diff --git a/README.md b/README.md index ca318bb..4098398 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ Since this is a quick start, we can ignore the manual creation of the cloud reso Their name hints at their purpose. Resource monitors sync on an interval with your cloud service and create new resources on the cluster for you. This makes the tagging process a bit more streamlined — You can tag instances in a way that they are visible to the operator and expect to see the corresponding new resources being created on the cluster in 2 minutes. The only field that monitors require as of now is a type: + ```yaml apiVersion: manager.kotaico.de/v1 kind: ResourceMonitor @@ -115,3 +116,249 @@ Kubebuilder is a hard development dependency of the project, so one of the best ## Roadmap - Recurring bookings + +--- + +# Helm Chart + +A Helm chart for deploying the Resource Booking Operator to Kubernetes clusters. + +## Overview + +The Resource Booking Operator is a Kubernetes operator that manages resource bookings and reservations. It provides custom resources for managing bookings, resources, and resource monitors. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.0+ + +## Installation + +### Add the Helm repository + +```bash +helm repo add resource-booking-operator https://kotaicode.github.io/resource-booking-operator +helm repo update +``` + +### Install the chart + +```bash +# Install with default values +helm install resource-booking-operator resource-booking-operator/resource-booking-operator + +# Install with custom values +helm install resource-booking-operator resource-booking-operator/resource-booking-operator \ + --values custom-values.yaml +``` + +### Install from local chart + +```bash +# Clone the repository +git clone https://github.com/kotaicode/resource-booking-operator.git +cd resource-booking-operator + +# Install from local chart +helm install resource-booking-operator charts/resource-booking-operator/ +``` + +## Configuration + +The following table lists the configurable parameters of the resource-booking-operator chart and their default values. + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullPolicy` | Global image pull policy | `IfNotPresent` | +| `global.imagePullSecrets` | Global image pull secrets | `[]` | +| `operator.image.repository` | Operator image repository | `controller` | +| `operator.image.tag` | Operator image tag | `latest` | +| `operator.image.pullPolicy` | Operator image pull policy | `IfNotPresent` | +| `operator.deployment.replicas` | Number of operator replicas | `1` | +| `operator.deployment.resources.limits.cpu` | CPU resource limits | `500m` | +| `operator.deployment.resources.limits.memory` | Memory resource limits | `128Mi` | +| `operator.deployment.resources.requests.cpu` | CPU resource requests | `10m` | +| `operator.deployment.resources.requests.memory` | Memory resource requests | `64Mi` | +| `rbac.create` | Create RBAC resources | `true` | +| `rbac.createClusterRoleBinding` | Create cluster role binding | `true` | +| `rbac.serviceAccount.create` | Create service account | `true` | +| `rbac.serviceAccount.name` | Service account name | `controller-manager` | +| `crd.install` | Install CRDs | `true` | +| `crd.validation` | Enable CRD validation | `true` | +| `metrics.enabled` | Enable metrics | `true` | +| `metrics.serviceMonitor.enabled` | Create service monitor | `false` | +| `authProxy.enabled` | Enable auth proxy | `true` | +| `authProxy.image.repository` | Auth proxy image repository | `gcr.io/kubebuilder/kube-rbac-proxy` | +| `authProxy.image.tag` | Auth proxy image tag | `v0.13.0` | +| `namespace.create` | Create namespace | `true` | +| `namespace.name` | Namespace name | `system` | + +### Example custom values + +```yaml +# custom-values.yaml +operator: + image: + repository: my-registry/controller + tag: v1.0.0 + deployment: + replicas: 2 + resources: + limits: + cpu: 1000m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + +rbac: + create: true + serviceAccount: + create: true + name: resource-booking-operator + +metrics: + enabled: true + serviceMonitor: + enabled: true + +authProxy: + enabled: true + resources: + limits: + cpu: 200m + memory: 64Mi + requests: + cpu: 10m + memory: 32Mi +``` + +## Custom Resources + +The operator creates the following custom resources: + +### Resource + +```yaml +apiVersion: manager.kotaico.de/v1 +kind: Resource +metadata: + name: example-resource +spec: + type: "ec2" + tag: "production" + booked_by: "user@example.com" + booked_until: "2024-12-31T23:59:59Z" +``` + +### Booking + +```yaml +apiVersion: