml create mode 100644 config/rbac/clusterrole.yaml create mode 100644 config/rbac/clusterrole_binding.yaml diff --git a/.github/workflows/makefile.yml b/.github/workflows/makefile.yml new file mode 100644 index 0000000..74e5066 --- /dev/null +++ b/.github/workflows/makefile.yml @@ -0,0 +1,29 @@ +name: Makefile CI + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build image + run: make docker-build + + - name: Push image + run: make docker-push diff --git a/Makefile b/Makefile index 36f49fb..bf45726 100644 --- a/Makefile +++ b/Makefile @@ -51,7 +51,7 @@ endif OPERATOR_SDK_VERSION ?= v1.32.0 # Image URL to use all building/pushing image targets -IMG ?= controller:latest +IMG ?= ghcr.io/openloft/vcluster-operator:latest .PHONY: all all: docker-build diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index fc80c37..1eb132e 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
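Review bot: The `pull_request` trigger reaches the `Login to GitHub Container Registry` and `Push image` steps, so a pull-request build attempts `make docker-push` to `ghcr.io` with the workflow's `GITHUB_TOKEN`; both steps should run only on the `push` trigger (`if: github.event_name == 'push'`), so an unreviewed branch cannot publish the image and pull requests from forks, where the token is read-only, do not fail on the login. The job declares no `permissions:` block, so the token carries whatever the repository default allows; a job-level `permissions:` of `contents: read` and `packages: write` is the minimum the push needs. The two third-party actions are referenced by mutable major tags (`actions/checkout@v3`, `docker/login-action@v2`); pinning each to a full commit SHA, with the tag kept in a trailing comment, is the usual hardening for a job that holds a registry credential.
```yaml
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      # … unchanged: checkout step …
      - name: Login to GitHub Container Registry
        if: github.event_name == 'push'
        # … unchanged: uses/with for docker/login-action …
      # … unchanged: build step …
      - name: Push image
        if: github.event_name == 'push'
        run: make docker-push
```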
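Review bot: The new `IMG` default ends in the mutable `:latest` tag, and the `images:` override added in the config/manager/kustomization.yaml hunk pins `newTag: latest` the same way, so a deployment rendered from these manifests can change content without any manifest change. For the committed manifests prefer an immutable reference — a versioned `newTag` or the `digest:` field of the kustomize `images:` entry — and leave `latest` to local builds. Documenting the override next to the default, `# IMG is overridable: make docker-build IMG=<registry>/<name>:<tag>`, would make that intent explicit.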
@@ -21,10 +21,10 @@ resources: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patchesStrategicMerge: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml - - +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +patches: +- path: manager_auth_proxy_patch.yaml diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 5c5f0b8..bc0a4cb 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -1,2 +1,8 @@ resources: - manager.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: ghcr.io/openloft/vcluster-operator + newTag: latest diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index c7aa9ce..9fe9cd2 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -93,7 +93,7 @@ spec: resources: limits: cpu: 500m - memory: 128Mi + memory: 256Mi requests: cpu: 10m memory: 64Mi diff --git a/config/rbac/clusterrole.yaml b/config/rbac/clusterrole.yaml new file mode 100644 index 0000000..36c6bec --- /dev/null +++ b/config/rbac/clusterrole.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + # "namespace" omitted since ClusterRoles are not namespaced + name: manager-clusterrole +rules: + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch diff --git a/config/rbac/clusterrole_binding.yaml b/config/rbac/clusterrole_binding.yaml new file mode 100644 index 0000000..6c6ca1b --- /dev/null +++ b/config/rbac/clusterrole_binding.yaml 
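Review bot: The retained comment `# endpoint w/o any authn/z, please comment the following line.` now precedes a two-line `patches:` entry, so following it literally (commenting only `- path: manager_auth_proxy_patch.yaml`) leaves a bare `patches:` key with an empty value, which kustomize may not accept; reword it to `# endpoint w/o any authn/z, please comment out the patches entry below.` The added `apiVersion`/`kind` pair sits at the end of the file after the `resources:` list; placing it at the top is the conventional layout, and the same applies to the config/manager/kustomization.yaml hunk. The enclosing `resources:` list starts outside the hunk.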
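Review bot: The new ClusterRole grants the manager `get`/`list`/`watch` over every ClusterRole and ClusterRoleBinding in the cluster, and nothing in the hunk or the commit message says which reconciliation needs that view of the cluster's authorization model. Add a comment above the rule naming the code path that reads them, e.g. `# Read cluster-wide RBAC because <reconciler/reason> — confirm with the controller code`, and if the set of objects is bounded, narrow the rule with `resourceNames`. The file is hand-written alongside a role.yaml that carries a `#+kubebuilder:scaffold:rules` marker; if the project regenerates RBAC from `+kubebuilder:rbac` markers with controller-gen, expressing this rule as a marker keeps the manifest and the code from drifting.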
@@ -0,0 +1,12 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: manager-clusterrolebinding +subjects: + - kind: ServiceAccount + name: controller-manager + namespace: system +roleRef: + kind: ClusterRole + name: manager-clusterrole + apiGroup: rbac.authorization.k8s.io diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 731832a..35deae1 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -16,3 +16,5 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml +- clusterrole.yaml +- clusterrole_binding.yaml diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 406d77d..b55ef11 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -67,4 +67,14 @@ rules: resources: - "statefulsets" +## +## Extra rules used by the controller manager +## +- apiGroups: ["networking.k8s.io"] + resources: ["networkpolicies"] + verbs: ["get", "list", "watch", "patch"] +- apiGroups: [""] + resources: ["limitranges", "resourcequotas"] + verbs: ["get", "list", "watch"] + #+kubebuilder:scaffold:rules
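Review bot: The key order here is `kind:` then `apiVersion:`, while the sibling clusterrole.yaml added in this commit starts with `apiVersion:`; ordering both files `apiVersion`, `kind`, `metadata` keeps the RBAC directory uniform and easier to diff. The subject's `namespace: system` and the unprefixed names `controller-manager` and `manager-clusterrole` presumably rely on the kustomize `namespace`/`namePrefix` transformers in config/default, which are outside this diff; a one-line comment such as `# name and namespace are rewritten by the kustomize transformers in config/default` would save the next reader from checking.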
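Review bot: The added rules use flow sequences (`apiGroups: ["networking.k8s.io"]`) while the existing rules above, e.g. `- "statefulsets"`, use block sequences, so the file now mixes both styles; converting the new entries to block style matches the rest of the file. The `patch` verb on `networkpolicies` is a write into namespace network isolation, and the comment `## Extra rules used by the controller manager` does not say what the controller changes; a why-comment above that rule, e.g. `# patch: needed because <what the controller changes on NetworkPolicies>`, would document it. Whether this binds as a Role or a ClusterRole is decided by the `kind:` above the hunk, which is outside it, as is the start of `rules:`. If this file is regenerated by controller-gen from `+kubebuilder:rbac` markers, hand-added rules will be lost on the next `make manifests`; the marker form avoids that.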