add namespace-lister deployment to staging
This is largely for testing purposes, to see if this deployment
configuration is functional.  As such, we're only going to deploy this
to one of the member clusters for the time being, and we're not going to
integrate this with the UI's nginx config until we have a stable
deployment.

Signed-off-by: Andy Sadler <[email protected]>
sadlerap committed Dec 17, 2024
1 parent 89439c7 commit aa01551
Showing 17 changed files with 393 additions and 0 deletions.
Expand Up @@ -28,5 +28,6 @@ resources:
- crossplane-control-plane
- konflux-ui
- konflux-rbac
- namespace-lister
components:
- ../../../k-components/inject-infra-deployments-repo-details
@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace-lister.yaml
components:
- ../../../../k-components/inject-infra-deployments-repo-details
- ../../../../k-components/deploy-to-member-cluster-merge-generator
@@ -0,0 +1,43 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: namespace-lister
spec:
generators:
- merge:
mergeKeys:
- nameNormalized
generators:
- clusters:
values:
sourceRoot: components/namespace-lister
environment: staging
clusterDir: ""
- list:
elements:
- nameNormalized: stone-stg-rh01
values.clusterDir: stone-stg-rh01
template:
metadata:
name: namespace-lister-{{nameNormalized}}
spec:
project: default
source:
path: '{{values.sourceRoot}}/{{values.environment}}/{{values.clusterDir}}'
repoURL: https://github.com/redhat-appstudio/infra-deployments.git
targetRevision: main
destination:
namespace: namespace-lister
server: '{{server}}'
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
retry:
limit: -1
backoff:
duration: 10s
factor: 2
maxDuration: 3m
6 changes: 6 additions & 0 deletions argo-cd-apps/overlays/development/delete-applications.yaml
Expand Up @@ -112,3 +112,9 @@ kind: ApplicationSet
metadata:
name: konflux-rbac
$patch: delete
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: namespace-lister
$patch: delete
Expand Up @@ -39,3 +39,9 @@ kind: ApplicationSet
metadata:
name: nvme-storage-configurator
$patch: delete
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: namespace-lister
$patch: delete
Expand Up @@ -11,3 +11,9 @@ kind: ApplicationSet
metadata:
name: konflux-rbac
$patch: delete
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: namespace-lister
$patch: delete
11 changes: 11 additions & 0 deletions components/namespace-lister/OWNERS
@@ -0,0 +1,11 @@
# See the OWNERS docs: https://go.k8s.io/owners

approvers:
- dperaza4dustbit
- filariow
- sadlerap

reviewers:
- dperaza4dustbit
- filariow
- sadlerap
47 changes: 47 additions & 0 deletions components/namespace-lister/base/deployment.yaml
@@ -0,0 +1,47 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: namespace-lister
namespace: namespace-lister
labels:
apps: namespace-lister
spec:
selector:
matchLabels:
apps: namespace-lister
replicas: 1
template:
metadata:
labels:
apps: namespace-lister
spec:
# securityContext:
# runAsNonRoot: true
serviceAccountName: namespace-lister
containers:
- image: namespace-lister:foo
name: namespace-lister
imagePullPolicy: IfNotPresent
env:
- name: LOG_LEVEL
value: "0"
# - name: AUTH_USERNAME_HEADER
# value: "X-User"
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
ports:
- containerPort: 8080
name: http
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- "ALL"
terminationGracePeriodSeconds: 60
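Review bot: The lister container exposes only `containerPort: 8080` (named `http`), while nginx.conf in this commit proxies GET requests to `namespace-lister.namespace-lister.svc.cluster.local:12000`; service.yaml is not in this view, so unless it maps port 12000 onto the `http` container port the proxy cannot reach the lister. The process's listening port is not configured anywhere here, so whichever value is right, the Deployment, Service and nginx upstream should agree, ideally through the named port. The container securityContext is otherwise tight; adding `seccompProfile: {type: RuntimeDefault}` would let the pod satisfy the restricted Pod Security Standard. The Deployment also declares no liveness or readiness probe, unlike the proxy in proxy.yaml, so a hung lister would keep receiving traffic from the Service.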
18 changes: 18 additions & 0 deletions components/namespace-lister/base/kustomization.yaml
@@ -0,0 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yaml
- namespace.yaml
- rbac.yaml
- proxy.yaml
- route.yaml
- service.yaml
namespace: namespace-lister
configMapGenerator:
- files:
- nginx.conf=nginx.conf
name: nginx
images:
- name: namespace-lister
newName: quay.io/konflux-ci/namespace-lister
newTag: fd195c941b3151c165ddf376ce5f44d57db3f071
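Review bot: `configMapGenerator` emits a ConfigMap named `nginx`, but the proxy Deployment in proxy.yaml mounts a ConfigMap named `proxy-konflux`; Kustomize only rewrites references whose name matches the generator's, so unless a `proxy-konflux` ConfigMap is created elsewhere the proxy pod will wait on a ConfigMap that never exists. Either set `name: proxy-konflux` on the generator or change the volume's `configMap.name` to `nginx`. Separately, `newTag` pins a commit-SHA tag, which a registry can still repoint; adding `digest: sha256:<image digest>` makes the pin immutable and matches how the nginx image in proxy.yaml is already referenced.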
4 changes: 4 additions & 0 deletions components/namespace-lister/base/namespace.yaml
@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: namespace-lister
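Review bot: The Namespace carries no Pod Security Admission labels, so the hardening the lister pod declares in deployment.yaml (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities) remains a per-manifest convention rather than something the cluster enforces. Adding `pod-security.kubernetes.io/enforce: restricted` under `metadata.labels` would turn it into a check; start with `pod-security.kubernetes.io/warn: restricted` for now, since neither pod in this component sets a `seccompProfile` yet and the proxy does not set `allowPrivilegeEscalation: false`.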
59 changes: 59 additions & 0 deletions components/namespace-lister/base/nginx.conf
@@ -0,0 +1,59 @@
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}

http {
log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name $host to: $proxy_host $upstream_addr: $request $status upstream_response_time $upstream_response_time msec $msec request_time $request_time';
access_log /dev/stderr upstreamlog;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;

include /etc/nginx/mime.types;
default_type application/octet-stream;

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

server {
listen 8080 default_server;
server_name _;

location ~* /api/v1/namespaces(/?)$ {
# namespace-lister endpoint
rewrite ^/(.*)/$ /$1 permanent;
proxy_pass https://kubernetes.default.svc;
if ($request_method = GET) {
proxy_pass http://namespace-lister.namespace-lister.svc.cluster.local:12000;
}
proxy_read_timeout 1m;
}


location / {
proxy_pass https://kubernetes.default.svc;
proxy_ssl_verify off;
proxy_read_timeout 30m;
proxy_set_header KONFLUX-REQUEST YES;
}


location /health {
# Used for liveness probes
return 200;
}
}
}
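Review bot: Both locations that forward to `https://kubernetes.default.svc` skip certificate verification — `location /` sets `proxy_ssl_verify off;` explicitly and the `/api/v1/namespaces` location relies on nginx's default, which is also off — so the proxy would not notice an interposed endpoint on the path to the API server. The pod gets the cluster CA by default from its service-account mount, so the `server` block can carry `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /var/run/secrets/kubernetes.io/serviceaccount/ca.crt;` and `proxy_ssl_name kubernetes.default.svc;`, and the explicit `off` can be dropped. The env patch in this commit sets `AUTH_USERNAME_HEADER` to `Impersonate-User`, and nothing in this config sets or strips that header, so the lister presumably takes the caller's identity from whatever value arrives; a comment in the `/api/v1/namespaces` location such as `# Impersonate-User is passed through untouched: this proxy must only be reachable via the authenticating front-end that sets it` would record that trust boundary. The `~* /api/v1/namespaces(/?)$` match is also case-insensitive and unanchored at the start; `~ ^/api/v1/namespaces/?$` pins it to the one path the lister serves.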

@@ -0,0 +1,5 @@
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: AUTH_USERNAME_HEADER
value: Impersonate-User
96 changes: 96 additions & 0 deletions components/namespace-lister/base/proxy.yaml
@@ -0,0 +1,96 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: proxy
name: proxy
namespace: namespace-lister
spec:
minReadySeconds: 60
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: proxy
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: proxy
spec:
containers:
- command:
- nginx
- -g
- daemon off;
image: registry.access.redhat.com/ubi9/nginx-120@sha256:88a4f2d184f52c4d3956be06b12d578d0bf681ec9d0a8b80e558a98c1860fa12
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 1
name: nginx-120
ports:
- containerPort: 8080
name: web
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 30
successThreshold: 3
timeoutSeconds: 1
resources:
limits:
cpu: 300m
memory: 256Mi
requests:
cpu: 30m
memory: 128Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/nginx/nginx.conf
name: proxy
readOnly: true
subPath: nginx.conf
- mountPath: /var/log/nginx
name: logs
- mountPath: /var/lib/nginx/tmp
name: nginx-tmp
- mountPath: /run
name: run
dnsPolicy: ClusterFirst
volumes:
- configMap:
defaultMode: 420
items:
- key: nginx.conf
path: nginx.conf
name: proxy-konflux
name: proxy
- emptyDir: {}
name: logs
- emptyDir: {}
name: nginx-tmp
- emptyDir: {}
name: run
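Review bot: The nginx container's securityContext sets only `readOnlyRootFilesystem` and `runAsNonRoot`, while the lister container in deployment.yaml additionally sets `allowPrivilegeEscalation: false` and drops all capabilities; the two pods in one component should share a baseline, so add `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}` here. The manifest also carries `kubectl get -o yaml` residue — `creationTimestamp: null`, `terminationMessagePath`, `terminationMessagePolicy`, `revisionHistoryLimit: 10`, `progressDeadlineSeconds: 600` and `dnsPolicy: ClusterFirst` are all API defaults — which buries the deliberate settings (probes, resources, volume layout) in noise; trimming them makes future diffs reviewable.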
50 changes: 50 additions & 0 deletions components/namespace-lister/base/rbac.yaml
@@ -0,0 +1,50 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: namespace-lister
namespace: namespace-lister
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: namespace-lister-authorizer
subjects:
- apiGroup: ""
kind: ServiceAccount
name: namespace-lister
namespace: namespace-lister
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: namespace-lister-authorizer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: namespace-lister-auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: namespace-lister
namespace: namespace-lister
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: namespace-lister-authorizer
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- clusterroles
- clusterrolebindings
- roles
- rolebindings
verbs: ["get", "list", "watch"]
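Review bot: The `namespace-lister-authorizer` ClusterRole grants cluster-wide get/list/watch on every Role, RoleBinding, ClusterRole and ClusterRoleBinding, and the second binding adds `system:auth-delegator`; that is a sensitive read scope for a service account whose token is automounted into the lister pod, and nothing in the file says why it is needed. A comment above the ClusterRole such as `# NOTE: cluster-wide RBAC read is presumably needed so the lister can compute per-user namespace visibility; confirm the minimal resource/verb set against the lister's code` would let a reviewer judge the scope instead of guessing. The first rule uses flow style (`apiGroups: [""]`) and the second block style for the same fields; pick one form for the file.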