manager.kotaico.de/v1 +kind: Booking +metadata: + name: example-booking +spec: + resource_name: "example-resource" + user_id: "user@example.com" + start_at: "2024-01-01T09:00:00Z" + end_at: "2024-01-01T17:00:00Z" + notifications: + - type: "email" + recipient: "user@example.com" +``` + +### ResourceMonitor + +```yaml +apiVersion: manager.kotaico.de/v1 +kind: ResourceMonitor +metadata: + name: example-monitor +spec: + type: "ec2" +``` + +## Additional RBAC Roles + +The chart includes additional RBAC roles for fine-grained access control: + +- `booking-editor`: Full access to bookings +- `booking-viewer`: Read-only access to bookings +- `resource-editor`: Full access to resources +- `resource-viewer`: Read-only access to resources +- `resourcemonitor-editor`: Full access to resource monitors +- `resourcemonitor-viewer`: Read-only access to resource monitors + +These roles can be enabled/disabled via the `additionalRoles` section in values.yaml. + +## Monitoring + +The operator exposes metrics on port 8080 (or 8443 when auth proxy is enabled). You can configure Prometheus ServiceMonitor for monitoring: + +```yaml +metrics: + enabled: true + serviceMonitor: + enabled: true + interval: 30s + scrapeTimeout: 10s +``` + +## Security + +The operator runs with the following security features: + +- Non-root user execution +- Dropped capabilities +- No privilege escalation +- RBAC authorization via auth proxy (when enabled) + +## Troubleshooting + +### Check operator status + +```bash +kubectl get pods -n system -l control-plane=controller-manager +``` + +### View operator logs + +```bash +kubectl logs -n system -l control-plane=controller-manager -c manager +``` + +### Check CRD installation + +```bash +kubectl get crd | grep manager.kotaico.de +``` + +### Test operator functionality + +```bash +helm test resource-booking-operator +``` + +## Uninstallation + +```bash +helm uninstall resource-booking-operator +``` + +**Note**: CRDs are not automatically removed. To remove them: + +```bash +kubectl delete crd resources.manager.kotaico.de +kubectl delete crd bookings.manager.kotaico.de +kubectl delete crd resourcemonitors.manager.kotaico.de +``` + +## Contributing + +Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct and the process for submitting pull requests. + +## License + +This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details. diff --git a/charts/resource-booking-operator/.helmignore b/charts/resource-booking-operator/.helmignore new file mode 100644 index 0000000..d2abb48 --- /dev/null +++ b/charts/resource-booking-operator/.helmignore @@ -0,0 +1,61 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# OS generated files +Thumbs.db +ehthumbs.db +# Kubernetes generated files +*.generated.go +# Go generated files +*.pb.go +# Documentation +docs/ +# Test files +*_test.go +# Build artifacts +bin/ +dist/ +# Docker files +Dockerfile* +.dockerignore +# Makefile +Makefile +# Config files +config/ +# Source code +api/ +controllers/ +clients/ +notify/ +# Assets +assets/ +# Web files +index.html +# License and project files +LICENSE +PROJECT +# Go module files +go.mod +go.sum +# Hack files +hack/ \ No newline at end of file diff --git a/charts/resource-booking-operator/Chart.yaml b/charts/resource-booking-operator/Chart.yaml new file mode 100644 index 0000000..016c3df --- /dev/null +++ b/charts/resource-booking-operator/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +name: resource-booking-operator +description: A Helm chart for the Resource Booking Operator +type: application +version: 0.1.0 +appVersion: "1.0.0" +keywords: + - kubernetes + - operator + - resource-booking + - booking + - resource-management +home: https://github.com/kotaicode/resource-booking-operator +sources: + - https://github.com/kotaicode/resource-booking-operator +maintainers: + - name: Kotaicode Team + email: team@kotaico.de +annotations: + category: Infrastructure + licenses: Apache-2.0 \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/NOTES.txt b/charts/resource-booking-operator/templates/NOTES.txt new file mode 100644 index 0000000..5a98e9d --- /dev/null +++ b/charts/resource-booking-operator/templates/NOTES.txt @@ -0,0 +1,75 @@ +Thank you for installing {{ .Chart.Name }}. + +Your release is named {{ .Release.Name }}. + +To learn more about the release, try: + + $ helm status {{ .Release.Name }} + $ helm get all {{ .Release.Name }} + +The Resource Booking Operator has been installed with the following components: + +{{- if .Values.namespace.create }} +- Namespace: {{ include "resource-booking-operator.namespace" . }} +{{- end }} +{{- if .Values.rbac.serviceAccount.create }} +- Service Account: {{ include "resource-booking-operator.serviceAccountName" . }} +{{- end }} +{{- if .Values.rbac.create }} +- Cluster Role: {{ include "resource-booking-operator.fullname" . }}-role +- Cluster Role Binding: {{ include "resource-booking-operator.fullname" . }}-rolebinding +{{- end }} +- Deployment: {{ include "resource-booking-operator.fullname" . }} +- Service: {{ include "resource-booking-operator.fullname" . }}-metrics-service +{{- if .Values.crd.install }} +- Custom Resource Definitions: + - resources.manager.kotaico.de + - bookings.manager.kotaico.de + - resourcemonitors.manager.kotaico.de +{{- end }} +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +- Service Monitor: {{ include "resource-booking-operator.fullname" . }}-metrics-monitor +{{- end }} + +The operator is now ready to manage resource bookings. You can create custom resources: + +Example Resource: +```yaml +apiVersion: manager.kotaico.de/v1 +kind: Resource +metadata: + name: example-resource +spec: + type: "ec2" + tag: "production" + booked_by: "user@example.com" + booked_until: "2024-12-31T23:59:59Z" +``` + +Example Booking: +```yaml +apiVersion: manager.kotaico.de/v1 +kind: Booking +metadata: + name: example-booking +spec: + resource_name: "example-resource" + user_id: "user@example.com" + start_at: "2024-01-01T09:00:00Z" + end_at: "2024-01-01T17:00:00Z" + notifications: + - type: "email" + recipient: "user@example.com" +``` + +Example Resource Monitor: +```yaml +apiVersion: manager.kotaico.de/v1 +kind: ResourceMonitor +metadata: + name: example-monitor +spec: + type: "ec2" +``` + +For more information, visit: https://github.com/kotaicode/resource-booking-operator \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/_helpers.tpl b/charts/resource-booking-operator/templates/_helpers.tpl new file mode 100644 index 0000000..92d9be9 --- /dev/null +++ b/charts/resource-booking-operator/templates/_helpers.tpl @@ -0,0 +1,110 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "resource-booking-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "resource-booking-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "resource-booking-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "resource-booking-operator.labels" -}} +helm.sh/chart: {{ include "resource-booking-operator.chart" . }} +{{ include "resource-booking-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "resource-booking-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "resource-booking-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "resource-booking-operator.serviceAccountName" -}} +{{- if .Values.rbac.serviceAccount.create }} +{{- default (include "resource-booking-operator.fullname" .) .Values.rbac.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.rbac.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the namespace name +*/}} +{{- define "resource-booking-operator.namespace" -}} +{{- .Values.namespace.name | default "system" }} +{{- end }} + +{{/* +Create the operator image +*/}} +{{- define "resource-booking-operator.image" -}} +{{- $registry := .Values.global.imageRegistry -}} +{{- $repository := .Values.operator.image.repository -}} +{{- $tag := .Values.operator.image.tag | default .Chart.AppVersion -}} +{{- if $registry -}} +{{- printf "%s/%s:%s" $registry $repository $tag -}} +{{- else -}} +{{- printf "%s:%s" $repository $tag -}} +{{- end -}} +{{- end }} + +{{/* +Create the auth proxy image +*/}} +{{- define "resource-booking-operator.authProxyImage" -}} +{{- $registry := .Values.global.imageRegistry -}} +{{- $repository := .Values.authProxy.image.repository -}} +{{- $tag := .Values.authProxy.image.tag -}} +{{- if $registry -}} +{{- printf "%s/%s:%s" $registry $repository $tag -}} +{{- else -}} +{{- printf "%s:%s" $repository $tag -}} +{{- end -}} +{{- end }} + +{{/* +Create the operator command args +*/}} +{{- define "resource-booking-operator.args" -}} +{{- $args := list "--leader-elect" -}} +{{- if .Values.authProxy.enabled -}} +{{- $args = concat $args (list "--health-probe-bind-address=:8081" "--metrics-bind-address=127.0.0.1:8080") -}} +{{- else -}} +{{- $args = concat $args (list "--health-probe-bind-address=:8081" "--metrics-bind-address=:8080") -}} +{{- end -}} +{{- join " " $args -}} +{{- end }} \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/crds/bookings.yaml b/charts/resource-booking-operator/templates/crds/bookings.yaml new file mode 100644 index 0000000..871d46e --- /dev/null +++ b/charts/resource-booking-operator/templates/crds/bookings.yaml @@ -0,0 +1,88 @@ +{{- if .Values.crd.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + name: bookings.manager.kotaico.de + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +spec: + group: manager.kotaico.de + names: + kind: Booking + listKind: BookingList + plural: bookings + singular: booking + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.start_at + name: START + type: string + - jsonPath: .spec.end_at + name: END + type: string + - jsonPath: .status.status + name: STATUS + type: string + name: v1 + schema: + openAPIV3Schema: + description: Booking is the Schema for the bookings API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BookingSpec defines the desired state of Booking + properties: + end_at: + type: string + notifications: + items: + properties: + recipient: + type: string + type: + type: string + required: + - recipient + - type + type: object + type: array + resource_name: + type: string + start_at: + type: string + user_id: + type: string + required: + - end_at + - resource_name + - start_at + - user_id + type: object + status: + description: BookingStatus defines the observed state of Booking + properties: + notification_sent: + type: boolean + status: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/crds/resourcemonitors.yaml b/charts/resource-booking-operator/templates/crds/resourcemonitors.yaml new file mode 100644 index 0000000..7694d1b --- /dev/null +++ b/charts/resource-booking-operator/templates/crds/resourcemonitors.yaml @@ -0,0 +1,52 @@ +{{- if .Values.crd.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + name: resourcemonitors.manager.kotaico.de + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +spec: + group: manager.kotaico.de + names: + kind: ResourceMonitor + listKind: ResourceMonitorList + plural: resourcemonitors + singular: resourcemonitor + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ResourceMonitor is the Schema for the resourcemonitors API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ResourceMonitorSpec defines the desired state of ResourceMonitor + properties: + type: + type: string + required: + - type + type: object + status: + description: ResourceMonitorStatus defines the observed state of ResourceMonitor + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/crds/resources.yaml b/charts/resource-booking-operator/templates/crds/resources.yaml new file mode 100644 index 0000000..ed36d94 --- /dev/null +++ b/charts/resource-booking-operator/templates/crds/resources.yaml @@ -0,0 +1,94 @@ +{{- if .Values.crd.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + name: resources.manager.kotaico.de + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +spec: + group: manager.kotaico.de + names: + kind: Resource + listKind: ResourceList + plural: resources + singular: resource + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.locked_by + name: LOCKED BY + type: string + - jsonPath: .status.locked_until + name: LOCKED UNTIL + type: string + - jsonPath: .status.instances + name: INSTANCES + type: integer + - jsonPath: .status.running + name: RUNNING + type: integer + - jsonPath: .status.status + name: STATUS + type: string + name: v1 + schema: + openAPIV3Schema: + description: Resource is the Schema for the resources API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ResourceSpec defines the desired state of Resource + properties: + booked_by: + type: string + booked_until: + type: string + tag: + type: string + type: + type: string + required: + - booked_by + - booked_until + - tag + - type + type: object + status: + description: ResourceStatus defines the observed state of Resource + properties: + instances: + type: integer + locked_by: + type: string + locked_until: + type: string + running: + type: integer + status: + type: string + required: + - instances + - locked_by + - locked_until + - running + - status + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/deployment.yaml b/charts/resource-booking-operator/templates/deployment.yaml new file mode 100644 index 0000000..f5a062c --- /dev/null +++ b/charts/resource-booking-operator/templates/deployment.yaml @@ -0,0 +1,93 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "resource-booking-operator.fullname" . }} + namespace: {{ include "resource-booking-operator.namespace" . }} + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} + control-plane: controller-manager +spec: + selector: + matchLabels: + {{- include "resource-booking-operator.selectorLabels" . | nindent 6 }} + control-plane: controller-manager + replicas: {{ .Values.operator.deployment.replicas }} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + {{- include "resource-booking-operator.selectorLabels" . | nindent 8 }} + control-plane: controller-manager + spec: + {{- with .Values.operator.deployment.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.deployment.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.deployment.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.deployment.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "resource-booking-operator.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.operator.deployment.terminationGracePeriodSeconds }} + containers: + {{- if .Values.authProxy.enabled }} + - name: kube-rbac-proxy + image: {{ include "resource-booking-operator.authProxyImage" . }} + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=0" + ports: + - containerPort: 8443 + protocol: TCP + name: https + {{- with .Values.authProxy.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.authProxy.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} + - name: manager + image: {{ include "resource-booking-operator.image" . }} + args: + - "--leader-elect" + {{- if .Values.authProxy.enabled }} + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=127.0.0.1:8080" + {{- else }} + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=:8080" + {{- end }} + {{- with .Values.operator.deployment.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.operator.deployment.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.operator.deployment.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.operator.deployment.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/namespace.yaml b/charts/resource-booking-operator/templates/namespace.yaml new file mode 100644 index 0000000..1996639 --- /dev/null +++ b/charts/resource-booking-operator/templates/namespace.yaml @@ -0,0 +1,11 @@ +{{- if .Values.namespace.create }} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "resource-booking-operator.namespace" . }} + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} + {{- with .Values.namespace.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/rbac-additional-roles.yaml b/charts/resource-booking-operator/templates/rbac-additional-roles.yaml new file mode 100644 index 0000000..124b398 --- /dev/null +++ b/charts/resource-booking-operator/templates/rbac-additional-roles.yaml @@ -0,0 +1,161 @@ +{{- if .Values.additionalRoles.bookingEditor.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "resource-booking-operator.fullname" . }}-booking-editor + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - manager.kotaico.de + resources: + - bookings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - manager.kotaico.de + resources: + - bookings/status + verbs: + - get +{{- end }} + +{{- if .Values.additionalRoles.bookingViewer.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "resource-booking-operator.fullname" . }}-booking-viewer + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - manager.kotaico.de + resources: + - bookings + verbs: + - get + - list + - watch +- apiGroups: + - manager.kotaico.de + resources: + - bookings/status + verbs: + - get +{{- end }} + +{{- if .Values.additionalRoles.resourceEditor.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "resource-booking-operator.fullname" . }}-resource-editor + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - manager.kotaico.de + resources: + - resources + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - manager.kotaico.de + resources: + - resources/status + verbs: + - get +{{- end }} + +{{- if .Values.additionalRoles.resourceViewer.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "resource-booking-operator.fullname" . }}-resource-viewer + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - manager.kotaico.de + resources: + - resources + verbs: + - get + - list + - watch +- apiGroups: + - manager.kotaico.de + resources: + - resources/status + verbs: + - get +{{- end }} + +{{- if .Values.additionalRoles.resourceMonitorEditor.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "resource-booking-operator.fullname" . }}-resourcemonitor-editor + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - manager.kotaico.de + resources: + - resourcemonitors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - manager.kotaico.de + resources: + - resourcemonitors/status + verbs: + - get +{{- end }} + +{{- if .Values.additionalRoles.resourceMonitorViewer.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "resource-booking-operator.fullname" . }}-resourcemonitor-viewer + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - manager.kotaico.de + resources: + - resourcemonitors + verbs: + - get + - list + - watch +- apiGroups: + - manager.kotaico.de + resources: + - resourcemonitors/status + verbs: + - get +{{- end }} \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/rbac.yaml b/charts/resource-booking-operator/templates/rbac.yaml new file mode 100644 index 0000000..c86ed6b --- /dev/null +++ b/charts/resource-booking-operator/templates/rbac.yaml @@ -0,0 +1,106 @@ +{{- if .Values.rbac.create }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "resource-booking-operator.fullname" . }}-role + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - manager.kotaico.de + resources: + - bookings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - manager.kotaico.de + resources: + - bookings/finalizers + verbs: + - update +- apiGroups: + - manager.kotaico.de + resources: + - bookings/status + verbs: + - get + - patch + - update +- apiGroups: + - manager.kotaico.de + resources: + - resourcemonitors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - manager.kotaico.de + resources: + - resourcemonitors/finalizers + verbs: + - update +- apiGroups: + - manager.kotaico.de + resources: + - resourcemonitors/status + verbs: + - get + - patch + - update +- apiGroups: + - manager.kotaico.de + resources: + - resources + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - manager.kotaico.de + resources: + - resources/finalizers + verbs: + - update +- apiGroups: + - manager.kotaico.de + resources: + - resources/status + verbs: + - get + - patch + - update +{{- end }} + +{{- if and .Values.rbac.create .Values.rbac.createClusterRoleBinding }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "resource-booking-operator.fullname" . }}-rolebinding + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "resource-booking-operator.fullname" . }}-role +subjects: +- kind: ServiceAccount + name: {{ include "resource-booking-operator.serviceAccountName" . }} + namespace: {{ include "resource-booking-operator.namespace" . }} +{{- end }} \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/service.yaml b/charts/resource-booking-operator/templates/service.yaml new file mode 100644 index 0000000..93dc197 --- /dev/null +++ b/charts/resource-booking-operator/templates/service.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "resource-booking-operator.fullname" . }}-metrics-service + namespace: {{ include "resource-booking-operator.namespace" . }} + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} + control-plane: controller-manager +spec: + ports: + {{- if .Values.authProxy.enabled }} + - name: https + port: 8443 + protocol: TCP + targetPort: https + {{- else }} + - name: metrics + port: 8080 + protocol: TCP + targetPort: 8080 + {{- end }} + selector: + {{- include "resource-booking-operator.selectorLabels" . | nindent 4 }} + control-plane: controller-manager \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/serviceaccount.yaml b/charts/resource-booking-operator/templates/serviceaccount.yaml new file mode 100644 index 0000000..ecd014d --- /dev/null +++ b/charts/resource-booking-operator/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "resource-booking-operator.serviceAccountName" . }} + namespace: {{ include "resource-booking-operator.namespace" . }} + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} + {{- with .Values.rbac.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/servicemonitor.yaml b/charts/resource-booking-operator/templates/servicemonitor.yaml new file mode 100644 index 0000000..d1fa696 --- /dev/null +++ b/charts/resource-booking-operator/templates/servicemonitor.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "resource-booking-operator.fullname" . }}-metrics-monitor + namespace: {{ include "resource-booking-operator.namespace" . }} + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} + control-plane: controller-manager +spec: + endpoints: + - path: {{ .Values.metrics.serviceMonitor.path }} + port: {{ .Values.metrics.serviceMonitor.port }} + scheme: {{ .Values.metrics.serviceMonitor.scheme }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + {{- with .Values.metrics.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + selector: + matchLabels: + {{- include "resource-booking-operator.selectorLabels" . | nindent 6 }} + control-plane: controller-manager +{{- end }} \ No newline at end of file diff --git a/charts/resource-booking-operator/templates/tests/test-connection.yaml b/charts/resource-booking-operator/templates/tests/test-connection.yaml new file mode 100644 index 0000000..b3fe1b4 --- /dev/null +++ b/charts/resource-booking-operator/templates/tests/test-connection.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "resource-booking-operator.fullname" . }}-test-connection" + namespace: {{ include "resource-booking-operator.namespace" . }} + labels: + {{- include "resource-booking-operator.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: test-connection + image: "{{ include "resource-booking-operator.image" . }}" + command: + - /manager + - --help + restartPolicy: Never \ No newline at end of file diff --git a/charts/resource-booking-operator/values.yaml b/charts/resource-booking-operator/values.yaml new file mode 100644 index 0000000..f93712e --- /dev/null +++ b/charts/resource-booking-operator/values.yaml @@ -0,0 +1,186 @@ +# Default values for resource-booking-operator +# This is a YAML-formatted file. + +# Global configuration +global: + # Global image registry + imageRegistry: "" + # Global image pull policy + imagePullPolicy: IfNotPresent + # Global image pull secrets + imagePullSecrets: [] + +# Operator configuration +operator: + # Operator image configuration + image: + repository: kotaicode/resource-booking-operator + tag: latest + pullPolicy: IfNotPresent + + # Operator deployment configuration + deployment: + replicas: 1 + # Node selector for deployment + nodeSelector: {} + # Tolerations for deployment + tolerations: [] + # Affinity for deployment + affinity: {} + # Security context + securityContext: + runAsNonRoot: true + runAsUser: 1000 + fsGroup: 1000 + # Container security context + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + # Resource limits and requests + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + # Liveness probe configuration + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + # Readiness probe configuration + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + # Termination grace period + terminationGracePeriodSeconds: 10 + # Leader election configuration + leaderElection: + enabled: true + # Leader election namespace + namespace: resource-booking-operator-system + # Leader election lease duration + leaseDuration: 15s + # Leader election renew deadline + renewDeadline: 10s + # Leader election retry period + retryPeriod: 2s + +# RBAC configuration +rbac: + # Create RBAC resources + create: true + # Create cluster role binding + createClusterRoleBinding: true + # Service account configuration + serviceAccount: + # Create service account + create: true + # Service account name + name: "resource-booking-operator-controller-manager" + # Service account annotations + annotations: {} + # Service account labels + labels: {} + +# CRD configuration +crd: + # Install CRDs + install: true + # CRD validation + validation: true + +# Metrics configuration +metrics: + # Enable metrics + enabled: true + # Service monitor configuration + serviceMonitor: + # Create service monitor + enabled: false + # Service monitor interval + interval: 30s + # Service monitor scrape timeout + scrapeTimeout: 10s + # Service monitor path + path: /metrics + # Service monitor port + port: https + # Service monitor scheme + scheme: https + # Service monitor TLS config + tlsConfig: + insecureSkipVerify: true + +# Auth proxy configuration +authProxy: + # Enable auth proxy + enabled: true + # Auth proxy image + image: + repository: gcr.io/kubebuilder/kube-rbac-proxy + tag: v0.13.0 + pullPolicy: IfNotPresent + # Auth proxy resources + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + # Auth proxy security context + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + +# Namespace configuration +namespace: + # Create namespace + create: true + # Namespace name + name: resource-booking-operator-system + # Namespace labels + labels: + control-plane: resource-booking-operator-controller-manager + app.kubernetes.io/name: namespace + app.kubernetes.io/instance: resource-booking-operator-system + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: resource-booking-operator + app.kubernetes.io/part-of: resource-booking-operator + app.kubernetes.io/managed-by: helm + +# Labels and annotations +labels: {} +annotations: {} + +# Additional RBAC roles +additionalRoles: + # Booking editor role + bookingEditor: + enabled: true + # Booking viewer role + bookingViewer: + enabled: true + # Resource editor role + resourceEditor: + enabled: true + # Resource viewer role + resourceViewer: + enabled: true + # Resource monitor editor role + resourceMonitorEditor: + enabled: true + # Resource monitor viewer role + resourceMonitorViewer: + enabled: true \ No newline at end of file