├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── .goreleaser.yaml ├── .pre-commit-config.yaml ├── .prow.yaml ├── CONTRIBUTING.md ├── DCO ├── LICENSE ├── Makefile ├── NOTICE ├── OWNERS ├── OWNERS_ALIASES ├── README.md ├── Zenhub.md ├── cmd ├── apiserver │ └── main.go ├── catapult │ └── main.go ├── elevator │ └── main.go ├── fake-operator │ └── main.go ├── ferry │ └── main.go ├── kubectl-kubecarrier │ └── main.go ├── manager │ └── main.go └── operator │ └── main.go ├── code-of-conduct.md ├── config ├── addon │ ├── README.md │ ├── cert-manager-config.yaml │ ├── cert-manager │ │ └── cert-manager.yaml │ ├── kubecarrier-config.yaml │ ├── kubecarrier │ │ ├── kubecarrier.yaml │ │ ├── operator.yaml │ │ └── service-cluster.yaml │ ├── kustomization.yaml │ └── loglevel_patch.yaml ├── dockerfiles │ ├── apiserver.Dockerfile │ ├── catapult.Dockerfile │ ├── dev.Dockerfile │ ├── elevator.Dockerfile │ ├── fake-operator.Dockerfile │ ├── ferry.Dockerfile │ ├── manager.Dockerfile │ ├── operator.Dockerfile │ └── test.Dockerfile ├── internal │ ├── README.md │ ├── apiserver │ │ ├── certmanager │ │ │ ├── certificate.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ ├── default │ │ │ ├── kustomization.yaml │ │ │ ├── manager_webhook_patch.yaml │ │ │ └── webhookcainjection_patch.yaml │ │ ├── manager │ │ │ ├── kustomization.yaml │ │ │ ├── manager.yaml │ │ │ └── service.yaml │ │ ├── prometheus │ │ │ ├── kustomization.yaml │ │ │ └── monitor.yaml │ │ ├── rbac │ │ │ ├── agg_role.yaml │ │ │ ├── agg_role_binding.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── leader_election_role.yaml │ │ │ ├── leader_election_role_binding.yaml │ │ │ ├── role.yaml │ │ │ └── role_binding.yaml │ │ └── webhook │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ ├── manifests.yaml │ │ │ └── service.yaml │ ├── catapult │ │ ├── certmanager │ │ │ ├── certificate.yaml │ │ │ ├── kustomization.yaml │ │ │ └── 
kustomizeconfig.yaml │ │ ├── default │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ ├── manager_webhook_patch.yaml │ │ │ └── webhookcainjection_patch.yaml │ │ ├── manager │ │ │ ├── kustomization.yaml │ │ │ └── manager.yaml │ │ ├── prometheus │ │ │ ├── kustomization.yaml │ │ │ └── monitor.yaml │ │ ├── rbac │ │ │ ├── bindings.yaml │ │ │ ├── cluster_role.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── leader_election_role.yaml │ │ │ ├── leader_election_role_binding.yaml │ │ │ └── role.yaml │ │ └── webhook │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ ├── manifests.yaml │ │ │ └── service.yaml │ ├── elevator │ │ ├── certmanager │ │ │ ├── certificate.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ ├── default │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ ├── manager_webhook_patch.yaml │ │ │ └── webhookcainjection_patch.yaml │ │ ├── manager │ │ │ ├── kustomization.yaml │ │ │ └── manager.yaml │ │ ├── prometheus │ │ │ ├── kustomization.yaml │ │ │ └── monitor.yaml │ │ ├── rbac │ │ │ ├── bindings.yaml │ │ │ ├── cluster_role.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── leader_election_role.yaml │ │ │ ├── leader_election_role_binding.yaml │ │ │ └── role.yaml │ │ └── webhook │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ ├── manifests.yaml │ │ │ └── service.yaml │ ├── fake-operator │ │ ├── certmanager │ │ │ ├── certificate.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ ├── crd │ │ │ ├── bases │ │ │ │ ├── fake.kubecarrier.io_backups.yaml │ │ │ │ ├── fake.kubecarrier.io_dbs.yaml │ │ │ │ └── fake.kubecarrier.io_snapshots.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ └── patches │ │ │ │ ├── cainjection_in_dbs.yaml │ │ │ │ └── webhook_in_dbs.yaml │ │ ├── default │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ ├── manager_webhook_patch.yaml │ │ │ └── webhookcainjection_patch.yaml │ │ ├── manager │ │ │ ├── kustomization.yaml │ │ 
│ └── manager.yaml │ │ ├── rbac │ │ │ ├── kustomization.yaml │ │ │ ├── role.yaml │ │ │ └── role_binding.yaml │ │ └── webhook │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ ├── manifests.yaml │ │ │ └── service.yaml │ ├── ferry │ │ ├── certmanager │ │ │ ├── certificate.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ ├── default │ │ │ ├── kustomization.yaml │ │ │ ├── manager_webhook_patch.yaml │ │ │ └── webhookcainjection_patch.yaml │ │ ├── manager │ │ │ ├── kustomization.yaml │ │ │ └── manager.yaml │ │ ├── prometheus │ │ │ ├── kustomization.yaml │ │ │ └── monitor.yaml │ │ ├── rbac │ │ │ ├── kustomization.yaml │ │ │ ├── leader_election_role.yaml │ │ │ ├── leader_election_role_binding.yaml │ │ │ ├── role.yaml │ │ │ └── role_binding.yaml │ │ └── webhook │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ ├── manifests.yaml │ │ │ └── service.yaml │ └── manager │ │ ├── certmanager │ │ ├── certificate.yaml │ │ ├── kustomization.yaml │ │ └── kustomizeconfig.yaml │ │ ├── crd │ │ ├── bases │ │ │ ├── catalog.kubecarrier.io_accounts.yaml │ │ │ ├── catalog.kubecarrier.io_catalogentries.yaml │ │ │ ├── catalog.kubecarrier.io_catalogentrysets.yaml │ │ │ ├── catalog.kubecarrier.io_catalogs.yaml │ │ │ ├── catalog.kubecarrier.io_derivedcustomresources.yaml │ │ │ ├── catalog.kubecarrier.io_offerings.yaml │ │ │ ├── catalog.kubecarrier.io_providers.yaml │ │ │ ├── catalog.kubecarrier.io_regions.yaml │ │ │ ├── catalog.kubecarrier.io_tenants.yaml │ │ │ ├── kubecarrier.io_customresourcediscoveries.yaml │ │ │ ├── kubecarrier.io_customresourcediscoverysets.yaml │ │ │ ├── kubecarrier.io_serviceclusterassignments.yaml │ │ │ └── kubecarrier.io_serviceclusters.yaml │ │ ├── kustomization.yaml │ │ ├── kustomizeconfig.yaml │ │ └── patches │ │ │ ├── cainjection_in_accounts.yaml │ │ │ ├── cainjection_in_catalogentries.yaml │ │ │ ├── cainjection_in_catalogs.yaml │ │ │ ├── cainjection_in_customresourcediscoveries.yaml │ │ │ ├── 
cainjection_in_derivedcustomresources.yaml │ │ │ ├── cainjection_in_offerings.yaml │ │ │ ├── cainjection_in_providers.yaml │ │ │ ├── cainjection_in_regions.yaml │ │ │ ├── cainjection_in_serviceclusterassignments.yaml │ │ │ ├── cainjection_in_serviceclusters.yaml │ │ │ ├── cainjection_in_tenants.yaml │ │ │ ├── webhook_in_accounts.yaml │ │ │ ├── webhook_in_catalogentries.yaml │ │ │ ├── webhook_in_catalogs.yaml │ │ │ ├── webhook_in_offerings.yaml │ │ │ ├── webhook_in_providers.yaml │ │ │ ├── webhook_in_regions.yaml │ │ │ └── webhook_in_tenants.yaml │ │ ├── default │ │ ├── kustomization.yaml │ │ ├── kustomizeconfig.yaml │ │ ├── manager_webhook_patch.yaml │ │ └── webhookcainjection_patch.yaml │ │ ├── manager │ │ ├── kustomization.yaml │ │ └── manager.yaml │ │ ├── prometheus │ │ ├── kustomization.yaml │ │ └── monitor.yaml │ │ ├── rbac │ │ ├── agg_role.yaml │ │ ├── agg_role_binding.yaml │ │ ├── kustomization.yaml │ │ ├── leader_election_role.yaml │ │ ├── leader_election_role_binding.yaml │ │ └── role.yaml │ │ └── webhook │ │ ├── kustomization.yaml │ │ ├── kustomizeconfig.yaml │ │ ├── manifests.yaml │ │ └── service.yaml ├── operator │ ├── certmanager │ │ ├── certificate.yaml │ │ ├── kustomization.yaml │ │ └── kustomizeconfig.yaml │ ├── crd │ │ ├── bases │ │ │ ├── operator.kubecarrier.io_apiservers.yaml │ │ │ ├── operator.kubecarrier.io_catapults.yaml │ │ │ ├── operator.kubecarrier.io_elevators.yaml │ │ │ ├── operator.kubecarrier.io_ferries.yaml │ │ │ └── operator.kubecarrier.io_kubecarriers.yaml │ │ ├── kustomization.yaml │ │ ├── kustomizeconfig.yaml │ │ └── patches │ │ │ ├── cainjection_in_kubecarriers.yaml │ │ │ └── webhook_in_kubecarriers.yaml │ ├── default │ │ ├── kustomization.yaml │ │ ├── kustomizeconfig.yaml │ │ ├── manager_webhook_patch.yaml │ │ └── webhookcainjection_patch.yaml │ ├── manager │ │ ├── kustomization.yaml │ │ └── manager.yaml │ ├── prometheus │ │ ├── kustomization.yaml │ │ └── monitor.yaml │ ├── rbac │ │ ├── kustomization.yaml │ │ ├── 
leader_election_role.yaml │ │ ├── leader_election_role_binding.yaml │ │ ├── role.yaml │ │ └── role_binding.yaml │ └── webhook │ │ ├── kustomization.yaml │ │ ├── kustomizeconfig.yaml │ │ ├── manifests.yaml │ │ └── service.yaml ├── serviceCluster │ ├── e2e-role.yaml │ ├── e2e-rolebinding.yaml │ └── role.yaml └── swagger │ ├── favicon-16x16.png │ ├── favicon-32x32.png │ ├── index.html │ ├── oauth2-redirect.html │ ├── swagger-ui-bundle.js │ ├── swagger-ui-bundle.js.map │ ├── swagger-ui-standalone-preset.js │ ├── swagger-ui-standalone-preset.js.map │ ├── swagger-ui.css │ ├── swagger-ui.css.map │ ├── swagger-ui.js │ └── swagger-ui.js.map ├── docs ├── api_reference │ └── _index.md ├── img │ ├── KubeCarrier-old.png │ ├── KubeCarrier-old.svg │ └── KubeCarrier.png └── manifests │ ├── accounts.yaml │ ├── catalog.yaml │ ├── catalogentryset.yaml │ ├── couchdb.crd.yaml │ ├── couchdb.eu-west-1.yaml │ ├── images │ ├── couchdb_icon.png │ ├── couchdb_icon.png.base64 │ ├── couchdb_logo.png │ └── couchdb_logo.png.base64 │ └── servicecluster.yaml ├── go.mod ├── go.sum ├── hack ├── .e2e-test.sh ├── audit.yaml ├── boilerplate │ ├── boilerplate.Dockerfile.txt │ ├── boilerplate.Makefile.txt │ ├── boilerplate.bzl.txt │ ├── boilerplate.generatego.txt │ ├── boilerplate.go.txt │ ├── boilerplate.proto.txt │ ├── boilerplate.py.txt │ └── boilerplate.sh.txt ├── codegen.sh ├── docgen.sh ├── docgen │ └── main.go ├── gen-tasks.go ├── get-servicecluster-kubeconfig.sh ├── impersonate │ └── impersonate.go ├── install-deps.sh ├── kind-config.yaml ├── krew-manifest │ └── main.go ├── lib.sh ├── proto-codegen.sh ├── start-docker.sh ├── testjsonformat │ └── main.go ├── tf │ ├── .gitignore │ ├── e2e_logs.tf │ └── terraform.tfvars ├── validate-directory-clean.sh └── verify-boilerplate.sh ├── pkg ├── apis │ ├── catalog │ │ └── v1alpha1 │ │ │ ├── account_types.go │ │ │ ├── catalog_types.go │ │ │ ├── catalogentry_types.go │ │ │ ├── catalogentryset_types.go │ │ │ ├── crds_types.go │ │ │ ├── 
derivedcustomresource_types.go │ │ │ ├── groupversion_info.go │ │ │ ├── index.go │ │ │ ├── offering_types.go │ │ │ ├── provider_types.go │ │ │ ├── region_types.go │ │ │ ├── tenant_types.go │ │ │ ├── types.go │ │ │ └── zz_generated.deepcopy.go │ ├── core │ │ └── v1alpha1 │ │ │ ├── customresourcediscovery_types.go │ │ │ ├── customresourcediscoveryset_types.go │ │ │ ├── groupversion_info.go │ │ │ ├── index.go │ │ │ ├── servicecluster_types.go │ │ │ ├── serviceclusterassignment_types.go │ │ │ ├── types.go │ │ │ └── zz_generated.deepcopy.go │ ├── fake │ │ ├── v1 │ │ │ ├── backup_type.go │ │ │ ├── db_conversion.go │ │ │ ├── db_types.go │ │ │ ├── groupversion_info.go │ │ │ ├── snapshot_type.go │ │ │ ├── types.go │ │ │ └── zz_generated.deepcopy.go │ │ └── v1alpha1 │ │ │ ├── db_conversion.go │ │ │ ├── db_types.go │ │ │ ├── groupversion_info.go │ │ │ ├── types.go │ │ │ └── zz_generated.deepcopy.go │ └── operator │ │ └── v1alpha1 │ │ ├── apiserver_types.go │ │ ├── catapult_types.go │ │ ├── elevator_types.go │ │ ├── ferry_types.go │ │ ├── groupversion_info.go │ │ ├── kubecarrier_types.go │ │ ├── kubecarrier_types_test.go │ │ ├── types.go │ │ └── zz_generated.deepcopy.go ├── apiserver │ ├── api │ │ └── v1 │ │ │ ├── account.pb.go │ │ │ ├── account.pb.gw.go │ │ │ ├── account.proto │ │ │ ├── apidocs.swagger.json │ │ │ ├── auth.go │ │ │ ├── doc.go │ │ │ ├── doc.pb.go │ │ │ ├── doc.pb.gw.go │ │ │ ├── doc.proto │ │ │ ├── event.pb.go │ │ │ ├── event.proto │ │ │ ├── instance.pb.go │ │ │ ├── instance.pb.gw.go │ │ │ ├── instance.proto │ │ │ ├── kubecarrier.pb.go │ │ │ ├── kubecarrier.pb.gw.go │ │ │ ├── kubecarrier.proto │ │ │ ├── meta.pb.go │ │ │ ├── meta.proto │ │ │ ├── offering.pb.go │ │ │ ├── offering.pb.gw.go │ │ │ ├── offering.proto │ │ │ ├── provider.pb.go │ │ │ ├── provider.pb.gw.go │ │ │ ├── provider.proto │ │ │ ├── region.pb.go │ │ │ ├── region.pb.gw.go │ │ │ ├── region.proto │ │ │ ├── request.pb.go │ │ │ ├── request.proto │ │ │ ├── types.pb.go │ │ │ ├── types.proto │ │ │ ├── 
util.go │ │ │ ├── v1.pb.go │ │ │ ├── v1.proto │ │ │ ├── validation.go │ │ │ └── validation_test.go │ ├── apiserver.go │ ├── auth │ │ └── auth.go │ ├── authorizer │ │ └── authorizer.go │ └── internal │ │ ├── auth │ │ ├── anonymous │ │ │ └── anonymous.go │ │ ├── htpasswd │ │ │ ├── htpasswd.go │ │ │ └── htpasswd_test.go │ │ ├── oidc │ │ │ ├── oidc.go │ │ │ └── oidc_unsafe.go │ │ └── token │ │ │ └── token.go │ │ ├── authorizer │ │ └── authorizer.go │ │ ├── util │ │ └── util.go │ │ └── v1 │ │ ├── account.go │ │ ├── account_test.go │ │ ├── apiserver_test.go │ │ ├── doc.go │ │ ├── instance.go │ │ ├── instance_test.go │ │ ├── kubecarrier.go │ │ ├── offering.go │ │ ├── offering_test.go │ │ ├── provider.go │ │ ├── provider_test.go │ │ ├── region.go │ │ ├── region_test.go │ │ ├── statik.go │ │ ├── util.go │ │ └── z_init.go ├── catapult │ ├── catapult.go │ └── internal │ │ ├── controllers │ │ ├── adoption_controller.go │ │ ├── adoption_controller_test.go │ │ ├── controller_test.go │ │ ├── managementclusterobj_controller.go │ │ └── managementclusterobj_controller_test.go │ │ └── webhooks │ │ └── managementclusterobj_webhook.go ├── cli │ ├── cli.go │ └── internal │ │ ├── cmd │ │ ├── delete │ │ │ ├── account.go │ │ │ └── delete.go │ │ ├── e2e-test │ │ │ ├── main.go │ │ │ ├── run.go │ │ │ └── setup-e2e-operator.go │ │ ├── preflight │ │ │ ├── checkers │ │ │ │ ├── checkers.go │ │ │ │ ├── checkers_test.go │ │ │ │ ├── crd.go │ │ │ │ ├── crd_test.go │ │ │ │ ├── kubernetes.go │ │ │ │ └── kubernetes_test.go │ │ │ └── preflight.go │ │ ├── root.go │ │ ├── setup │ │ │ └── setup.go │ │ ├── sut │ │ │ ├── service.go │ │ │ ├── service_test.go │ │ │ └── sut.go │ │ └── version │ │ │ ├── version.go │ │ │ └── version_test.go │ │ └── spinner │ │ ├── spinner.go │ │ └── spinner_test.go ├── elevator │ ├── elevator.go │ └── internal │ │ ├── controllers │ │ ├── adoption_controller.go │ │ ├── adoption_controller_test.go │ │ ├── controller_test.go │ │ ├── tenantobj_controller.go │ │ └── 
tenantobj_controller_test.go │ │ ├── util │ │ ├── util.go │ │ └── util_test.go │ │ └── webhooks │ │ └── tenantobj_webhook.go ├── fakeoperator │ ├── fakeoperator.go │ └── internal │ │ ├── controllers │ │ ├── backup_controller.go │ │ ├── db_controller.go │ │ └── snapshot_controller.go │ │ └── webhooks │ │ ├── controller_test.go │ │ ├── db_webhook.go │ │ └── db_webhook_test.go ├── ferry │ ├── ferry.go │ └── internal │ │ └── controllers │ │ ├── controller_test.go │ │ ├── customresourcediscovery_controller.go │ │ ├── customresourcediscovery_controller_test.go │ │ ├── servicecluster_controller.go │ │ ├── servicecluster_controller_test.go │ │ ├── serviceclusterassignment_controller.go │ │ └── serviceclusterassignment_controller_test.go ├── ide │ └── task.go ├── internal │ ├── constants │ │ └── kubecarrier.go │ ├── kustomize │ │ ├── doc.go │ │ └── kustomize.go │ ├── reconcile │ │ ├── admissionregistration.go │ │ ├── apiextensions.go │ │ ├── apps.go │ │ ├── certmanager.go │ │ ├── core.go │ │ ├── doc.go │ │ ├── rbac.go │ │ ├── reconcile_test.go │ │ └── unstructured.go │ ├── resources │ │ ├── apiserver │ │ │ ├── apiserver.go │ │ │ ├── apiserver.golden.yaml │ │ │ ├── apiserver_test.go │ │ │ ├── statik.go │ │ │ └── z_init.go │ │ ├── catapult │ │ │ ├── catapult.go │ │ │ ├── catapult.golden.yaml │ │ │ ├── catapult_test.go │ │ │ ├── statik.go │ │ │ └── z_init.go │ │ ├── constants │ │ │ └── labels.go │ │ ├── elevator │ │ │ ├── elevator.go │ │ │ ├── elevator.golden.yaml │ │ │ ├── elevator_test.go │ │ │ ├── statik.go │ │ │ └── z_init.go │ │ ├── fakeoperator │ │ │ ├── fakeoperator.go │ │ │ ├── fakeoperator.golden.yaml │ │ │ ├── fakeoperator_test.go │ │ │ ├── statik.go │ │ │ └── z_init.go │ │ ├── ferry │ │ │ ├── ferry.go │ │ │ ├── ferry.golden.yaml │ │ │ ├── ferry_test.go │ │ │ ├── statik.go │ │ │ └── z_init.go │ │ ├── manager │ │ │ ├── manager.go │ │ │ ├── manager.golden.yaml │ │ │ ├── manager_test.go │ │ │ ├── statik.go │ │ │ └── z_init.go │ │ └── operator │ │ │ ├── operator.go │ │ │ 
├── operator.golden.yaml │ │ │ ├── operator_test.go │ │ │ ├── statik.go │ │ │ └── z_init.go │ ├── util │ │ └── webhook │ │ │ ├── webhook.go │ │ │ └── webhook_test.go │ └── version │ │ ├── version.go │ │ └── version_test.go ├── manager │ ├── internal │ │ ├── controllers │ │ │ ├── account_controller.go │ │ │ ├── catalog_controller.go │ │ │ ├── catalog_controller_test.go │ │ │ ├── catalogentry_controller.go │ │ │ ├── catalogentry_controller_test.go │ │ │ ├── catalogentryset_controller.go │ │ │ ├── catalogentryset_controller_test.go │ │ │ ├── controller_test.go │ │ │ ├── customresourcediscovery_controller.go │ │ │ ├── customresourcediscovery_controller_test.go │ │ │ ├── customresourcediscoveryset_controller.go │ │ │ ├── customresourcediscoveryset_controller_test.go │ │ │ ├── derivedcustomresource_controller.go │ │ │ ├── derivedcustomresource_controller_test.go │ │ │ ├── servicecluster_controller.go │ │ │ ├── servicecluster_controller_test.go │ │ │ └── util.go │ │ └── webhooks │ │ │ ├── account_webhook.go │ │ │ ├── account_webhook_test.go │ │ │ ├── catalogentry_webhook.go │ │ │ ├── catalogentry_webhook_test.go │ │ │ ├── controller_test.go │ │ │ ├── customresourcediscovery_webhook.go │ │ │ ├── customresourcediscovery_webhook_test.go │ │ │ ├── derivedcustomresource_webhook.go │ │ │ ├── derivedcustomresource_webhook_test.go │ │ │ ├── offering_webhook.go │ │ │ ├── offering_webhook_test.go │ │ │ ├── provider_webhook.go │ │ │ ├── provider_webhook_test.go │ │ │ ├── servicecluster_webhook.go │ │ │ ├── servicecluster_webhook_test.go │ │ │ ├── serviceclusterassignment_webhook.go │ │ │ ├── serviceclusterassignment_webhook_test.go │ │ │ ├── serviceclusterreference_webhook.go │ │ │ ├── serviceclusterreference_webhook_test.go │ │ │ ├── tenant_webhook.go │ │ │ └── tenant_webhook_test.go │ └── manager.go ├── operator │ ├── internal │ │ ├── controllers │ │ │ ├── apiserver_controller.go │ │ │ ├── catapult_controller.go │ │ │ ├── elevator_controller.go │ │ │ ├── ferry_controller.go │ │ │ 
├── kubecarrier_controller.go │ │ │ └── util.go │ │ └── webhooks │ │ │ ├── apiserver_webhook.go │ │ │ ├── catapult_webhook.go │ │ │ ├── elevator_webhook.go │ │ │ ├── ferry_webhook.go │ │ │ ├── kubecarrier_webhook.go │ │ │ └── kubecarrier_webhook_test.go │ └── operator.go └── testutil │ ├── framework.go │ ├── helpers.go │ └── mockclient │ └── client.go └── test ├── installation ├── e2eoperator.go ├── installation.go └── kubecarrier.go ├── integration ├── account.go ├── apiserver.go ├── catalog.go ├── cli.go ├── derivedcr.go ├── fakedb.go ├── integration.go └── servicecluster.go ├── scenarios ├── scenarios.go └── simple.go ├── test.go ├── testdata ├── 00_prereq.yaml ├── dex_values.yaml ├── htpassword-secret.yaml ├── kubecarrier-config.yaml ├── statik.go └── z_init.go └── verify └── verify.go /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: "[Bug] " 5 | labels: kind/bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Kubernetes/Openshift Cluster** 27 | - Version 28 | 29 | **Desktop (please complete the following information):** 30 | - OS: [e.g. iOS] 31 | - Browser [e.g. chrome, safari] 32 | - Version [e.g. 22] 33 | 34 | **Additional context** 35 | Add any other context about the problem here. 
36 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: "[Feature] " 5 | labels: kind/feature 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | **What this PR does / why we need it**: 2 | 3 | **Which issue(s) this PR fixes** *(optional, in `fixes #(, fixes #, ...)` format, will close the issue(s) when PR gets merged)*: 4 | Fixes # 5 | 6 | **Special notes for your reviewer**: 7 | 8 | **Documentation**: 9 | 10 | 11 | **Does this PR introduce a user-facing change?**: 12 | 16 | ```release-note 17 | ``` 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | .vscode 3 | vendor 4 | bin 5 | dist/ 6 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | exclude: "vendor/ | *.deepcopy.go" 2 | repos: 3 | - repo: 
https://github.com/pre-commit/pre-commit-hooks 4 | rev: v2.4.0 5 | hooks: 6 | - id: check-added-large-files 7 | exclude: "config/swagger/.*" 8 | - id: check-case-conflict 9 | - id: check-json 10 | - id: check-merge-conflict 11 | - id: check-symlinks 12 | - id: detect-private-key 13 | - id: end-of-file-fixer 14 | - id: pretty-format-json 15 | args: 16 | - --autofix 17 | - id: trailing-whitespace 18 | - repo: git://github.com/dnephin/pre-commit-golang # NOTE(review): git:// is unauthenticated and unencrypted, so the fetched hook code can be altered in transit; use https://github.com/dnephin/pre-commit-golang 19 | rev: v0.3.5 20 | hooks: 21 | - id: go-fmt 22 | - repo: local 23 | hooks: 24 | - id: goimports 25 | name: goimports 26 | entry: goimports -local github.com/kubermatic -w 27 | language: system 28 | types: [go] 29 | - id: LICENSE 30 | name: LICENSE 31 | language: system 32 | entry: bash ./hack/verify-boilerplate.sh 33 | exclude: ".*" 34 | always_run: true 35 | - id: go-mod-tidy 36 | name: go-mod-tidy 37 | entry: make tidy 38 | language: system 39 | exclude: ".*" 40 | always_run: true 41 | -------------------------------------------------------------------------------- /DCO: -------------------------------------------------------------------------------- 1 | Developer Certificate of Origin 2 | Version 1.1 3 | 4 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 5 | 660 York Street, Suite 102, 6 | San Francisco, CA 94110 USA 7 | 8 | Everyone is permitted to copy and distribute verbatim copies of this 9 | license document, but changing it is not allowed. 
10 | 11 | 12 | Developer's Certificate of Origin 1.1 13 | 14 | By making a contribution to this project, I certify that: 15 | 16 | (a) The contribution was created in whole or in part by me and I 17 | have the right to submit it under the open source license 18 | indicated in the file; or 19 | 20 | (b) The contribution is based upon previous work that, to the best 21 | of my knowledge, is covered under an appropriate open source 22 | license and I have the right under that license to submit that 23 | work with modifications, whether created in whole or in part 24 | by me, under the same open source license (unless I am 25 | permitted to submit under a different license), as indicated 26 | in the file; or 27 | 28 | (c) The contribution was provided directly to me by some other 29 | person who certified (a), (b) or (c) and I have not modified 30 | it. 31 | 32 | (d) I understand and agree that this project and the contribution 33 | are public and that a record of the contribution (including all 34 | personal information I submit with it, including my sign-off) is 35 | maintained indefinitely and may be redistributed consistent with 36 | this project or the open source license(s) involved. 37 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | Kubermatic Project 2 | Copyright 2019 Loodse GmbH 3 | 4 | This product includes software developed at Loodse GmbH. 5 | (http://www.kubermatic.com/). 
6 | -------------------------------------------------------------------------------- /OWNERS: -------------------------------------------------------------------------------- 1 | # See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md 2 | 3 | approvers: 4 | - sig-app-management 5 | 6 | reviewers: 7 | - sig-app-management 8 | -------------------------------------------------------------------------------- /OWNERS_ALIASES: -------------------------------------------------------------------------------- 1 | # This file was automatically generated by prow-aliases-syncer. DO NOT EDIT. 2 | # To change team associations, update the GitHub teams via https://github.com/kubermatic/access. 3 | 4 | aliases: 5 | sig-app-management: 6 | - ahmedwaleedmalik 7 | - dermorz 8 | - hdurand0710 9 | - rastislavs 10 | - sankalp-r 11 | - simontheleg 12 | - vgramer 13 | - wurbanski 14 | - xrstf 15 | - zyanichaimaa 16 | -------------------------------------------------------------------------------- /Zenhub.md: -------------------------------------------------------------------------------- 1 | # ZenHub 2 | 3 | As an Open Source community, it is necessary for our work, communication, and collaboration to be done in the open. 4 | GitHub provides a central repository for code, pull requests, issues, and documentation. When applicable, we will use Google Docs for design reviews, proposals, and other working documents. 5 | 6 | While GitHub issues, milestones, and labels generally work pretty well, the Loodse team has found that product planning requires some additional tooling that GitHub projects do not offer. 7 | 8 | In our effort to minimize tooling while enabling product management insights, we have decided to use [ZenHub Open-Source](https://www.zenhub.com/blog/open-source/) to overlay product and project tracking on top of GitHub. 9 | ZenHub is a GitHub application that provides Kanban visualization, Epic tracking, fine-grained prioritization, and more. 
Its primary backing storage system is existing GitHub issues along with additional metadata stored in ZenHub's database. 10 | 11 | If you are a user or developer, you do not _need_ to use ZenHub for your regular workflow (e.g. to see open bug reports or feature requests, work on pull requests). However, if you'd like to be able to visualize the high-level project goals and roadmap, you will need to use the free version of ZenHub. 12 | 13 | ## Using ZenHub 14 | 15 | ZenHub can be integrated within the GitHub interface using their [Chrome or Firefox extensions](https://www.zenhub.com/extension). In addition, you can use their dedicated web application. 16 | -------------------------------------------------------------------------------- /cmd/apiserver/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "os" 21 | 22 | "k8c.io/kubecarrier/pkg/apiserver" 23 | ) 24 | 25 | func main() { 26 | if err := apiserver.NewAPIServer().Execute(); err != nil { 27 | os.Exit(1) 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /cmd/catapult/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "os" 21 | 22 | "k8c.io/kubecarrier/pkg/catapult" 23 | ) 24 | 25 | func main() { 26 | if err := catapult.NewCatapult().Execute(); err != nil { 27 | os.Exit(1) 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /cmd/elevator/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "os" 21 | 22 | "k8c.io/kubecarrier/pkg/elevator" 23 | ) 24 | 25 | func main() { 26 | if err := elevator.NewElevator().Execute(); err != nil { 27 | os.Exit(1) 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /cmd/fake-operator/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "fmt" 21 | "os" 22 | 23 | "k8c.io/kubecarrier/pkg/fakeoperator" 24 | ) 25 | 26 | func main() { 27 | if err := fakeoperator.NewFakeOperator().Execute(); err != nil { 28 | fmt.Println(err) 29 | os.Exit(1) 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /cmd/ferry/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "fmt" 21 | "os" 22 | 23 | ctrl "sigs.k8s.io/controller-runtime" 24 | 25 | "k8c.io/kubecarrier/pkg/ferry" 26 | ) 27 | 28 | func main() { 29 | if err := ferry.NewFerryCommand(ctrl.Log.WithName("ferry")).Execute(); err != nil { 30 | fmt.Println(err) 31 | os.Exit(1) 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /cmd/kubectl-kubecarrier/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "fmt" 21 | "os" 22 | 23 | "k8c.io/kubecarrier/pkg/cli" 24 | ) 25 | 26 | func main() { 27 | if err := cli.NewKubecarrierCLI().Execute(); err != nil { 28 | fmt.Println(err) 29 | os.Exit(1) 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /cmd/manager/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "os" 21 | 22 | "k8c.io/kubecarrier/pkg/manager" 23 | ) 24 | 25 | func main() { 26 | command := manager.NewManagerCommand() 27 | 28 | if err := command.Execute(); err != nil { 29 | os.Exit(1) 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /cmd/operator/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "os" 21 | 22 | "k8c.io/kubecarrier/pkg/operator" 23 | ) 24 | 25 | func main() { 26 | cmd := operator.NewOperatorCommand() 27 | 28 | if err := cmd.Execute(); err != nil { 29 | os.Exit(1) 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /config/addon/kubecarrier/kubecarrier.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2020 The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: kubecarrier-system 19 | --- 20 | apiVersion: operator.kubecarrier.io/v1alpha1 21 | kind: KubeCarrier 22 | metadata: 23 | name: kubecarrier 24 | spec: 25 | api: 26 | authentication: 27 | - serviceAccount: {} 28 | - anonymous: {} # NOTE(review): this adds an anonymous authentication entry for the KubeCarrier API; confirm unauthenticated access is intended for this addon 29 | -------------------------------------------------------------------------------- /config/addon/kubecarrier/service-cluster.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2020 The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | 15 | {{ if .Variables.SingleCluster }} 16 | 17 | apiVersion: catalog.kubecarrier.io/v1alpha1 18 | kind: Account 19 | metadata: 20 | name: kubecarrier-provider 21 | spec: 22 | metadata: 23 | displayName: Kubecarrier Provider 24 | shortDescription: The Kubecarrier provider account 25 | description: Auto-genarated Kubecarrier provider account for single-cluster mode 26 | roles: 27 | - Provider 28 | subjects: 29 | - kind: User 30 | name: kubecarrier-provider 31 | apiGroup: rbac.authorization.k8s.io 32 | --- 33 | apiVersion: kubecarrier.io/v1alpha1 34 | kind: ServiceCluster 35 | metadata: 36 | name: service-cluster 37 | namespace: kubecarrier-provider 38 | spec: 39 | metadata: 40 | displayName: Kubecarrier Service Cluster 41 | kubeconfigSecret: 42 | name: service-cluster-kubeconfig 43 | --- 44 | apiVersion: v1 45 | kind: Secret 46 | type: Opaque 47 | metadata: 48 | name: service-cluster-kubeconfig 49 | namespace: kubecarrier-provider 50 | data: 51 | kubeconfig: {{ b64enc .Cluster.Kubeconfig }} 52 | 53 | {{ end }} 54 | -------------------------------------------------------------------------------- /config/addon/kustomization.yaml: -------------------------------------------------------------------------------- 1 | bases: 2 | - ../operator/default 3 | 4 | images: 5 | - name: quay.io/kubecarrier/operator 6 | newTag: v0.3.0 7 | 8 | patchesStrategicMerge: 9 | - loglevel_patch.yaml 10 | -------------------------------------------------------------------------------- /config/addon/loglevel_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: kubecarrier-operator-manager 5 | namespace: kubecarrier-system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | env: 12 | - name: LOG_LEVEL 13 | value: "0" 14 | -------------------------------------------------------------------------------- /config/dockerfiles/apiserver.Dockerfile: 
-------------------------------------------------------------------------------- 1 | # Copyright 2019 The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Use distroless as minimal base image to package the apiserver binary 16 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 17 | FROM gcr.io/distroless/static:nonroot 18 | WORKDIR / 19 | COPY apiserver . 20 | USER nonroot:nonroot 21 | 22 | ENTRYPOINT ["/apiserver"] 23 | -------------------------------------------------------------------------------- /config/dockerfiles/catapult.Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2019 The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | 15 | # Use distroless as minimal base image to package the catapult binary 16 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 17 | FROM gcr.io/distroless/static:nonroot 18 | WORKDIR / 19 | COPY catapult . 20 | USER nonroot:nonroot 21 | 22 | ENTRYPOINT ["/catapult"] 23 | -------------------------------------------------------------------------------- /config/dockerfiles/elevator.Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2019 The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Use distroless as minimal base image to package the elevator binary 16 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 17 | FROM gcr.io/distroless/static:nonroot 18 | WORKDIR / 19 | COPY elevator . 20 | USER nonroot:nonroot 21 | 22 | ENTRYPOINT ["/elevator"] 23 | -------------------------------------------------------------------------------- /config/dockerfiles/fake-operator.Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2019 The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Use distroless as minimal base image to package the manager binary 16 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 17 | FROM gcr.io/distroless/static:nonroot 18 | WORKDIR / 19 | COPY fake-operator . 20 | USER nonroot:nonroot 21 | 22 | ENTRYPOINT ["/fake-operator"] 23 | -------------------------------------------------------------------------------- /config/dockerfiles/ferry.Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2019 The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Use distroless as minimal base image to package the manager binary 16 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 17 | FROM gcr.io/distroless/static:nonroot 18 | WORKDIR / 19 | COPY ferry . 
20 | USER nonroot:nonroot 21 | 22 | ENTRYPOINT ["/ferry"] 23 | -------------------------------------------------------------------------------- /config/dockerfiles/manager.Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2019 The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Use distroless as minimal base image to package the manager binary 16 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 17 | FROM gcr.io/distroless/static:nonroot 18 | WORKDIR / 19 | COPY manager . 20 | USER nonroot:nonroot 21 | 22 | ENTRYPOINT ["/manager"] 23 | -------------------------------------------------------------------------------- /config/dockerfiles/operator.Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2019 The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Use distroless as minimal base image to package the manager binary 16 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 17 | FROM gcr.io/distroless/static:nonroot 18 | WORKDIR / 19 | COPY operator . 20 | USER nonroot:nonroot 21 | 22 | ENTRYPOINT ["/operator"] 23 | -------------------------------------------------------------------------------- /config/internal/README.md: -------------------------------------------------------------------------------- 1 | # internal configuration 2 | 3 | This configuration is used within KubeCarrier's CLI and the KubeCarrier Operator to bootstrap and reconcile the KubeCarrier installation; it is not meant for direct use. 4 | -------------------------------------------------------------------------------- /config/internal/apiserver/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a self-signed issuer CR and a certificate CR.
2 | # More documentation can be found at https://docs.cert-manager.io 3 | # WARNING: Targets CertManager 0.11; check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes 4 | apiVersion: cert-manager.io/v1alpha2 5 | kind: Issuer 6 | metadata: 7 | name: kubecarrier-apiserver-selfsigned-issuer 8 | namespace: system 9 | spec: 10 | selfSigned: {} 11 | --- 12 | apiVersion: cert-manager.io/v1alpha2 13 | kind: Certificate 14 | metadata: 15 | name: kubecarrier-apiserver-serving-cert # this name should match the one that appears in kustomizeconfig.yaml 16 | namespace: system 17 | spec: 18 | # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize 19 | dnsNames: 20 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc 21 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local 22 | - localhost 23 | issuerRef: 24 | kind: Issuer 25 | name: kubecarrier-apiserver-selfsigned-issuer 26 | secretName: apiserver-tls-cert # this secret will not be prefixed, since it's not managed by kustomize 27 | isCA: true # NOTE(review): isCA marks this serving certificate as a CA, so the key in this secret can sign further certificates; confirm this is required 28 | -------------------------------------------------------------------------------- /config/internal/apiserver/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | configurations: 5 | - kustomizeconfig.yaml 6 | -------------------------------------------------------------------------------- /config/internal/apiserver/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration is for teaching kustomize how to update name ref and var substitution 2 | nameReference: 3 | - kind: Issuer 4 | group: cert-manager.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: cert-manager.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: cert-manager.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: cert-manager.io 16 |
path: spec/dnsNames 17 | -------------------------------------------------------------------------------- /config/internal/apiserver/default/manager_webhook_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | ports: 12 | - containerPort: 9443 13 | name: webhook-server 14 | protocol: TCP 15 | volumeMounts: 16 | - mountPath: /tmp/k8s-webhook-server/serving-certs 17 | name: cert 18 | readOnly: true 19 | volumes: 20 | - name: cert 21 | secret: 22 | defaultMode: 420 23 | secretName: webhook-server-cert 24 | -------------------------------------------------------------------------------- /config/internal/apiserver/default/webhookcainjection_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch add annotation to admission webhook config and 2 | # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. 
3 | apiVersion: admissionregistration.k8s.io/v1beta1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | name: mutating-webhook-configuration 7 | annotations: 8 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 9 | --- 10 | apiVersion: admissionregistration.k8s.io/v1beta1 11 | kind: ValidatingWebhookConfiguration 12 | metadata: 13 | name: validating-webhook-configuration 14 | annotations: 15 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 16 | -------------------------------------------------------------------------------- /config/internal/apiserver/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | - service.yaml 4 | -------------------------------------------------------------------------------- /config/internal/apiserver/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: manager 5 | namespace: system 6 | labels: 7 | control-plane: api-server 8 | spec: 9 | selector: 10 | matchLabels: 11 | control-plane: api-server 12 | replicas: 1 13 | template: 14 | metadata: 15 | labels: 16 | control-plane: api-server 17 | spec: 18 | serviceAccountName: sa 19 | containers: 20 | - image: quay.io/kubecarrier/apiserver:lastest 21 | name: manager 22 | resources: 23 | limits: 24 | cpu: 1000m 25 | memory: 200Mi 26 | requests: 27 | cpu: 100m 28 | memory: 100Mi 29 | readinessProbe: 30 | tcpSocket: 31 | port: https 32 | livenessProbe: 33 | tcpSocket: 34 | port: https 35 | ports: 36 | - name: https 37 | containerPort: 8443 38 | protocol: "TCP" 39 | terminationGracePeriodSeconds: 10 40 | -------------------------------------------------------------------------------- /config/internal/apiserver/manager/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
v1 2 | kind: Service 3 | metadata: 4 | name: manager 5 | namespace: system 6 | labels: 7 | control-plane: api-server 8 | spec: 9 | selector: 10 | control-plane: api-server 11 | ports: 12 | - protocol: TCP 13 | port: 443 14 | targetPort: https 15 | name: "https" 16 | -------------------------------------------------------------------------------- /config/internal/apiserver/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - monitor.yaml 3 | -------------------------------------------------------------------------------- /config/internal/apiserver/prometheus/monitor.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Prometheus Monitor Service (Metrics) 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | labels: 7 | control-plane: api-server 8 | name: api-server-metrics-monitor 9 | namespace: system 10 | spec: 11 | endpoints: 12 | - path: /metrics 13 | port: https 14 | selector: 15 | control-plane: api-server 16 | -------------------------------------------------------------------------------- /config/internal/apiserver/rbac/agg_role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | creationTimestamp: null 6 | name: agg-manager-role 7 | aggregationRule: 8 | clusterRoleSelectors: 9 | - matchLabels: 10 | "kubecarrier.io/apiserver": "true" 11 | rules: [] 12 | -------------------------------------------------------------------------------- /config/internal/apiserver/rbac/agg_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: agg-manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: 
agg-manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: sa 12 | -------------------------------------------------------------------------------- /config/internal/apiserver/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - role_binding.yaml 4 | - agg_role.yaml 5 | - agg_role_binding.yaml 6 | - leader_election_role.yaml 7 | - leader_election_role_binding.yaml 8 | -------------------------------------------------------------------------------- /config/internal/apiserver/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - events 31 | verbs: 32 | - create 33 | -------------------------------------------------------------------------------- /config/internal/apiserver/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: sa 12 | -------------------------------------------------------------------------------- /config/internal/apiserver/rbac/role.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: 
ClusterRole 5 | metadata: 6 | creationTimestamp: null 7 | name: manager-role 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - secrets 13 | verbs: 14 | - get 15 | - list 16 | - watch 17 | - apiGroups: 18 | - authentication.k8s.io 19 | resources: 20 | - tokenreviews 21 | verbs: 22 | - create 23 | - apiGroups: 24 | - authorization.k8s.io 25 | resources: 26 | - subjectaccessreviews 27 | verbs: 28 | - create 29 | - apiGroups: 30 | - catalog.kubecarrier.io 31 | resources: 32 | - accounts 33 | verbs: 34 | - get 35 | - list 36 | - watch 37 | - apiGroups: 38 | - catalog.kubecarrier.io 39 | resources: 40 | - offerings 41 | verbs: 42 | - get 43 | - list 44 | - watch 45 | - apiGroups: 46 | - catalog.kubecarrier.io 47 | resources: 48 | - providers 49 | verbs: 50 | - get 51 | - list 52 | - watch 53 | - apiGroups: 54 | - catalog.kubecarrier.io 55 | resources: 56 | - regions 57 | verbs: 58 | - get 59 | - list 60 | - watch 61 | -------------------------------------------------------------------------------- /config/internal/apiserver/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: sa 5 | --- 6 | apiVersion: rbac.authorization.k8s.io/v1 7 | kind: ClusterRoleBinding 8 | metadata: 9 | name: manager-rolebinding 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: manager-role 14 | subjects: 15 | - kind: ServiceAccount 16 | name: sa 17 | -------------------------------------------------------------------------------- /config/internal/apiserver/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /config/internal/apiserver/webhook/kustomizeconfig.yaml: 
-------------------------------------------------------------------------------- 1 | # the following config is for teaching kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /config/internal/apiserver/webhook/manifests.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubermatic/kubecarrier/51fad0d135894331c312b7628cb87c4c129b53e7/config/internal/apiserver/webhook/manifests.yaml -------------------------------------------------------------------------------- /config/internal/apiserver/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: webhook-service 6 | namespace: system 7 | spec: 8 | ports: 9 | - port: 443 10 | targetPort: 9443 11 | selector: 12 | control-plane: api-server 13 | -------------------------------------------------------------------------------- /config/internal/catapult/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a 
self-signed issuer CR and a certificate CR. 2 | # More documentation can be found at https://docs.cert-manager.io 3 | # WARNING: Targets CertManager 0.11; check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes 4 | apiVersion: cert-manager.io/v1alpha2 5 | kind: Issuer 6 | metadata: 7 | name: selfsigned-issuer 8 | namespace: system 9 | spec: 10 | selfSigned: {} 11 | --- 12 | apiVersion: cert-manager.io/v1alpha2 13 | kind: Certificate 14 | metadata: 15 | name: serving-cert # this name should match the one that appears in kustomizeconfig.yaml 16 | namespace: system 17 | spec: 18 | # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize 19 | dnsNames: 20 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc 21 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local 22 | issuerRef: 23 | kind: Issuer 24 | name: selfsigned-issuer 25 | secretName: $(SECRET_NAME)-webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize 26 | -------------------------------------------------------------------------------- /config/internal/catapult/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | configurations: 5 | - kustomizeconfig.yaml 6 | -------------------------------------------------------------------------------- /config/internal/catapult/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration is for teaching kustomize how to update name ref and var substitution 2 | nameReference: 3 | - kind: Issuer 4 | group: cert-manager.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: cert-manager.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: cert-manager.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: cert-manager.io 16 | path: spec/dnsNames 17 | - kind:
Certificate 18 | group: cert-manager.io 19 | path: spec/secretName 20 |
--------------------------------------------------------------------------------
/config/internal/catapult/default/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
# Tells kustomize to expand $(VAR) references inside Deployment secret volumes
# (the webhook patch below uses one in its secretName).
varReference:
- kind: Deployment
  group: apps
  path: spec/template/spec/volumes/secret

--------------------------------------------------------------------------------
/config/internal/catapult/default/manager_webhook_patch.yaml:
--------------------------------------------------------------------------------
# Patch for the manager Deployment: declares the webhook port and mounts the
# serving-certificate Secret read-only at the directory passed as --cert-dir.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: manager
  namespace: system
spec:
  template:
    spec:
      containers:
      - name: manager
        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        volumeMounts:
        # Same path as the CERT_DIR env value in manager/manager.yaml.
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
      volumes:
      - name: cert
        secret:
          # NOTE(review): 420 is decimal for octal 0644, so every file projected
          # from the Secret (presumably including the TLS private key) is readable
          # by any UID in the container. A tighter mode (0400/0440) is worth
          # considering if the container's UID/fsGroup allow it.
          defaultMode: 420
          secretName: $(SECRET_NAME)-webhook-service-cert

--------------------------------------------------------------------------------
/config/internal/catapult/default/webhookcainjection_patch.yaml:
--------------------------------------------------------------------------------
# This patch adds an annotation to the admission webhook config;
# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
# NOTE(review): admissionregistration.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# clusters at or above that version need admissionregistration.k8s.io/v1.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: mutating-webhook-configuration
  annotations:
    # Names the cert-manager Certificate whose CA should be injected as the webhook caBundle.
    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
# Enable for Validating Webhooks.
#---
#apiVersion: admissionregistration.k8s.io/v1beta1
#kind: ValidatingWebhookConfiguration
#metadata:
#  name: validating-webhook-configuration
#  annotations:
#    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

--------------------------------------------------------------------------------
/config/internal/catapult/manager/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
- manager.yaml

--------------------------------------------------------------------------------
/config/internal/catapult/manager/manager.yaml:
--------------------------------------------------------------------------------
# Deployment of the catapult manager: one replica, running under ServiceAccount "sa".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: manager
  namespace: system
  labels:
    control-plane: manager
spec:
  selector:
    matchLabels:
      control-plane: manager
  replicas: 1
  template:
    metadata:
      labels:
        control-plane: manager
    spec:
      # NOTE(review): no pod- or container-level securityContext is set in this
      # manifest (runAsNonRoot, allowPrivilegeEscalation: false, dropped
      # capabilities, readOnlyRootFilesystem). Confirm whether an overlay or the
      # operator adds one; otherwise the container runs with runtime defaults.
      serviceAccountName: sa
      containers:
      # NOTE(review): ":latest" is a mutable tag, and with no imagePullPolicy set
      # Kubernetes defaults to Always for it, so a restart can pull different
      # code. Pin a version or digest unless the tag is rewritten at build time.
      - image: quay.io/kubecarrier/catapult:latest
        name: manager
        args:
        - "--cert-dir=$(CERT_DIR)"
        # LOG_LEVEL is not defined in the env list below; presumably substituted elsewhere - verify.
        - "-v=$(LOG_LEVEL)"
        env:
        # Downward API: the namespace the pod runs in.
        - name: KUBERNETES_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # Must match the mountPath of the "cert" volume in default/manager_webhook_patch.yaml.
        - name: CERT_DIR
          value: "/tmp/k8s-webhook-server/serving-certs"
        resources:
          limits:
            cpu: 100m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - name: readiness-port
          containerPort: 9440
          protocol: TCP
        # Both probes use the same named port (9440).
        readinessProbe:
          httpGet:
            path: /readyz
            port: readiness-port
        livenessProbe:
          httpGet:
            path: /healthz
            port: readiness-port
      terminationGracePeriodSeconds: 10

--------------------------------------------------------------------------------
/config/internal/catapult/prometheus/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
- monitor.yaml

--------------------------------------------------------------------------------
/config/internal/catapult/prometheus/monitor.yaml:
--------------------------------------------------------------------------------
# Prometheus Monitor Service (Metrics)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    control-plane: manager
  name: manager-metrics-monitor
  namespace: system
spec:
  endpoints:
    # NOTE(review): the endpoint refers to a Service port named "https", but no
    # scheme or tlsConfig is set and no such Service port appears in this part
    # of the listing - verify how the metrics endpoint is exposed and protected.
    - path: /metrics
      port: https
  # NOTE(review): spec.selector is a label selector, so labels normally sit
  # under matchLabels. As written the label may be ignored, which would widen
  # the set of Services scraped - verify.
  selector:
    control-plane: manager

--------------------------------------------------------------------------------
/config/internal/catapult/rbac/bindings.yaml:
--------------------------------------------------------------------------------
# ServiceAccount used by the manager Deployment, plus its cluster-wide and
# namespaced bindings.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa
---
# Binds ClusterRole "manager" (rbac/cluster_role.yaml) to the ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager
subjects:
# NOTE(review): ServiceAccount subjects require a namespace; none is set here,
# so it is presumably filled in by kustomize or the operator - confirm it
# resolves to the intended namespace only.
- kind: ServiceAccount
  name: sa
---
# Binds the namespaced Role "manager" (rbac/role.yaml) to the same ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: manager
subjects:
- kind: ServiceAccount
  name: sa

--------------------------------------------------------------------------------
/config/internal/catapult/rbac/cluster_role.yaml:
--------------------------------------------------------------------------------
# generated by operator on run
# because we work with arbitrary types, we only know the needed permissions on runtime
# NOTE(review): the rules are empty here, so the cluster-wide permissions this
# component actually receives cannot be audited from this manifest; review
# whatever the operator generates at runtime.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: manager
rules: []
--------------------------------------------------------------------------------
/config/internal/catapult/rbac/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
- role.yaml
- cluster_role.yaml
- bindings.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml

--------------------------------------------------------------------------------
/config/internal/catapult/rbac/leader_election_role.yaml:
--------------------------------------------------------------------------------
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: leader-election-role
rules:
# NOTE(review): this grants read and write on every ConfigMap in the namespace,
# not only the leader-election lock. If the lock name is fixed, resourceNames
# could narrow get/update/patch/delete (create cannot be narrowed that way).
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps/status
  verbs:
  - get
  - update
  - patch
# Create-only on events.
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create

--------------------------------------------------------------------------------
/config/internal/catapult/rbac/leader_election_role_binding.yaml:
--------------------------------------------------------------------------------
# Binds leader-election-role to the manager's ServiceAccount "sa".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: leader-election-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-election-role
subjects:
- kind: ServiceAccount
  name: sa

--------------------------------------------------------------------------------
/config/internal/catapult/rbac/role.yaml:
--------------------------------------------------------------------------------
# Namespaced, read-only access to ServiceClusterAssignments and their status.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: manager
rules:
- apiGroups:
  - kubecarrier.io
  resources:
  - serviceclusterassignments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - kubecarrier.io
  resources:
  - serviceclusterassignments/status
  verbs:
  - get

--------------------------------------------------------------------------------
/config/internal/catapult/webhook/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
- manifests.yaml
- service.yaml

configurations:
- kustomizeconfig.yaml

--------------------------------------------------------------------------------
/config/internal/catapult/webhook/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
# The following config teaches kustomize where to look when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly.
# nameReference: keep the Service name inside webhook clientConfig in sync
# when kustomize renames the Service.
nameReference:
- kind: Service
  version: v1
  fieldSpecs:
  - kind: MutatingWebhookConfiguration
    group: admissionregistration.k8s.io
    path: webhooks/clientConfig/service/name
  - kind: ValidatingWebhookConfiguration
    group: admissionregistration.k8s.io
    path: webhooks/clientConfig/service/name

# namespace: also set the namespace on the webhook's Service reference.
namespace:
- kind: MutatingWebhookConfiguration
  group: admissionregistration.k8s.io
  path: webhooks/clientConfig/service/namespace
  create: true
- kind: ValidatingWebhookConfiguration
  group: admissionregistration.k8s.io
  path: webhooks/clientConfig/service/namespace
  create: true

# varReference: allow $(VAR) expansion in annotations (used by inject-ca-from).
varReference:
- path: metadata/annotations

--------------------------------------------------------------------------------
/config/internal/catapult/webhook/manifests.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kubermatic/kubecarrier/51fad0d135894331c312b7628cb87c4c129b53e7/config/internal/catapult/webhook/manifests.yaml
--------------------------------------------------------------------------------
/config/internal/catapult/webhook/service.yaml:
--------------------------------------------------------------------------------
# Service in front of the webhook server: 443 -> container port 9443 on pods
# labelled control-plane: manager.
apiVersion: v1
kind: Service
metadata:
  name: webhook-service
  namespace: system
spec:
  ports:
    - port: 443
      targetPort: 9443
  selector:
    control-plane: manager

--------------------------------------------------------------------------------
/config/internal/elevator/certmanager/certificate.yaml:
--------------------------------------------------------------------------------
# The following manifests contain a self-signed issuer CR and a certificate CR.
# More documentation can be found at https://docs.cert-manager.io
# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
# NOTE(review): cert-manager.io/v1alpha2 is a legacy API version; newer
# cert-manager releases serve only cert-manager.io/v1.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: system
spec:
  # Self-signed: trust in the serving certificate rests entirely on the CA
  # bundle injected into the webhook configuration.
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: serving-cert  # this name should match the one that appears in kustomizeconfig.yaml
  namespace: system
spec:
  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
  dnsNames:
  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  secretName: $(SECRET_NAME)-webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize

--------------------------------------------------------------------------------
/config/internal/elevator/certmanager/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
- certificate.yaml

configurations:
- kustomizeconfig.yaml

--------------------------------------------------------------------------------
/config/internal/elevator/certmanager/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
# This configuration teaches kustomize how to update name references and substitute vars.
nameReference:
- kind: Issuer
  group: cert-manager.io
  fieldSpecs:
  - kind: Certificate
    group: cert-manager.io
    path: spec/issuerRef/name

# Certificate fields in which $(VAR) references are expanded.
varReference:
- kind: Certificate
  group: cert-manager.io
  path: spec/commonName
- kind: Certificate
  group: cert-manager.io
  path: spec/dnsNames
- kind: Certificate
  group: cert-manager.io
  path: spec/secretName

--------------------------------------------------------------------------------
/config/internal/elevator/default/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
# Tells kustomize to expand $(VAR) references inside Deployment secret volumes
# (the webhook patch below uses one in its secretName).
varReference:
- kind: Deployment
  group: apps
  path: spec/template/spec/volumes/secret

--------------------------------------------------------------------------------
/config/internal/elevator/default/manager_webhook_patch.yaml:
--------------------------------------------------------------------------------
# Patch for the manager Deployment: declares the webhook port and mounts the
# serving-certificate Secret read-only at the directory passed as --cert-dir.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: manager
  namespace: system
spec:
  template:
    spec:
      containers:
      - name: manager
        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        volumeMounts:
        # Same path as the CERT_DIR env value in manager/manager.yaml.
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
      volumes:
      - name: cert
        secret:
          # NOTE(review): 420 is decimal for octal 0644, so every file projected
          # from the Secret (presumably including the TLS private key) is readable
          # by any UID in the container. A tighter mode (0400/0440) is worth
          # considering if the container's UID/fsGroup allow it.
          defaultMode: 420
          secretName: $(SECRET_NAME)-webhook-service-cert
--------------------------------------------------------------------------------
/config/internal/elevator/default/webhookcainjection_patch.yaml:
--------------------------------------------------------------------------------
# This patch adds an annotation to the admission webhook config;
# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
# NOTE(review): admissionregistration.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# clusters at or above that version need admissionregistration.k8s.io/v1.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: mutating-webhook-configuration
  annotations:
    # Names the cert-manager Certificate whose CA should be injected as the webhook caBundle.
    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
# Enable for Validating Webhooks.
#---
#apiVersion: admissionregistration.k8s.io/v1beta1
#kind: ValidatingWebhookConfiguration
#metadata:
#  name: validating-webhook-configuration
#  annotations:
#    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

--------------------------------------------------------------------------------
/config/internal/elevator/manager/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
- manager.yaml

--------------------------------------------------------------------------------
/config/internal/elevator/manager/manager.yaml:
--------------------------------------------------------------------------------
# Deployment of the elevator manager: one replica, running under ServiceAccount "sa".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: manager
  namespace: system
  labels:
    control-plane: manager
spec:
  selector:
    matchLabels:
      control-plane: manager
  replicas: 1
  template:
    metadata:
      labels:
        control-plane: manager
    spec:
      # NOTE(review): no pod- or container-level securityContext is set in this
      # manifest (runAsNonRoot, allowPrivilegeEscalation: false, dropped
      # capabilities, readOnlyRootFilesystem). Confirm whether an overlay or the
      # operator adds one; otherwise the container runs with runtime defaults.
      serviceAccountName: sa
      containers:
      # NOTE(review): ":latest" is a mutable tag, and with no imagePullPolicy set
      # Kubernetes defaults to Always for it, so a restart can pull different
      # code. Pin a version or digest unless the tag is rewritten at build time.
      - image: quay.io/kubecarrier/elevator:latest
        name: manager
        args:
        - "--cert-dir=$(CERT_DIR)"
        # LOG_LEVEL is not defined in the env list below; presumably substituted elsewhere - verify.
        - "-v=$(LOG_LEVEL)"
        env:
        # Downward API: the namespace the pod runs in.
        - name: KUBERNETES_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # Must match the mountPath of the "cert" volume in default/manager_webhook_patch.yaml.
        - name: CERT_DIR
          value: "/tmp/k8s-webhook-server/serving-certs"
        resources:
          limits:
            cpu: 100m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - name: readiness-port
          containerPort: 9440
          protocol: TCP
        # Both probes use the same named port (9440).
        readinessProbe:
          httpGet:
            path: /readyz
            port: readiness-port
        livenessProbe:
          httpGet:
            path: /healthz
            port: readiness-port
      terminationGracePeriodSeconds: 10

--------------------------------------------------------------------------------
/config/internal/elevator/prometheus/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
- monitor.yaml

--------------------------------------------------------------------------------
/config/internal/elevator/prometheus/monitor.yaml:
--------------------------------------------------------------------------------
# Prometheus Monitor Service (Metrics)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    control-plane: manager
  name: manager-metrics-monitor
  namespace: system
spec:
  endpoints:
    # NOTE(review): the endpoint refers to a Service port named "https", but no
    # scheme or tlsConfig is set and no such Service port appears in this part
    # of the listing - verify how the metrics endpoint is exposed and protected.
    - path: /metrics
      port: https
  # NOTE(review): spec.selector is a label selector, so labels normally sit
  # under matchLabels. As written the label may be ignored, which would widen
  # the set of Services scraped - verify.
  selector:
    control-plane: manager

--------------------------------------------------------------------------------
/config/internal/elevator/rbac/bindings.yaml:
--------------------------------------------------------------------------------
# ServiceAccount used by the manager Deployment, plus its cluster-wide and
# namespaced bindings.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa
---
# Binds ClusterRole "manager" (rbac/cluster_role.yaml) to the ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager
subjects:
# NOTE(review): ServiceAccount subjects require a namespace; none is set here,
# so it is presumably filled in by kustomize or the operator - confirm it
# resolves to the intended namespace only.
- kind: ServiceAccount
  name: sa
---
# Binds the namespaced Role "manager" (rbac/role.yaml) to the same ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: manager
subjects:
- kind: ServiceAccount
  name: sa

--------------------------------------------------------------------------------
/config/internal/elevator/rbac/cluster_role.yaml:
--------------------------------------------------------------------------------
# generated by operator on run
# because we work with arbitrary types, we only know the needed permissions on runtime
# NOTE(review): the rules are empty here, so the cluster-wide permissions this
# component actually receives cannot be audited from this manifest; review
# whatever the operator generates at runtime.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: manager
rules: []

--------------------------------------------------------------------------------
/config/internal/elevator/rbac/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
- role.yaml
- cluster_role.yaml
- bindings.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml

--------------------------------------------------------------------------------
/config/internal/elevator/rbac/leader_election_role.yaml:
--------------------------------------------------------------------------------
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: leader-election-role
rules:
# NOTE(review): this grants read and write on every ConfigMap in the namespace,
# not only the leader-election lock. If the lock name is fixed, resourceNames
# could narrow get/update/patch/delete (create cannot be narrowed that way).
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps/status
  verbs:
  - get
  - update
  - patch
# Create-only on events.
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create

--------------------------------------------------------------------------------
/config/internal/elevator/rbac/leader_election_role_binding.yaml:
--------------------------------------------------------------------------------
# Binds leader-election-role to the manager's ServiceAccount "sa".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: leader-election-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-election-role
subjects:
- kind: ServiceAccount
  name: sa

--------------------------------------------------------------------------------
/config/internal/elevator/rbac/role.yaml:
--------------------------------------------------------------------------------
# Namespaced, read-only access to DerivedCustomResources and their status.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: manager
rules:
- apiGroups:
  - catalog.kubecarrier.io
  resources:
  - derivedcustomresources
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - catalog.kubecarrier.io
  resources:
  - derivedcustomresources/status
  verbs:
  - get

--------------------------------------------------------------------------------
/config/internal/elevator/webhook/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
- manifests.yaml
- service.yaml

configurations:
- kustomizeconfig.yaml
--------------------------------------------------------------------------------
/config/internal/elevator/webhook/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
# The following config teaches kustomize where to look when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly.
# nameReference: keep the Service name inside webhook clientConfig in sync
# when kustomize renames the Service.
nameReference:
- kind: Service
  version: v1
  fieldSpecs:
  - kind: MutatingWebhookConfiguration
    group: admissionregistration.k8s.io
    path: webhooks/clientConfig/service/name
  - kind: ValidatingWebhookConfiguration
    group: admissionregistration.k8s.io
    path: webhooks/clientConfig/service/name

# namespace: also set the namespace on the webhook's Service reference.
namespace:
- kind: MutatingWebhookConfiguration
  group: admissionregistration.k8s.io
  path: webhooks/clientConfig/service/namespace
  create: true
- kind: ValidatingWebhookConfiguration
  group: admissionregistration.k8s.io
  path: webhooks/clientConfig/service/namespace
  create: true

# varReference: allow $(VAR) expansion in annotations (used by inject-ca-from).
varReference:
- path: metadata/annotations

--------------------------------------------------------------------------------
/config/internal/elevator/webhook/manifests.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kubermatic/kubecarrier/51fad0d135894331c312b7628cb87c4c129b53e7/config/internal/elevator/webhook/manifests.yaml
--------------------------------------------------------------------------------
/config/internal/elevator/webhook/service.yaml:
--------------------------------------------------------------------------------
# Service in front of the webhook server: 443 -> container port 9443 on pods
# labelled control-plane: manager.
apiVersion: v1
kind: Service
metadata:
  name: webhook-service
  namespace: system
spec:
  ports:
    - port: 443
      targetPort: 9443
  selector:
    control-plane: manager

--------------------------------------------------------------------------------
/config/internal/fake-operator/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a self-signed issuer CR and a certificate CR. 2 | # More document can be found at https://docs.cert-manager.io 3 | # WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes 4 | apiVersion: cert-manager.io/v1alpha2 5 | kind: Issuer 6 | metadata: 7 | name: selfsigned-issuer 8 | namespace: system 9 | spec: 10 | selfSigned: {} 11 | --- 12 | apiVersion: cert-manager.io/v1alpha2 13 | kind: Certificate 14 | metadata: 15 | name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml 16 | namespace: system 17 | spec: 18 | # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize 19 | dnsNames: 20 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc 21 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local 22 | issuerRef: 23 | kind: Issuer 24 | name: selfsigned-issuer 25 | secretName: $(SECRET_NAME)-webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize 26 | -------------------------------------------------------------------------------- /config/internal/fake-operator/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | configurations: 5 | - kustomizeconfig.yaml 6 | -------------------------------------------------------------------------------- /config/internal/fake-operator/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration is for teaching kustomize how to update name ref and var substitution 2 | nameReference: 3 | - kind: Issuer 4 | group: cert-manager.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: cert-manager.io 8 | path: spec/issuerRef/name 9 | 10 | 
varReference: 11 | - kind: Certificate 12 | group: cert-manager.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: cert-manager.io 16 | path: spec/dnsNames 17 | - kind: Certificate 18 | group: cert-manager.io 19 | path: spec/secretName 20 | -------------------------------------------------------------------------------- /config/internal/fake-operator/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # This kustomization.yaml is not intended to be run by itself, 2 | # since it depends on service name and namespace that are out of this kustomize package. 3 | # It should be run by config/default 4 | resources: 5 | - bases/fake.kubecarrier.io_dbs.yaml 6 | - bases/fake.kubecarrier.io_snapshots.yaml 7 | - bases/fake.kubecarrier.io_backups.yaml 8 | # +kubebuilder:scaffold:crdkustomizeresource 9 | 10 | patchesStrategicMerge: 11 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. 12 | # patches here are for enabling the conversion webhook for each CRD 13 | #- patches/webhook_in_kubecarriers.yaml 14 | # +kubebuilder:scaffold:crdkustomizewebhookpatch 15 | 16 | # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. 17 | # patches here are for enabling the CA injection for each CRD 18 | - patches/cainjection_in_dbs.yaml 19 | # +kubebuilder:scaffold:crdkustomizecainjectionpatch 20 | - patches/webhook_in_dbs.yaml 21 | 22 | # the following config is for teaching kustomize how to do kustomization for CRDs. 
23 | configurations: 24 | - kustomizeconfig.yaml 25 | -------------------------------------------------------------------------------- /config/internal/fake-operator/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | group: apiextensions.k8s.io 8 | path: spec/conversion/webhook/clientConfig/service/name 9 | 10 | namespace: 11 | - kind: CustomResourceDefinition 12 | group: apiextensions.k8s.io 13 | path: spec/conversion/webhook/clientConfig/service/namespace 14 | create: false 15 | 16 | varReference: 17 | - path: metadata/annotations 18 | -------------------------------------------------------------------------------- /config/internal/fake-operator/crd/patches/cainjection_in_dbs.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: dbs.fake.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/fake-operator/crd/patches/webhook_in_dbs.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: dbs.fake.kubecarrier.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhook: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | conversionReviewVersions: ["v1","v1beta1"] 15 | clientConfig: 16 | service: 17 | namespace: system 18 | name: webhook-service 19 | path: /convert 20 | -------------------------------------------------------------------------------- /config/internal/fake-operator/default/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | varReference: 2 | - kind: Deployment 3 | group: apps 4 | path: spec/template/spec/volumes/secret 5 | -------------------------------------------------------------------------------- /config/internal/fake-operator/default/manager_webhook_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | ports: 12 | - containerPort: 9443 13 | name: webhook-server 14 | protocol: TCP 15 | volumeMounts: 16 | - mountPath: /tmp/k8s-webhook-server/serving-certs 17 | name: cert 18 | readOnly: true 19 | volumes: 20 | - name: cert 21 | secret: 22 | defaultMode: 420 23 | secretName: $(SECRET_NAME)-webhook-service-cert 24 | -------------------------------------------------------------------------------- /config/internal/fake-operator/default/webhookcainjection_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch add annotation to admission webhook config and 2 | # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will 
be substituted by kustomize. 3 | # Enable this for MutatingWebhook 4 | apiVersion: admissionregistration.k8s.io/v1beta1 5 | kind: MutatingWebhookConfiguration 6 | metadata: 7 | name: mutating-webhook-configuration 8 | annotations: 9 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 10 | # --- 11 | # apiVersion: admissionregistration.k8s.io/v1beta1 12 | # kind: ValidatingWebhookConfiguration 13 | # metadata: 14 | # name: validating-webhook-configuration 15 | # annotations: 16 | # cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 17 | -------------------------------------------------------------------------------- /config/internal/fake-operator/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | -------------------------------------------------------------------------------- /config/internal/fake-operator/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: manager 5 | namespace: system 6 | labels: 7 | control-plane: e2e-operator 8 | spec: 9 | selector: 10 | matchLabels: 11 | control-plane: e2e-operator 12 | replicas: 1 13 | template: 14 | metadata: 15 | labels: 16 | control-plane: e2e-operator 17 | spec: 18 | serviceAccountName: sa 19 | containers: 20 | - image: quay.io/kubecarrier/fake-operator:latest 21 | name: manager 22 | env: 23 | - name: CERT_DIR 24 | value: "/tmp/k8s-webhook-server/serving-certs" 25 | args: 26 | - "--cert-dir=$(CERT_DIR)" 27 | resources: 28 | limits: 29 | cpu: 100m 30 | memory: 100Mi 31 | requests: 32 | cpu: 100m 33 | memory: 100Mi 34 | ports: 35 | - name: readiness-port 36 | containerPort: 9440 37 | protocol: TCP 38 | readinessProbe: 39 | httpGet: 40 | path: /readyz 41 | port: readiness-port 42 | livenessProbe: 43 | httpGet: 44 | path: /healthz 45 | port: readiness-port 46 | 
47 | terminationGracePeriodSeconds: 10 48 | -------------------------------------------------------------------------------- /config/internal/fake-operator/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - role_binding.yaml 4 | -------------------------------------------------------------------------------- /config/internal/fake-operator/rbac/role.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | creationTimestamp: null 7 | name: manager-role 8 | rules: 9 | - apiGroups: 10 | - fake.kubecarrier.io 11 | resources: 12 | - backups 13 | verbs: 14 | - create 15 | - delete 16 | - get 17 | - list 18 | - patch 19 | - update 20 | - watch 21 | - apiGroups: 22 | - fake.kubecarrier.io 23 | resources: 24 | - backups/status 25 | verbs: 26 | - get 27 | - patch 28 | - update 29 | - apiGroups: 30 | - fake.kubecarrier.io 31 | resources: 32 | - dbs 33 | verbs: 34 | - create 35 | - delete 36 | - get 37 | - list 38 | - patch 39 | - update 40 | - watch 41 | - apiGroups: 42 | - fake.kubecarrier.io 43 | resources: 44 | - dbs/status 45 | verbs: 46 | - get 47 | - patch 48 | - update 49 | - apiGroups: 50 | - fake.kubecarrier.io 51 | resources: 52 | - snapshots 53 | verbs: 54 | - create 55 | - delete 56 | - get 57 | - list 58 | - patch 59 | - update 60 | - watch 61 | - apiGroups: 62 | - fake.kubecarrier.io 63 | resources: 64 | - snapshots/status 65 | verbs: 66 | - get 67 | - patch 68 | - update 69 | -------------------------------------------------------------------------------- /config/internal/fake-operator/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: sa 5 | --- 6 | apiVersion: rbac.authorization.k8s.io/v1 7 | kind: ClusterRoleBinding 8 | 
metadata: 9 | name: manager-rolebinding 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: manager-role 14 | subjects: 15 | - kind: ServiceAccount 16 | name: sa 17 | -------------------------------------------------------------------------------- /config/internal/fake-operator/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /config/internal/fake-operator/webhook/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # the following config is for teaching kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /config/internal/fake-operator/webhook/manifests.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: admissionregistration.k8s.io/v1beta1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | creationTimestamp: null 7 | 
name: mutating-webhook-configuration 8 | webhooks: 9 | - clientConfig: 10 | caBundle: Cg== 11 | service: 12 | name: webhook-service 13 | namespace: system 14 | path: /mutate-fake-kubecarrier-io-v1-db 15 | failurePolicy: Fail 16 | matchPolicy: Equivalent 17 | name: mdb.kubecarrier.io 18 | rules: 19 | - apiGroups: 20 | - fake.kubecarrier.io 21 | apiVersions: 22 | - v1 23 | operations: 24 | - CREATE 25 | - UPDATE 26 | - DELETE 27 | resources: 28 | - dbs 29 | sideEffects: NoneOnDryRun 30 | -------------------------------------------------------------------------------- /config/internal/fake-operator/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: webhook-service 6 | namespace: system 7 | spec: 8 | ports: 9 | - port: 443 10 | targetPort: 9443 11 | selector: 12 | control-plane: e2e-operator 13 | -------------------------------------------------------------------------------- /config/internal/ferry/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a self-signed issuer CR and a certificate CR. 
2 | # More documentation can be found at https://docs.cert-manager.io 3 | # WARNING: Targets CertManager 0.11; check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes 4 | apiVersion: cert-manager.io/v1alpha2 5 | kind: Issuer 6 | metadata: 7 | name: selfsigned-issuer 8 | namespace: system 9 | spec: 10 | selfSigned: {} 11 | --- 12 | apiVersion: cert-manager.io/v1alpha2 13 | kind: Certificate 14 | metadata: 15 | name: serving-cert # this name should match the one that appears in kustomizeconfig.yaml 16 | namespace: system 17 | spec: 18 | # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize 19 | dnsNames: 20 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc 21 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local 22 | issuerRef: 23 | kind: Issuer 24 | name: selfsigned-issuer 25 | secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize 26 | -------------------------------------------------------------------------------- /config/internal/ferry/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | configurations: 5 | - kustomizeconfig.yaml 6 | -------------------------------------------------------------------------------- /config/internal/ferry/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration teaches kustomize how to update name references and substitute vars 2 | nameReference: 3 | - kind: Issuer 4 | group: cert-manager.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: cert-manager.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: cert-manager.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: cert-manager.io 16 | path: spec/dnsNames 17 | --------------------------------------------------------------------------------
/config/internal/ferry/default/manager_webhook_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | ports: 12 | - containerPort: 9443 13 | name: webhook-server 14 | protocol: TCP 15 | volumeMounts: 16 | - mountPath: /tmp/k8s-webhook-server/serving-certs 17 | name: cert 18 | readOnly: true 19 | volumes: 20 | - name: cert 21 | secret: 22 | defaultMode: 420 # NOTE(review): 420 decimal is 0644 octal, i.e. world-readable inside the container; this Secret presumably carries the webhook TLS private key, so consider a tighter mode if the manager's runtime user allows it 23 | secretName: webhook-server-cert 24 | -------------------------------------------------------------------------------- /config/internal/ferry/default/webhookcainjection_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch adds an annotation to the admission webhook configs; 2 | # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
3 | apiVersion: admissionregistration.k8s.io/v1beta1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | name: mutating-webhook-configuration 7 | annotations: 8 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 9 | --- 10 | apiVersion: admissionregistration.k8s.io/v1beta1 11 | kind: ValidatingWebhookConfiguration 12 | metadata: 13 | name: validating-webhook-configuration 14 | annotations: 15 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 16 | -------------------------------------------------------------------------------- /config/internal/ferry/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | -------------------------------------------------------------------------------- /config/internal/ferry/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: manager 5 | namespace: system 6 | labels: 7 | control-plane: manager 8 | spec: 9 | selector: 10 | matchLabels: 11 | control-plane: manager 12 | replicas: 1 13 | template: 14 | metadata: 15 | labels: 16 | control-plane: manager 17 | spec: 18 | serviceAccountName: sa 19 | containers: 20 | - image: quay.io/kubecarrier/ferry:latest # NOTE(review): `latest` is a mutable tag, so the image that actually runs can change without this manifest changing; pin a release tag or digest unless manifest generation already rewrites it 21 | args: 22 | - "--service-cluster-name=$(SERVICE_CLUSTER)" 23 | - "--service-cluster-kubeconfig=/kubeconfig/kubeconfig" 24 | - "--provider-namespace=$(KUBERNETES_NAMESPACE)" 25 | - "-v=$(LOG_LEVEL)" 26 | name: manager 27 | env: 28 | # Inserted during manifest generation in resource 29 | #- name: SERVICE_CLUSTER 30 | # value: "__SERVICE_CLUSTER_NAME__" 31 | - name: KUBERNETES_NAMESPACE 32 | valueFrom: 33 | fieldRef: 34 | fieldPath: metadata.namespace 35 | volumeMounts: 36 | - mountPath: /kubeconfig 37 | name: kubeconfig 38 | resources: 39 | limits: 40 | cpu: 100m 41 | memory: 30Mi 42 | requests: 43 | cpu: 100m 44 |
memory: 20Mi 45 | terminationGracePeriodSeconds: 10 46 | volumes: 47 | - name: kubeconfig 48 | secret: 49 | optional: false 50 | # Inserted during manifest generation in resource 51 | secretName: "__KUBECONFIG_SECRET_NAME__" 52 | items: 53 | - key: "kubeconfig" 54 | path: "kubeconfig" 55 | -------------------------------------------------------------------------------- /config/internal/ferry/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - monitor.yaml 3 | -------------------------------------------------------------------------------- /config/internal/ferry/prometheus/monitor.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Prometheus Monitor Service (Metrics) 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | labels: 7 | control-plane: manager 8 | name: manager-metrics-monitor 9 | namespace: system 10 | spec: 11 | endpoints: 12 | - path: /metrics 13 | port: https 14 | selector: 15 | control-plane: manager 16 | -------------------------------------------------------------------------------- /config/internal/ferry/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - role_binding.yaml 4 | - leader_election_role.yaml 5 | - leader_election_role_binding.yaml 6 | -------------------------------------------------------------------------------- /config/internal/ferry/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election.
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - events 31 | verbs: 32 | - create 33 | -------------------------------------------------------------------------------- /config/internal/ferry/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: sa 12 | -------------------------------------------------------------------------------- /config/internal/ferry/rbac/role.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: Role 5 | metadata: 6 | creationTimestamp: null 7 | name: manager 8 | rules: 9 | - apiGroups: 10 | - kubecarrier.io 11 | resources: 12 | - customresourcediscoveries 13 | verbs: 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - kubecarrier.io 21 | resources: 22 | - customresourcediscoveries/status 23 | verbs: 24 | - get 25 | - patch 26 | - update 27 | - apiGroups: 28 | - kubecarrier.io 29 | resources: 30 | - serviceclusterassignments 31 | verbs: 32 | - create 33 | - get 34 | - list 35 | - patch 36 | - update 37 | - watch 38 | - apiGroups: 39 | - kubecarrier.io 40 | resources: 41 | - serviceclusterassignments/status 42 | verbs: 43 | - get 44 | - patch 45 | - update 46 | - apiGroups: 47 | - 
kubecarrier.io 48 | resources: 49 | - serviceclusters 50 | verbs: 51 | - create 52 | - delete 53 | - get 54 | - list 55 | - patch 56 | - update 57 | - watch 58 | - apiGroups: 59 | - kubecarrier.io 60 | resources: 61 | - serviceclusters/status 62 | verbs: 63 | - get 64 | - patch 65 | - update 66 | -------------------------------------------------------------------------------- /config/internal/ferry/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: sa 5 | --- 6 | apiVersion: rbac.authorization.k8s.io/v1 7 | kind: RoleBinding 8 | metadata: 9 | name: manager 10 | namespace: system 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: Role 14 | name: manager 15 | subjects: 16 | - kind: ServiceAccount 17 | name: sa 18 | -------------------------------------------------------------------------------- /config/internal/ferry/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /config/internal/ferry/webhook/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # the following config is for teaching kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 
3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /config/internal/ferry/webhook/manifests.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubermatic/kubecarrier/51fad0d135894331c312b7628cb87c4c129b53e7/config/internal/ferry/webhook/manifests.yaml -------------------------------------------------------------------------------- /config/internal/ferry/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: webhook-service 6 | namespace: system 7 | spec: 8 | ports: 9 | - port: 443 10 | targetPort: 9443 11 | selector: 12 | control-plane: manager 13 | -------------------------------------------------------------------------------- /config/internal/manager/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a self-signed issuer CR and a certificate CR. 
2 | # More documentation can be found at https://docs.cert-manager.io 3 | # WARNING: Targets CertManager 0.11; check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes 4 | apiVersion: cert-manager.io/v1alpha2 5 | kind: Issuer 6 | metadata: 7 | name: selfsigned-issuer 8 | namespace: system 9 | spec: 10 | selfSigned: {} 11 | --- 12 | apiVersion: cert-manager.io/v1alpha2 13 | kind: Certificate 14 | metadata: 15 | name: serving-cert # this name should match the one that appears in kustomizeconfig.yaml 16 | namespace: system 17 | spec: 18 | # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize 19 | dnsNames: 20 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc 21 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local 22 | issuerRef: 23 | kind: Issuer 24 | name: selfsigned-issuer 25 | secretName: $(SECRET_NAME)-webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize 26 | -------------------------------------------------------------------------------- /config/internal/manager/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | configurations: 5 | - kustomizeconfig.yaml 6 | -------------------------------------------------------------------------------- /config/internal/manager/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration teaches kustomize how to update name references and substitute vars 2 | nameReference: 3 | - kind: Issuer 4 | group: cert-manager.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: cert-manager.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: cert-manager.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: cert-manager.io 16 | path: spec/dnsNames 17 | - kind: Certificate 18 | group: cert-manager.io 19 | path:
spec/secretName 20 | -------------------------------------------------------------------------------- /config/internal/manager/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | group: apiextensions.k8s.io 8 | path: spec/conversion/webhookClientConfig/service/name 9 | 10 | namespace: 11 | - kind: CustomResourceDefinition 12 | group: apiextensions.k8s.io 13 | path: spec/conversion/webhookClientConfig/service/namespace 14 | create: false 15 | 16 | varReference: 17 | - path: metadata/annotations 18 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_accounts.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: accounts.catalog.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_catalogentries.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: catalogentries.catalog.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_catalogs.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: catalogs.catalog.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_customresourcediscoveries.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: customresourcediscoveries.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_derivedcustomresources.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: derivedcustomresources.catalog.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_offerings.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: offerings.catalog.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_providers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: providers.catalog.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_regions.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: regions.catalog.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_serviceclusterassignments.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: serviceclusterassignments.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_serviceclusters.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: serviceclusters.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/cainjection_in_tenants.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: tenants.catalog.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/webhook_in_accounts.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: accounts.catalog.kubecarrier.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/webhook_in_catalogentries.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: catalogentries.catalog.kubecarrier.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/webhook_in_catalogs.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: catalogs.catalog.kubecarrier.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/webhook_in_offerings.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: offerings.catalog.kubecarrier.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/webhook_in_providers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: providers.catalog.kubecarrier.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/webhook_in_regions.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: regions.catalog.kubecarrier.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/internal/manager/crd/patches/webhook_in_tenants.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: tenants.catalog.kubecarrier.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/internal/manager/default/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | varReference: 2 | - kind: Deployment 3 | group: apps 4 | path: spec/template/spec/volumes/secret 5 | -------------------------------------------------------------------------------- /config/internal/manager/default/manager_webhook_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | 
metadata: 4 | name: controller-manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | ports: 12 | - containerPort: 9443 13 | name: webhook-server 14 | protocol: TCP 15 | volumeMounts: 16 | - mountPath: /tmp/k8s-webhook-server/serving-certs 17 | name: cert 18 | readOnly: true 19 | volumes: 20 | - name: cert 21 | secret: 22 | defaultMode: 420 # NOTE(review): 420 decimal is 0644 octal, i.e. world-readable inside the container; this Secret presumably carries the webhook TLS private key, so consider a tighter mode if the manager's runtime user allows it 23 | secretName: $(SECRET_NAME)-webhook-service-cert 24 | -------------------------------------------------------------------------------- /config/internal/manager/default/webhookcainjection_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch adds an annotation to the admission webhook config. 2 | # Uncomment the block below to enable it for the mutating webhook. 3 | # The variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. 4 | #apiVersion: admissionregistration.k8s.io/v1beta1 5 | #kind: MutatingWebhookConfiguration 6 | #metadata: 7 | # name: mutating-webhook-configuration 8 | # annotations: 9 | # cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 10 | --- 11 | apiVersion: admissionregistration.k8s.io/v1beta1 12 | kind: ValidatingWebhookConfiguration 13 | metadata: 14 | name: validating-webhook-configuration 15 | annotations: 16 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 17 | -------------------------------------------------------------------------------- /config/internal/manager/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | -------------------------------------------------------------------------------- /config/internal/manager/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | labels: 7 |
control-plane: controller-manager 8 | spec: 9 | selector: 10 | matchLabels: 11 | control-plane: controller-manager 12 | replicas: 1 13 | template: 14 | metadata: 15 | labels: 16 | control-plane: controller-manager 17 | spec: 18 | serviceAccountName: sa 19 | containers: 20 | - image: quay.io/kubecarrier/manager:latest # NOTE(review): `latest` is a mutable tag, so the image that actually runs can change without this manifest changing; pin a release tag or digest unless manifest generation already rewrites it 21 | name: manager 22 | args: 23 | - "--cert-dir=$(CERT_DIR)" 24 | - "-v=$(LOG_LEVEL)" 25 | env: 26 | - name: KUBECARRIER_NAMESPACE 27 | valueFrom: 28 | fieldRef: 29 | fieldPath: metadata.namespace 30 | - name: CERT_DIR 31 | value: "/tmp/k8s-webhook-server/serving-certs" 32 | resources: 33 | limits: 34 | cpu: "1" 35 | memory: 100Mi 36 | requests: 37 | cpu: "1" 38 | memory: 100Mi 39 | ports: 40 | - name: readiness-port 41 | containerPort: 9440 42 | protocol: TCP 43 | readinessProbe: 44 | httpGet: 45 | path: /readyz 46 | port: readiness-port 47 | livenessProbe: 48 | httpGet: 49 | path: /healthz 50 | port: readiness-port 51 | 52 | terminationGracePeriodSeconds: 10 53 | -------------------------------------------------------------------------------- /config/internal/manager/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - monitor.yaml 3 | -------------------------------------------------------------------------------- /config/internal/manager/prometheus/monitor.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Prometheus Monitor Service (Metrics) 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | labels: 7 | control-plane: controller-manager 8 | name: controller-manager-metrics-monitor 9 | namespace: system 10 | spec: 11 | endpoints: 12 | - path: /metrics 13 | port: https 14 | selector: 15 | control-plane: controller-manager 16 | -------------------------------------------------------------------------------- /config/internal/manager/rbac/agg_role.yaml:
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | creationTimestamp: null 6 | name: agg-manager-role 7 | aggregationRule: 8 | clusterRoleSelectors: 9 | - matchLabels: 10 | "kubecarrier.io/manager": "true" 11 | - matchLabels: 12 | "kubecarrier.io/role": "manager" 13 | rules: [] 14 | -------------------------------------------------------------------------------- /config/internal/manager/rbac/agg_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: sa 5 | --- 6 | apiVersion: rbac.authorization.k8s.io/v1 7 | kind: ClusterRoleBinding 8 | metadata: 9 | name: manager-rolebinding 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: agg-manager-role 14 | subjects: 15 | - kind: ServiceAccount 16 | name: sa 17 | -------------------------------------------------------------------------------- /config/internal/manager/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - agg_role.yaml 4 | - agg_role_binding.yaml 5 | - leader_election_role.yaml 6 | - leader_election_role_binding.yaml 7 | -------------------------------------------------------------------------------- /config/internal/manager/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - events 31 | verbs: 32 | - create 33 | -------------------------------------------------------------------------------- /config/internal/manager/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: sa 12 | -------------------------------------------------------------------------------- /config/internal/manager/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /config/internal/manager/webhook/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # the following config is for teaching kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 
3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /config/internal/manager/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: webhook-service 6 | namespace: system 7 | spec: 8 | ports: 9 | - port: 443 10 | targetPort: 9443 11 | selector: 12 | control-plane: controller-manager 13 | -------------------------------------------------------------------------------- /config/operator/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a self-signed issuer CR and a certificate CR. 
2 | # More document can be found at https://docs.cert-manager.io 3 | # WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes 4 | apiVersion: cert-manager.io/v1alpha2 5 | kind: Issuer 6 | metadata: 7 | name: selfsigned-issuer 8 | namespace: system 9 | spec: 10 | selfSigned: {} 11 | --- 12 | apiVersion: cert-manager.io/v1alpha2 13 | kind: Certificate 14 | metadata: 15 | name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml 16 | namespace: system 17 | spec: 18 | # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize 19 | dnsNames: 20 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc 21 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local 22 | issuerRef: 23 | kind: Issuer 24 | name: selfsigned-issuer 25 | secretName: $(SECRET_NAME)-webhook-service-cert # this secret will not be prefixed, since it's not managed by kustomize 26 | -------------------------------------------------------------------------------- /config/operator/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | configurations: 5 | - kustomizeconfig.yaml 6 | -------------------------------------------------------------------------------- /config/operator/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration is for teaching kustomize how to update name ref and var substitution 2 | nameReference: 3 | - kind: Issuer 4 | group: cert-manager.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: cert-manager.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: cert-manager.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: cert-manager.io 16 | path: spec/dnsNames 17 | - kind: Certificate 18 | group: cert-manager.io 19 | path: spec/secretName 20 
| -------------------------------------------------------------------------------- /config/operator/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # This kustomization.yaml is not intended to be run by itself, 2 | # since it depends on service name and namespace that are out of this kustomize package. 3 | # It should be run by config/default 4 | resources: 5 | - bases/operator.kubecarrier.io_apiservers.yaml 6 | - bases/operator.kubecarrier.io_catapults.yaml 7 | - bases/operator.kubecarrier.io_elevators.yaml 8 | - bases/operator.kubecarrier.io_ferries.yaml 9 | - bases/operator.kubecarrier.io_kubecarriers.yaml 10 | # +kubebuilder:scaffold:crdkustomizeresource 11 | 12 | patchesStrategicMerge: 13 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. 14 | # patches here are for enabling the conversion webhook for each CRD 15 | #- patches/webhook_in_kubecarriers.yaml 16 | # +kubebuilder:scaffold:crdkustomizewebhookpatch 17 | 18 | # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. 19 | # patches here are for enabling the CA injection for each CRD 20 | - patches/cainjection_in_kubecarriers.yaml 21 | # +kubebuilder:scaffold:crdkustomizecainjectionpatch 22 | 23 | # the following config is for teaching kustomize how to do kustomization for CRDs. 
24 | configurations: 25 | - kustomizeconfig.yaml 26 | -------------------------------------------------------------------------------- /config/operator/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | group: apiextensions.k8s.io 8 | path: spec/conversion/webhookClientConfig/service/name 9 | 10 | namespace: 11 | - kind: CustomResourceDefinition 12 | group: apiextensions.k8s.io 13 | path: spec/conversion/webhookClientConfig/service/namespace 14 | create: false 15 | 16 | varReference: 17 | - path: metadata/annotations 18 | -------------------------------------------------------------------------------- /config/operator/crd/patches/cainjection_in_kubecarriers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: kubecarriers.operator.kubecarrier.io 9 | -------------------------------------------------------------------------------- /config/operator/crd/patches/webhook_in_kubecarriers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: kubecarriers.operator.kubecarrier.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/operator/default/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | varReference: 2 | - kind: Deployment 3 | group: apps 4 | path: spec/template/spec/volumes/secret 5 | -------------------------------------------------------------------------------- /config/operator/default/manager_webhook_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | ports: 12 | - containerPort: 9443 13 | name: webhook-server 14 | protocol: TCP 15 | volumeMounts: 16 | - mountPath: /tmp/k8s-webhook-server/serving-certs 17 | name: cert 18 | readOnly: true 19 | volumes: 20 | - name: cert 21 | secret: 22 | defaultMode: 420 23 | secretName: $(SECRET_NAME)-webhook-service-cert 24 | -------------------------------------------------------------------------------- /config/operator/default/webhookcainjection_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch add annotation to admission webhook config and 2 | # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. 
3 | # Enable this for MutatingWebhook 4 | apiVersion: admissionregistration.k8s.io/v1beta1 5 | kind: MutatingWebhookConfiguration 6 | metadata: 7 | name: mutating-webhook-configuration 8 | annotations: 9 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 10 | # --- 11 | # apiVersion: admissionregistration.k8s.io/v1beta1 12 | # kind: ValidatingWebhookConfiguration 13 | # metadata: 14 | # name: validating-webhook-configuration 15 | # annotations: 16 | # cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 17 | -------------------------------------------------------------------------------- /config/operator/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | -------------------------------------------------------------------------------- /config/operator/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: manager 5 | namespace: system 6 | labels: 7 | control-plane: operator 8 | spec: 9 | selector: 10 | matchLabels: 11 | control-plane: operator 12 | replicas: 1 13 | template: 14 | metadata: 15 | labels: 16 | control-plane: operator 17 | spec: 18 | serviceAccountName: sa 19 | containers: 20 | - image: quay.io/kubecarrier/operator:lastest 21 | name: manager 22 | args: 23 | - "--cert-dir=$(CERT_DIR)" 24 | - "-v=$(LOG_LEVEL)" 25 | env: 26 | - name: CERT_DIR 27 | value: "/tmp/k8s-webhook-server/serving-certs" 28 | resources: 29 | limits: 30 | cpu: "1" 31 | memory: 100Mi 32 | requests: 33 | cpu: "1" 34 | memory: 100Mi 35 | ports: 36 | - name: readiness-port 37 | containerPort: 9440 38 | protocol: TCP 39 | readinessProbe: 40 | httpGet: 41 | path: /readyz 42 | port: readiness-port 43 | livenessProbe: 44 | httpGet: 45 | path: /healthz 46 | port: readiness-port 47 | terminationGracePeriodSeconds: 10 48 | 
-------------------------------------------------------------------------------- /config/operator/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - monitor.yaml 3 | -------------------------------------------------------------------------------- /config/operator/prometheus/monitor.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Prometheus Monitor Service (Metrics) 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | labels: 7 | control-plane: operator 8 | name: operator-metrics-monitor 9 | namespace: system 10 | spec: 11 | endpoints: 12 | - path: /metrics 13 | port: https 14 | selector: 15 | control-plane: operator 16 | -------------------------------------------------------------------------------- /config/operator/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - role_binding.yaml 4 | - leader_election_role.yaml 5 | - leader_election_role_binding.yaml 6 | -------------------------------------------------------------------------------- /config/operator/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - events 31 | verbs: 32 | - create 33 | -------------------------------------------------------------------------------- /config/operator/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: sa 12 | -------------------------------------------------------------------------------- /config/operator/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: sa 5 | --- 6 | apiVersion: rbac.authorization.k8s.io/v1 7 | kind: ClusterRoleBinding 8 | metadata: 9 | name: manager-rolebinding 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: manager-role 14 | subjects: 15 | - kind: ServiceAccount 16 | name: sa 17 | -------------------------------------------------------------------------------- /config/operator/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /config/operator/webhook/kustomizeconfig.yaml: 
-------------------------------------------------------------------------------- 1 | # the following config is for teaching kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /config/operator/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: webhook-service 6 | namespace: system 7 | spec: 8 | ports: 9 | - port: 443 10 | targetPort: 9443 11 | selector: 12 | control-plane: operator 13 | -------------------------------------------------------------------------------- /config/serviceCluster/e2e-role.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: kubecarrier:e2e-clusterrole 7 | rules: 8 | - apiGroups: 9 | - "test.kubecarrier.io" 10 | - "fake.kubecarrier.io" 11 | - "scenarios-simple.test.kubecarrier.io" 12 | resources: 13 | - '*' 14 | verbs: 15 | - '*' 16 | -------------------------------------------------------------------------------- 
/config/serviceCluster/e2e-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: kubecarrier:service-cluster-admin-e2e 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: kubecarrier:e2e-clusterrole 10 | subjects: 11 | - kind: ServiceAccount 12 | name: kubecarrier 13 | namespace: default 14 | -------------------------------------------------------------------------------- /config/serviceCluster/role.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | creationTimestamp: null 7 | name: kubecarrier:service-cluster-admin 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - namespaces 13 | verbs: 14 | - create 15 | - delete 16 | - get 17 | - list 18 | - patch 19 | - update 20 | - watch 21 | - apiGroups: 22 | - apiextensions.k8s.io 23 | resources: 24 | - customresourcedefinitions 25 | verbs: 26 | - get 27 | - list 28 | - update 29 | - watch 30 | -------------------------------------------------------------------------------- /config/swagger/favicon-16x16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubermatic/kubecarrier/51fad0d135894331c312b7628cb87c4c129b53e7/config/swagger/favicon-16x16.png -------------------------------------------------------------------------------- /config/swagger/favicon-32x32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubermatic/kubecarrier/51fad0d135894331c312b7628cb87c4c129b53e7/config/swagger/favicon-32x32.png -------------------------------------------------------------------------------- /config/swagger/index.html: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | Swagger UI 8 | 9 | 10 | 11 | 29 | 30 | 31 | 32 |
33 | 34 | 35 | 36 | 57 | 58 | 59 | 60 | -------------------------------------------------------------------------------- /docs/img/KubeCarrier-old.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubermatic/kubecarrier/51fad0d135894331c312b7628cb87c4c129b53e7/docs/img/KubeCarrier-old.png -------------------------------------------------------------------------------- /docs/img/KubeCarrier.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubermatic/kubecarrier/51fad0d135894331c312b7628cb87c4c129b53e7/docs/img/KubeCarrier.png -------------------------------------------------------------------------------- /docs/manifests/accounts.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: catalog.kubecarrier.io/v1alpha1 2 | kind: Account 3 | metadata: 4 | name: team-a 5 | spec: 6 | metadata: 7 | displayName: The A Team 8 | shortDescription: In 1972, a crack commando unit was sent to prison by a military court... 9 | roles: 10 | - Provider 11 | subjects: 12 | - kind: User 13 | name: hannibal 14 | apiGroup: rbac.authorization.k8s.io 15 | - kind: User 16 | name: team-a-member 17 | apiGroup: rbac.authorization.k8s.io 18 | --- 19 | apiVersion: catalog.kubecarrier.io/v1alpha1 20 | kind: Account 21 | metadata: 22 | name: team-b 23 | spec: 24 | metadata: 25 | displayName: The B Team 26 | shortDescription: In 1972, a crack commando unit was sent to prison by a military court... 
27 | roles: 28 | - Tenant 29 | subjects: 30 | - kind: User 31 | name: team-b-member 32 | apiGroup: rbac.authorization.k8s.io 33 | -------------------------------------------------------------------------------- /docs/manifests/catalog.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: catalog.kubecarrier.io/v1alpha1 2 | kind: Catalog 3 | metadata: 4 | name: default 5 | spec: 6 | tenantSelector: {} 7 | catalogEntrySelector: {} 8 | -------------------------------------------------------------------------------- /docs/manifests/couchdb.eu-west-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: eu-west-1.team-a/v1alpha1 2 | kind: CouchDB 3 | metadata: 4 | name: db1 5 | spec: 6 | username: hans 7 | password: hans2000 8 | -------------------------------------------------------------------------------- /docs/manifests/images/couchdb_icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubermatic/kubecarrier/51fad0d135894331c312b7628cb87c4c129b53e7/docs/manifests/images/couchdb_icon.png -------------------------------------------------------------------------------- /docs/manifests/images/couchdb_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubermatic/kubecarrier/51fad0d135894331c312b7628cb87c4c129b53e7/docs/manifests/images/couchdb_logo.png -------------------------------------------------------------------------------- /docs/manifests/servicecluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kubecarrier.io/v1alpha1 2 | kind: ServiceCluster 3 | metadata: 4 | name: eu-west-1 5 | spec: 6 | metadata: 7 | displayName: EU West 1 8 | kubeconfigSecret: 9 | name: eu-west-1-kubeconfig 10 | -------------------------------------------------------------------------------- 
/go.mod: -------------------------------------------------------------------------------- 1 | module k8c.io/kubecarrier 2 | 3 | go 1.14 4 | 5 | replace k8s.io/client-go => k8s.io/client-go v0.18.5 6 | 7 | require ( 8 | github.com/Masterminds/sprig v2.22.0+incompatible 9 | github.com/coreos/go-oidc v2.1.0+incompatible 10 | github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect 11 | github.com/gernest/wow v0.1.0 12 | github.com/ghodss/yaml v1.0.0 13 | github.com/go-logr/logr v0.1.0 14 | github.com/gobuffalo/flect v0.2.0 15 | github.com/golang/protobuf v1.3.5 16 | github.com/google/go-cmp v0.5.0 17 | github.com/gorilla/handlers v1.4.2 18 | github.com/grpc-ecosystem/go-grpc-middleware v1.2.0 19 | github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 20 | github.com/grpc-ecosystem/grpc-gateway v1.14.3 21 | github.com/improbable-eng/grpc-web v0.12.0 22 | github.com/jetstack/cert-manager v0.13.0 23 | github.com/rs/cors v1.7.0 // indirect 24 | github.com/spf13/cobra v1.0.0 25 | github.com/spf13/pflag v1.0.5 26 | github.com/stretchr/testify v1.4.0 27 | github.com/tg123/go-htpasswd v1.0.0 28 | github.com/thetechnick/statik v0.1.8 29 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e 30 | google.golang.org/genproto v0.0.0-20200424135956-bca184e23272 31 | google.golang.org/grpc v1.28.0 32 | k8c.io/utils v0.0.0-20200731080835-39ab8a8d6830 33 | k8s.io/api v0.18.5 34 | k8s.io/apiextensions-apiserver v0.18.5 35 | k8s.io/apimachinery v0.18.5 36 | k8s.io/apiserver v0.18.5 37 | k8s.io/cli-runtime v0.18.5 38 | k8s.io/client-go v11.0.0+incompatible 39 | k8s.io/component-base v0.18.5 40 | sigs.k8s.io/controller-runtime v0.6.0 41 | sigs.k8s.io/krew v0.3.4 42 | sigs.k8s.io/kustomize/v3 v3.3.1 43 | sigs.k8s.io/yaml v1.2.0 44 | ) 45 | -------------------------------------------------------------------------------- /hack/audit.yaml: -------------------------------------------------------------------------------- 1 | # 
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy 2 | apiVersion: audit.k8s.io/v1 3 | kind: Policy 4 | rules: 5 | # ignore pod log and pod status requests 6 | - level: None 7 | resources: 8 | - group: "" 9 | resources: 10 | - "pods/log" 11 | - "pods/status" 12 | - level: Request 13 | resources: 14 | - group: "rbac.authorization.k8s.io" 15 | - level: RequestResponse 16 | resources: 17 | - group: "authorization.k8s.io" 18 | resources: 19 | - "subjectaccessreviews" 20 | omitStages: 21 | - "RequestReceived" 22 | # ignore all requests to the kube-system namespace 23 | - level: None 24 | namespaces: 25 | - "kube-system" 26 | - level: Metadata 27 | # A bit of quality of life: only log completed requests with their response 28 | omitStages: 29 | - "RequestReceived" 30 | -------------------------------------------------------------------------------- /hack/boilerplate/boilerplate.Dockerfile.txt: -------------------------------------------------------------------------------- 1 | # Copyright YEAR The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /hack/boilerplate/boilerplate.Makefile.txt: -------------------------------------------------------------------------------- 1 | # Copyright YEAR The KubeCarrier Authors.
2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /hack/boilerplate/boilerplate.bzl.txt: -------------------------------------------------------------------------------- 1 | # Copyright YEAR The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /hack/boilerplate/boilerplate.generatego.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright YEAR The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | -------------------------------------------------------------------------------- /hack/boilerplate/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright YEAR The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | -------------------------------------------------------------------------------- /hack/boilerplate/boilerplate.proto.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright YEAR The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | -------------------------------------------------------------------------------- /hack/boilerplate/boilerplate.py.txt: -------------------------------------------------------------------------------- 1 | # Copyright YEAR The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /hack/boilerplate/boilerplate.sh.txt: -------------------------------------------------------------------------------- 1 | # Copyright YEAR The KubeCarrier Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
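14 | -------------------------------------------------------------------------------- /hack/impersonate/impersonate.go: --------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package main

import (
	"fmt"

	"github.com/spf13/pflag"
	"k8s.io/client-go/tools/clientcmd"
)

var (
	// kubeconfig is the path of the kubeconfig file that is read and then
	// overwritten in place.
	kubeconfig = pflag.String("kubeconfig", "", "kubeconfig location")
	// as is the user name stored in the Impersonate field of the current
	// context's user entry. An empty value is written as-is.
	as = pflag.String("as", "", "as which user should the impersonation work")
)

// main loads the kubeconfig named by --kubeconfig, sets Impersonate on the
// user entry referenced by the current context to the value of --as, and
// writes the result back to the same path.
//
// The change is persistent: the impersonation setting stays in the file until
// it is removed again, so this helper should only be pointed at throw-away
// kubeconfigs. Every failure ends in a panic, as in the rest of this helper.
func main() {
	pflag.Parse()
	loader := clientcmd.NewDefaultClientConfigLoadingRules()
	loader.ExplicitPath = *kubeconfig
	clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
		loader,
		&clientcmd.ConfigOverrides{},
	)
	cfg, err := clientConfig.RawConfig()
	if err != nil {
		panic(err)
	}

	// Both maps hold pointers, so a missing key yields nil. Check explicitly
	// to report which entry is missing instead of failing on a nil dereference.
	kubeconfigContext, ok := cfg.Contexts[cfg.CurrentContext]
	if !ok || kubeconfigContext == nil {
		panic(fmt.Errorf("current context %q not found in kubeconfig", cfg.CurrentContext))
	}
	authInfo, ok := cfg.AuthInfos[kubeconfigContext.AuthInfo]
	if !ok || authInfo == nil {
		panic(fmt.Errorf("user %q of context %q not found in kubeconfig",
			kubeconfigContext.AuthInfo, cfg.CurrentContext))
	}

	authInfo.Impersonate = *as
	if err := clientcmd.WriteToFile(cfg, *kubeconfig); err != nil {
		panic(fmt.Errorf("marshall raw cfg: %w", err))
	}
}
-------------------------------------------------------------------------------- /hack/install-deps.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright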
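2019 The KubeCarrier Authors. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 |

# Installs the protobuf toolchain used by the build: protoc itself (only when
# it is not already on PATH) and the Go protoc plugins.

set -euo pipefail

# Quoted so that a checkout path containing spaces does not split into words.
DIR="$(dirname "$(readlink -f "$0")")"
# lib.sh provides PROTOC_VERSION, PROTOC_GATEWAY_VERSION and PROTOC_GEN_GO_VERSION.
source "${DIR}/lib.sh"

command -v protoc >/dev/null || (
  # Use a private temp file rather than the fixed /tmp/protoc.zip: a
  # predictable name in a world-writable directory can be pre-created or
  # symlinked by another local user before the archive is unpacked into /usr.
  archive="$(mktemp)"
  trap 'rm -f "${archive}"' EXIT

  # -f makes curl fail on an HTTP error instead of saving the error page.
  curl -fsSL --output "${archive}" \
    "https://github.com/google/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-x86_64.zip"

  # The archive is unpacked into /usr, so its integrity matters. PROTOC_SHA256
  # is an optional variable introduced here (not defined by lib.sh); when it is
  # set, the download must match it. Pinning the digest next to PROTOC_VERSION
  # would make this check unconditional.
  if [[ -n "${PROTOC_SHA256:-}" ]]; then
    echo "${PROTOC_SHA256}  ${archive}" | sha256sum -c -
  fi

  unzip "${archive}" -d /usr
)

# NOTE(review): -u also moves the dependencies of the named packages to newer
# minor/patch releases, so the built plugins are not fully determined by the
# pinned tags below.
go get -u "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway@v${PROTOC_GATEWAY_VERSION}"
go get -u "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger@v${PROTOC_GATEWAY_VERSION}"
go get -u "github.com/golang/protobuf/protoc-gen-go@v${PROTOC_GEN_GO_VERSION}"
-------------------------------------------------------------------------------- /hack/kind-config.yaml: -------------------------------------------------------------------------------- 1 | kind: Cluster 2 | apiVersion: kind.x-k8s.io/v1alpha4 3 | nodes: 4 | - role: control-plane 5 | kubeadmConfigPatches: 6 | - | 7 | kind: ClusterConfiguration 8 | apiServer: 9 | extraArgs: 10 | audit-log-path: "/var/log/kube-apiserver-audit.log" 11 | audit-policy-file: /var/run/hack/audit.yaml 12 | extraVolumes: 13 | - name: "hack" 14 | hostPath: "/var/run/hack" 15 | mountPath: "/var/run/hack" 16 | readOnly: true 17 | pathType: Directory 18 | - name: "log" 19 | hostPath: "/var/log" 20 | mountPath: "/var/log" 21 | readOnly: false 22 |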
pathType: Directory 23 | extraMounts: 24 | - containerPath: /var/run/hack 25 | hostPath: /tmp/kubecarrier-hack 26 | readOnly: true 27 | -------------------------------------------------------------------------------- /hack/lib.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright 2019 The KubeCarrier Authors. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -euo pipefail 18 | 19 | PROTOC_VERSION="3.11.4" 20 | PROTOC_GATEWAY_VERSION="1.14.3" 21 | PROTOC_GEN_GO_VERSION="1.3.5" 22 | -------------------------------------------------------------------------------- /hack/tf/.gitignore: -------------------------------------------------------------------------------- 1 | .terraform/ 2 | terraform.tfstate* 3 | -------------------------------------------------------------------------------- /hack/tf/e2e_logs.tf: -------------------------------------------------------------------------------- 1 | variable "bucket_name" { 2 | description = "bucket_name" 3 | type = string 4 | } 5 | 6 | resource "aws_s3_bucket" "logs" { 7 | bucket = var.bucket_name 8 | acl = "private" 9 | 10 | lifecycle_rule { 11 | id = "log" 12 | enabled = true 13 | expiration { 14 | days = 30 15 | } 16 | } 17 | } 18 | 19 | resource "aws_iam_user" "writer" { 20 | name = "${var.bucket_name}_writer" 21 | } 22 | 23 | resource "aws_iam_user_policy" "policy" { 24 | name = 
"${var.bucket_name}.fill" 25 | user = aws_iam_user.writer.name 26 | 27 | policy = < labels = 7; 31 | map annotations = 8; 32 | int64 generation = 9; 33 | } 34 | 35 | message ListMeta { 36 | string continue = 1; 37 | string resourceVersion = 2; 38 | } 39 | -------------------------------------------------------------------------------- /pkg/apiserver/api/v1/request.proto: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | syntax = "proto3"; 18 | package kubecarrier.api.v1; 19 | option go_package = "v1"; 20 | 21 | message GetRequest { 22 | string name = 1; 23 | string account = 2; 24 | } 25 | 26 | message ListRequest { 27 | string account = 1; 28 | string labelSelector = 2; 29 | int64 limit = 3; 30 | string continue = 4; 31 | } 32 | 33 | message WatchRequest { 34 | string account = 1; 35 | string labelSelector = 2; 36 | string resourceVersion = 3; 37 | } 38 | -------------------------------------------------------------------------------- /pkg/apiserver/api/v1/types.proto: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | syntax = "proto3"; 18 | package kubecarrier.api.v1; 19 | option go_package = "v1"; 20 | 21 | message ObjectReference { string name = 1; } 22 | 23 | message CRDInformation { 24 | string name = 1; 25 | string apiGroup = 2; 26 | string kind = 3; 27 | string plural = 4; 28 | repeated CRDVersion versions = 5; 29 | ObjectReference region = 6; 30 | } 31 | 32 | message CRDVersion { 33 | // name is the version name, e.g. “v1”, “v2beta1”, etc. 34 | string name = 1; 35 | // schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource. 36 | string schema = 2; 37 | // storage indicates this version should be used when persisting custom resources to storage. 38 | // There must be exactly one version with storage=true. 39 | bool storage = 3; 40 | } 41 | 42 | message Image { 43 | string mediaType = 1; 44 | bytes data = 2; 45 | } 46 | 47 | message ConditionStatus { 48 | string status = 1; 49 | } 50 | -------------------------------------------------------------------------------- /pkg/apiserver/authorizer/authorizer.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 |

package authorizer

import (
	authv1 "k8s.io/api/authorization/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"
)

// RequestOperation is the verb of a request that is checked for authorization.
type RequestOperation string

// Verbs that AuthorizationOption.Apply writes into a SubjectAccessReview.
const (
	RequestGet    RequestOperation = "get"
	RequestList   RequestOperation = "list"
	RequestWatch  RequestOperation = "watch"
	RequestCreate RequestOperation = "create"
	RequestDelete RequestOperation = "delete"
)

// AuthorizationOption carries the per-request part of an access check: the
// object name, its namespace and the verb.
type AuthorizationOption struct {
	Name      string
	Namespace string
	Verb      RequestOperation
}

// Apply copies Name, Namespace and Verb into the resource attributes of review.
//
// Apply does not allocate: review.Spec.ResourceAttributes is a pointer and
// must already be set by the caller, otherwise the assignment dereferences nil
// and panics. No other attribute of the review is touched here, so group,
// version and resource have to be filled in elsewhere.
func (a AuthorizationOption) Apply(review *authv1.SubjectAccessReview) {
	attrs := review.Spec.ResourceAttributes
	attrs.Name, attrs.Namespace, attrs.Verb = a.Name, a.Namespace, string(a.Verb)
}

// AuthRequest is implemented by requests that can describe their own access
// check.
type AuthRequest interface {
	// GetAuthOption returns the name, namespace and verb to authorize.
	GetAuthOption() AuthorizationOption
	// GetGVR returns the resource the request targets.
	// NOTE(review): the meaning of server is not visible in this file; confirm
	// against the implementations.
	GetGVR(server interface{}) schema.GroupVersionResource
}
-------------------------------------------------------------------------------- /pkg/apiserver/internal/auth/anonymous/anonymous.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License.
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 |

package anonymous

import (
	"context"

	"github.com/spf13/pflag"
	"k8s.io/apiserver/pkg/authentication/user"

	"k8c.io/kubecarrier/pkg/apiserver/auth"
)

// Auth is an auth.Provider that checks no credentials: Authenticate returns
// the same anonymous identity for every call.
//
// NOTE(review): what a caller may do under this identity is decided by the
// permissions granted to "system:anonymous" / "system:unauthenticated", which
// are not visible in this file. Confirm that this provider is only enabled
// where unauthenticated access is intended.
type Auth struct{}

// Compile-time check that Auth satisfies auth.Provider.
var _ auth.Provider = (*Auth)(nil)

// init registers the provider under auth.ProviderAnynymous (identifier spelled
// as the auth package declares it).
func init() {
	auth.RegisterAuthProvider(auth.ProviderAnynymous, &Auth{})
}

// AddFlags registers nothing; the provider has no options.
func (Auth) AddFlags(fs *pflag.FlagSet) {}

// Init does nothing and always succeeds.
func (Auth) Init() error { return nil }

// Authenticate ignores ctx and returns the user "system:anonymous" in the
// group "system:unauthenticated". It never returns an error.
func (Auth) Authenticate(ctx context.Context) (user.Info, error) {
	anon := &user.DefaultInfo{
		Name:   "system:anonymous",
		Groups: []string{"system:unauthenticated"},
	}
	return anon, nil
}
-------------------------------------------------------------------------------- /pkg/apiserver/internal/util/util.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2020 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License.
15 | */ 16 | 17 | package util 18 | 19 | import ( 20 | "github.com/golang/protobuf/ptypes" 21 | "github.com/golang/protobuf/ptypes/timestamp" 22 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 23 | ) 24 | 25 | func TimestampProto(t *metav1.Time) (*timestamp.Timestamp, error) { 26 | if t.IsZero() { 27 | return nil, nil 28 | } 29 | return ptypes.TimestampProto(t.Time) 30 | } 31 | -------------------------------------------------------------------------------- /pkg/apiserver/internal/v1/apiserver_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1 18 | 19 | import ( 20 | "k8s.io/apimachinery/pkg/runtime" 21 | utilruntime "k8s.io/apimachinery/pkg/util/runtime" 22 | clientgoscheme "k8s.io/client-go/kubernetes/scheme" 23 | 24 | catalogv1alpha1 "k8c.io/kubecarrier/pkg/apis/catalog/v1alpha1" 25 | ) 26 | 27 | var testScheme = runtime.NewScheme() 28 | 29 | func init() { 30 | // setup scheme for all tests 31 | utilruntime.Must(clientgoscheme.AddToScheme(testScheme)) 32 | utilruntime.Must(catalogv1alpha1.AddToScheme(testScheme)) 33 | } 34 | -------------------------------------------------------------------------------- /pkg/apiserver/internal/v1/z_init.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1 18 | 19 | import ( 20 | "net/http" 21 | 22 | statikfs "github.com/thetechnick/statik/fs" 23 | ) 24 | 25 | // vfs is a virtual file system to access the operator config. 26 | var vfs http.FileSystem 27 | 28 | // don't rename this file! 29 | // this init() function must be called after statik.go 30 | func init() { 31 | var err error 32 | vfs, err = statikfs.New() 33 | if err != nil { 34 | panic(err) 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /pkg/catapult/internal/controllers/controller_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package controllers 18 | 19 | import ( 20 | corev1 "k8s.io/api/core/v1" 21 | "k8s.io/apimachinery/pkg/runtime" 22 | "k8s.io/apimachinery/pkg/runtime/schema" 23 | 24 | corev1alpha1 "k8c.io/kubecarrier/pkg/apis/core/v1alpha1" 25 | ) 26 | 27 | var ( 28 | testScheme = runtime.NewScheme() 29 | 30 | managementClusterGVK = schema.GroupVersionKind{ 31 | Kind: "CouchDBInternal", 32 | Version: "v1alpha1", 33 | Group: "eu-west-1.provider", 34 | } 35 | 36 | serviceClusterGVK = schema.GroupVersionKind{ 37 | Kind: "CouchDB", 38 | Version: "v1alpha1", 39 | Group: "couchdb.io", 40 | } 41 | 42 | providerNamespace = "extreme-cloud" 43 | ) 44 | 45 | func init() { 46 | // setup scheme for all tests 47 | if err := corev1.AddToScheme(testScheme); err != nil { 48 | panic(err) 49 | } 50 | if err := corev1alpha1.AddToScheme(testScheme); err != nil { 51 | panic(err) 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /pkg/cli/cli.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package cli 18 | 19 | import ( 20 | // https://krew.sigs.k8s.io/docs/developer-guide/develop/best-practices/ 21 | _ "k8s.io/client-go/plugin/pkg/client/auth" 22 | 23 | "k8c.io/kubecarrier/pkg/cli/internal/cmd" 24 | ) 25 | 26 | // NewKubecarrierCLI returns the KubeCarrier CLI root command with all subcommands initialized. 27 | var NewKubecarrierCLI = cmd.NewKubecarrierCLI 28 | -------------------------------------------------------------------------------- /pkg/cli/internal/cmd/preflight/checkers/checkers_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package checkers 18 | 19 | import ( 20 | apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" 21 | "k8s.io/apimachinery/pkg/runtime" 22 | utilruntime "k8s.io/apimachinery/pkg/util/runtime" 23 | ) 24 | 25 | var ( 26 | testScheme = runtime.NewScheme() 27 | ) 28 | 29 | func init() { 30 | utilruntime.Must(apiextensionsv1.AddToScheme(testScheme)) 31 | } 32 | -------------------------------------------------------------------------------- /pkg/cli/internal/cmd/preflight/preflight.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package preflight 18 | 19 | import ( 20 | "time" 21 | 22 | "github.com/gernest/wow" 23 | "github.com/gernest/wow/spin" 24 | "github.com/go-logr/logr" 25 | "github.com/spf13/cobra" 26 | "k8s.io/cli-runtime/pkg/genericclioptions" 27 | 28 | "k8c.io/kubecarrier/pkg/cli/internal/cmd/preflight/checkers" 29 | ) 30 | 31 | // NewPreflightCommand returns the preflight checking subcommand for KubeCarrier CLI. 32 | func NewPreflightCommand(log logr.Logger) *cobra.Command { 33 | flags := genericclioptions.NewConfigFlags(false) 34 | cmd := &cobra.Command{ 35 | Args: cobra.NoArgs, 36 | Use: "preflight", 37 | Short: "preflight checks for KubeCarrier", 38 | Long: "preflight checks for KubeCarrier", 39 | RunE: func(cmd *cobra.Command, args []string) (err error) { 40 | cfg, err := flags.ToRESTConfig() 41 | if err != nil { 42 | return err 43 | } 44 | s := wow.New(cmd.OutOrStdout(), spin.Get(spin.Dots), "") 45 | startTime := time.Now() 46 | return checkers.RunChecks(cfg, s, startTime, log) 47 | }, 48 | } 49 | return cmd 50 | } 51 | -------------------------------------------------------------------------------- /pkg/fakeoperator/internal/webhooks/controller_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package webhooks 18 | 19 | import ( 20 | corev1 "k8s.io/api/core/v1" 21 | apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" 22 | "k8s.io/apimachinery/pkg/runtime" 23 | 24 | catalogv1alpha1 "k8c.io/kubecarrier/pkg/apis/catalog/v1alpha1" 25 | corev1alpha1 "k8c.io/kubecarrier/pkg/apis/core/v1alpha1" 26 | fakev1alpha1 "k8c.io/kubecarrier/pkg/apis/fake/v1alpha1" 27 | ) 28 | 29 | var testScheme = runtime.NewScheme() 30 | 31 | func init() { 32 | // setup scheme for all tests 33 | if err := corev1.AddToScheme(testScheme); err != nil { 34 | panic(err) 35 | } 36 | if err := catalogv1alpha1.AddToScheme(testScheme); err != nil { 37 | panic(err) 38 | } 39 | if err := fakev1alpha1.AddToScheme(testScheme); err != nil { 40 | panic(err) 41 | } 42 | if err := apiextensionsv1.AddToScheme(testScheme); err != nil { 43 | panic(err) 44 | } 45 | if err := corev1alpha1.AddToScheme(testScheme); err != nil { 46 | panic(err) 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /pkg/ferry/internal/controllers/controller_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package controllers 18 | 19 | import ( 20 | apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" 21 | "k8s.io/apimachinery/pkg/runtime" 22 | "k8s.io/client-go/kubernetes/scheme" 23 | 24 | corev1alpha1 "k8c.io/kubecarrier/pkg/apis/core/v1alpha1" 25 | ) 26 | 27 | var testScheme = runtime.NewScheme() 28 | 29 | func init() { 30 | if err := scheme.AddToScheme(testScheme); err != nil { 31 | panic(err) 32 | } 33 | if err := corev1alpha1.AddToScheme(testScheme); err != nil { 34 | panic(err) 35 | } 36 | if err := apiextensionsv1.AddToScheme(testScheme); err != nil { 37 | panic(err) 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /pkg/internal/constants/kubecarrier.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package constants 18 | 19 | const ( 20 | KubeCarrierDefaultName = "kubecarrier" 21 | 22 | KubeCarrierDefaultNamespace = "kubecarrier-system" 23 | 24 | InternalAPIGroupPrefix = "internal" 25 | ) 26 | -------------------------------------------------------------------------------- /pkg/internal/kustomize/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Package kustomize is a wrapper to call Kustomize directly from Go. 18 | package kustomize 19 | -------------------------------------------------------------------------------- /pkg/internal/reconcile/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | // Package reconcile implements reconcile functions for common Kubernetes types. 18 | package reconcile 19 | -------------------------------------------------------------------------------- /pkg/internal/reconcile/reconcile_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2019 The KubeCarrier Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package reconcile 18 | 19 | import ( 20 | corev1 "k8s.io/api/core/v1" 21 | apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" 22 | "k8s.io/apimachinery/pkg/runtime" 23 | utilruntime "k8s.io/apimachinery/pkg/util/runtime" 24 | 25 | catalogv1alpha1 "k8c.io/kubecarrier/pkg/apis/catalog/v1alpha1" 26 | corev1alpha1 "k8c.io/kubecarrier/pkg/apis/core/v1alpha1" 27 | operatorv1alpha1 "k8c.io/kubecarrier/pkg/apis/operator/v1alpha1" 28 | ) 29 | 30 | var testScheme = runtime.NewScheme() 31 | 32 | func init() { 33 | // setup scheme for all tests 34 | utilruntime.Must(corev1.AddToScheme(testScheme)) 35 | utilruntime.Must(catalogv1alpha1.AddToScheme(testScheme)) 36 | utilruntime.Must(operatorv1alpha1.AddToScheme(testScheme)) 37 | utilruntime.Must(apiextensionsv1.AddToScheme(testScheme)) 38 | utilruntime.Must(corev1alpha1.AddToScheme(testScheme)) 39 | } 40 | -------------------------------------------------------------------------------- /pkg/internal/resources/apiserver/z_init.go: 
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package apiserver

import (
	"net/http"

	statikfs "github.com/thetechnick/statik/fs"
)

// vfs is a virtual file system to access the config embedded in this package
// via statik.
var vfs http.FileSystem

// init builds vfs with statikfs.New and panics when that fails.
//
// Do not rename this file: this init has to run after the one in statik.go,
// and the z_ prefix keeps this file behind statik.go in file-name order.
func init() {
	embedded, err := statikfs.New()
	if err != nil {
		panic(err)
	}
	vfs = embedded
}

--------------------------------------------------------------------------------
/pkg/internal/resources/catapult/z_init.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package catapult

import (
	"net/http"

	statikfs "github.com/thetechnick/statik/fs"
)

// vfs is a virtual file system to access the catapult config embedded in this
// package via statik.
var vfs http.FileSystem

// init builds vfs with statikfs.New and panics when that fails.
//
// Do not rename this file: this init has to run after the one in statik.go,
// and the z_ prefix keeps this file behind statik.go in file-name order.
func init() {
	embedded, err := statikfs.New()
	if err != nil {
		panic(err)
	}
	vfs = embedded
}

--------------------------------------------------------------------------------
/pkg/internal/resources/constants/labels.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package constants

const (
	// Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels
	NameLabel      = "app.kubernetes.io/name"
	InstanceLabel  = "app.kubernetes.io/instance"
	VersionLabel   = "app.kubernetes.io/version"
	ManagedByLabel = "app.kubernetes.io/managed-by"

	// ManagedByKubeCarrierOperator is, judging by its name, the value paired
	// with ManagedByLabel; confirm at the call sites.
	ManagedByKubeCarrierOperator = "kubecarrier-operator"
)

--------------------------------------------------------------------------------
/pkg/internal/resources/elevator/z_init.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package elevator

import (
	"net/http"

	statikfs "github.com/thetechnick/statik/fs"
)

// vfs is a virtual file system to access the config embedded in this package
// via statik.
var vfs http.FileSystem

// init builds vfs with statikfs.New and panics when that fails.
//
// Do not rename this file: this init has to run after the one in statik.go,
// and the z_ prefix keeps this file behind statik.go in file-name order.
func init() {
	embedded, err := statikfs.New()
	if err != nil {
		panic(err)
	}
	vfs = embedded
}

--------------------------------------------------------------------------------
/pkg/internal/resources/fakeoperator/fakeoperator_test.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package fakeoperator

import (
	"io/ioutil"
	"os"
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/stretchr/testify/require"
	"sigs.k8s.io/yaml"

	"k8c.io/utils/pkg/testutil"
)

// TestManifests renders the manifests for a fixed Config, marshals them to
// YAML and compares the result with the golden file next to this test.
//
// When the environment variable named by testutil.OverrideGoldenEnv is
// present (os.LookupEnv only checks presence, so an empty value counts too),
// the golden file is first rewritten from the current output with mode 0640.
// The comparison that follows then reads back what was just written, so a
// run with the override set cannot fail on a diff; review the changed golden
// file before committing it.
func TestManifests(t *testing.T) {
	const goldenFile = "fakeoperator.golden.yaml"

	manifests, err := Manifests(Config{Namespace: "test3000"})
	require.NoError(t, err, "unexpected error")

	rendered, err := yaml.Marshal(manifests)
	require.NoError(t, err, "cannot marshall given manifests")

	if _, overwrite := os.LookupEnv(testutil.OverrideGoldenEnv); overwrite {
		require.NoError(t, ioutil.WriteFile(goldenFile, rendered, 0640))
	}

	golden, err := ioutil.ReadFile(goldenFile)
	require.NoError(t, err)
	if string(rendered) == string(golden) {
		return
	}
	t.Fatalf("generated manifests differ from the golden file:\n%s",
		cmp.Diff(string(golden), string(rendered)))
}

--------------------------------------------------------------------------------
/pkg/internal/resources/fakeoperator/z_init.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package fakeoperator

import (
	"net/http"

	statikfs "github.com/thetechnick/statik/fs"
)

// vfs is a virtual file system to access the config embedded in this package
// via statik.
var vfs http.FileSystem

// init builds vfs with statikfs.New and panics when that fails.
//
// Do not rename this file: this init has to run after the one in statik.go,
// and the z_ prefix keeps this file behind statik.go in file-name order.
func init() {
	embedded, err := statikfs.New()
	if err != nil {
		panic(err)
	}
	vfs = embedded
}

--------------------------------------------------------------------------------
/pkg/internal/resources/ferry/z_init.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package ferry

import (
	"net/http"

	statikfs "github.com/thetechnick/statik/fs"
)

// vfs is a virtual file system to access the config embedded in this package
// via statik.
var vfs http.FileSystem

// init builds vfs with statikfs.New and panics when that fails.
//
// Do not rename this file: this init has to run after the one in statik.go,
// and the z_ prefix keeps this file behind statik.go in file-name order.
func init() {
	embedded, err := statikfs.New()
	if err != nil {
		panic(err)
	}
	vfs = embedded
}

--------------------------------------------------------------------------------
/pkg/internal/resources/manager/manager_test.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package manager

import (
	"io/ioutil"
	"os"
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/stretchr/testify/require"
	"sigs.k8s.io/yaml"

	"k8c.io/utils/pkg/testutil"
)

// TestManifests renders the manifests for a fixed Config, marshals them to
// YAML and compares the result with the golden file next to this test.
//
// When the environment variable named by testutil.OverrideGoldenEnv is
// present (os.LookupEnv only checks presence, so an empty value counts too),
// the golden file is first rewritten from the current output with mode 0640.
// The comparison that follows then reads back what was just written, so a
// run with the override set cannot fail on a diff; review the changed golden
// file before committing it.
func TestManifests(t *testing.T) {
	const goldenFile = "manager.golden.yaml"

	manifests, err := Manifests(Config{
		Namespace: "test3000",
		Name:      "kubecarrier-test",
	})
	require.NoError(t, err, "unexpected error")

	rendered, err := yaml.Marshal(manifests)
	require.NoError(t, err, "cannot marshall given manifests")

	if _, overwrite := os.LookupEnv(testutil.OverrideGoldenEnv); overwrite {
		require.NoError(t, ioutil.WriteFile(goldenFile, rendered, 0640))
	}

	golden, err := ioutil.ReadFile(goldenFile)
	require.NoError(t, err)
	if string(rendered) == string(golden) {
		return
	}
	t.Fatalf("generated manifests differ from the golden file:\n%s",
		cmp.Diff(string(golden), string(rendered)))
}

--------------------------------------------------------------------------------
/pkg/internal/resources/manager/z_init.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package manager

import (
	"net/http"

	statikfs "github.com/thetechnick/statik/fs"
)

// vfs is a virtual file system to access the manager config embedded in this
// package via statik.
var vfs http.FileSystem

// init builds vfs with statikfs.New and panics when that fails.
//
// Do not rename this file: this init has to run after the one in statik.go,
// and the z_ prefix keeps this file behind statik.go in file-name order.
func init() {
	embedded, err := statikfs.New()
	if err != nil {
		panic(err)
	}
	vfs = embedded
}

--------------------------------------------------------------------------------
/pkg/internal/resources/operator/operator_test.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package operator

import (
	"io/ioutil"
	"os"
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/stretchr/testify/require"
	"sigs.k8s.io/yaml"

	"k8c.io/utils/pkg/testutil"
)

// TestManifests renders the manifests for a fixed Config, marshals them to
// YAML and compares the result with the golden file next to this test.
//
// When the environment variable named by testutil.OverrideGoldenEnv is
// present (os.LookupEnv only checks presence, so an empty value counts too),
// the golden file is first rewritten from the current output with mode 0640.
// The comparison that follows then reads back what was just written, so a
// run with the override set cannot fail on a diff; review the changed golden
// file before committing it.
func TestManifests(t *testing.T) {
	const goldenFile = "operator.golden.yaml"

	manifests, err := Manifests(Config{Namespace: "test3000"})
	require.NoError(t, err, "unexpected error")

	rendered, err := yaml.Marshal(manifests)
	require.NoError(t, err, "cannot marshall given manifests")

	if _, overwrite := os.LookupEnv(testutil.OverrideGoldenEnv); overwrite {
		require.NoError(t, ioutil.WriteFile(goldenFile, rendered, 0640))
	}

	golden, err := ioutil.ReadFile(goldenFile)
	require.NoError(t, err)
	if string(rendered) == string(golden) {
		return
	}
	t.Fatalf("generated manifests differ from the golden file:\n%s",
		cmp.Diff(string(golden), string(rendered)))
}

--------------------------------------------------------------------------------
/pkg/internal/resources/operator/z_init.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package operator

import (
	"net/http"

	statikfs "github.com/thetechnick/statik/fs"
)

// vfs is a virtual file system to access the operator config embedded in this
// package via statik.
var vfs http.FileSystem

// init builds vfs with statikfs.New and panics when that fails.
//
// Do not rename this file: this init has to run after the one in statik.go,
// and the z_ prefix keeps this file behind statik.go in file-name order.
func init() {
	embedded, err := statikfs.New()
	if err != nil {
		panic(err)
	}
	vfs = embedded
}

--------------------------------------------------------------------------------
/pkg/internal/version/version_test.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
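*/

package version

import (
	"strconv"
	"testing"

	"github.com/stretchr/testify/assert"
)

// TestDefault checks that Version, Branch, Commit and BuildDate all equal the
// package's empty value. It only holds while no other test has left modified
// values behind in those package-level variables.
func TestDefault(t *testing.T) {
	// assert.Equal takes (expected, actual); empty is the expected side.
	assert.Equal(t, empty, Version)
	assert.Equal(t, empty, Branch)
	assert.Equal(t, empty, Commit)
	assert.Equal(t, empty, BuildDate)
}

// TestGet sets the package-level build variables to fixed values and checks
// that Get reports them, with BuildDate compared as Unix seconds.
func TestGet(t *testing.T) {
	// Put the package-level variables back afterwards. Without this the
	// values set here leak into TestDefault on a repeated run in the same
	// process (for example go test -count=2).
	prevVersion, prevBranch, prevCommit, prevBuildDate := Version, Branch, Commit, BuildDate
	t.Cleanup(func() {
		Version, Branch, Commit, BuildDate = prevVersion, prevBranch, prevCommit, prevBuildDate
	})

	Version = "1.2.3"
	Branch = "branch"
	Commit = "commit"
	BuildDate = "1573126751"

	v := Get()
	assert.Equal(t, Version, v.Version)
	assert.Equal(t, Branch, v.Branch)
	assert.Equal(t, Commit, v.Commit)
	assert.Equal(t, BuildDate, strconv.Itoa(int(v.BuildDate.Unix())))
}

--------------------------------------------------------------------------------
/pkg/manager/internal/controllers/controller_test.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.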
*/

package controllers

import (
	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
	"k8s.io/apimachinery/pkg/runtime"
	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
	clientgoscheme "k8s.io/client-go/kubernetes/scheme"

	catalogv1alpha1 "k8c.io/kubecarrier/pkg/apis/catalog/v1alpha1"
	corev1alpha1 "k8c.io/kubecarrier/pkg/apis/core/v1alpha1"
	operatorv1alpha1 "k8c.io/kubecarrier/pkg/apis/operator/v1alpha1"
)

// testScheme is the scheme that init fills for the tests of this package.
var testScheme = runtime.NewScheme()

// init registers the API groups listed below into testScheme, in this order.
// utilruntime.Must panics on the first registration that returns an error.
func init() {
	// setup scheme for all tests
	registrations := []func(*runtime.Scheme) error{
		clientgoscheme.AddToScheme,
		apiextensionsv1.AddToScheme,
		corev1alpha1.AddToScheme,
		catalogv1alpha1.AddToScheme,
		operatorv1alpha1.AddToScheme,
	}
	for _, addToScheme := range registrations {
		utilruntime.Must(addToScheme(testScheme))
	}
}

--------------------------------------------------------------------------------
/pkg/manager/internal/controllers/util.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package controllers

import (
	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
)

// Label keys under the kubecarrier.io prefix.
const (
	ServiceClusterLabel  = "kubecarrier.io/service-cluster"
	OriginNamespaceLabel = "kubecarrier.io/origin-namespace"
)

// getStorageVersion returns the name of the first entry in crd.Spec.Versions
// whose Storage flag is set, or "" when no entry has it set.
func getStorageVersion(crd *apiextensionsv1.CustomResourceDefinition) string {
	versions := crd.Spec.Versions
	for i := range versions {
		if versions[i].Storage {
			return versions[i].Name
		}
	}
	return ""
}

// object is a generic Kubernetes object that implements both the
// runtime.Object and the metav1.Object interface.
type object interface {
	runtime.Object
	metav1.Object
}

--------------------------------------------------------------------------------
/pkg/manager/internal/webhooks/controller_test.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package webhooks

import (
	corev1 "k8s.io/api/core/v1"
	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
	"k8s.io/apimachinery/pkg/runtime"

	catalogv1alpha1 "k8c.io/kubecarrier/pkg/apis/catalog/v1alpha1"
	corev1alpha1 "k8c.io/kubecarrier/pkg/apis/core/v1alpha1"
	operatorv1alpha1 "k8c.io/kubecarrier/pkg/apis/operator/v1alpha1"
)

// testScheme is the scheme that init fills for the tests of this package.
var testScheme = runtime.NewScheme()

// init registers the API groups listed below into testScheme, in this order,
// and panics with the error of the first registration that fails.
func init() {
	// setup scheme for all tests
	registrations := []func(*runtime.Scheme) error{
		corev1.AddToScheme,
		catalogv1alpha1.AddToScheme,
		operatorv1alpha1.AddToScheme,
		apiextensionsv1.AddToScheme,
		corev1alpha1.AddToScheme,
	}
	for _, addToScheme := range registrations {
		if err := addToScheme(testScheme); err != nil {
			panic(err)
		}
	}
}

--------------------------------------------------------------------------------
/test/installation/e2eoperator.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package installation

import (
	"context"
	"os/exec"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"k8c.io/kubecarrier/pkg/testutil"
)

// newE2EOperator returns a test that runs
// `kubectl kubecarrier e2e-test setup-e2e-operator` with the framework's
// ServiceExternalKubeconfigPath and then calls testutil.E2EOperatorCheck with
// a service client.
//
// One 60 second context covers both the kubectl invocation and the check that
// follows; it is cancelled in t.Cleanup.
func newE2EOperator(f *testutil.Framework) func(t *testing.T) {
	return func(t *testing.T) {
		ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
		t.Cleanup(cancel)

		// The arguments go to kubectl as an argv slice, not through a shell,
		// so the kubeconfig path is never interpreted by a shell.
		setup := exec.CommandContext(ctx,
			"kubectl", "kubecarrier", "e2e-test", "setup-e2e-operator",
			"--kubeconfig", f.Config().ServiceExternalKubeconfigPath,
		)
		// stdout and stderr are written to the test log whether or not the
		// command succeeded.
		output, err := setup.CombinedOutput()
		t.Log(string(output))
		require.NoError(t, err)

		serviceClient, err := f.ServiceClient(t)
		require.NoError(t, err, "creating service client")
		testutil.E2EOperatorCheck(ctx, t, serviceClient, f.ServiceScheme)
	}
}

--------------------------------------------------------------------------------
/test/installation/installation.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package installation

import (
	"testing"

	"k8c.io/kubecarrier/pkg/testutil"
)

// NewInstallationSuite returns a test function that runs the kubeCarrier and
// e2eOperator installation tests as parallel subtests.
func NewInstallationSuite(f *testutil.Framework) func(t *testing.T) {
	// Constructors keyed by subtest name. Map iteration order is unspecified,
	// so the subtests are started in no fixed order.
	suites := map[string]func(f *testutil.Framework) func(t *testing.T){
		"kubeCarrier": newKubeCarrier,
		"e2eOperator": newE2EOperator,
	}

	return func(t *testing.T) {
		for name, testFn := range suites {
			// Per-iteration copy for the closure below, which runs after
			// t.Parallel has paused the subtest.
			build := testFn

			t.Run(name, func(t *testing.T) {
				t.Parallel()
				build(f)(t)
			})
		}
	}
}

--------------------------------------------------------------------------------
/test/integration/integration.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package integration

import (
	"testing"

	"k8c.io/kubecarrier/pkg/testutil"
)

// NewIntegrationSuite returns a test function that runs each integration sub-suite as a parallel subtest.
func NewIntegrationSuite(f *testutil.Framework) func(t *testing.T) {
	// Constructors keyed by subtest name. Map iteration order is unspecified,
	// so the subtests are started in no fixed order.
	suites := map[string]func(f *testutil.Framework) func(t *testing.T){
		"apiserver":      newAPIServer,
		"derivedCR":      newDerivedCR,
		"serviceCluster": newServiceClusterSuite,
		"catalog":        newCatalogSuite,
		"account":        newAccount,
		"cli":            newCLI,
		"fakeDB":         newFakeDB,
	}

	return func(t *testing.T) {
		t.Parallel()
		for name, testFn := range suites {
			// Per-iteration copy for the closure below, which runs after
			// t.Parallel has paused the subtest.
			build := testFn

			t.Run(name, func(t *testing.T) {
				t.Helper()
				t.Parallel()
				build(f)(t)
			})
		}
	}
}

--------------------------------------------------------------------------------
/test/scenarios/scenarios.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package scenarios

import (
	"testing"

	"k8c.io/kubecarrier/pkg/testutil"
)

// NewSuite returns a test function that runs every scenario (currently only
// "simple") as a parallel subtest.
func NewSuite(f *testutil.Framework) func(t *testing.T) {
	// Constructors keyed by subtest name.
	scenarios := map[string]func(f *testutil.Framework) func(t *testing.T){
		"simple": newSimpleScenario,
	}

	return func(t *testing.T) {
		t.Parallel()
		for name, testFn := range scenarios {
			// Per-iteration copy for the closure below, which runs after
			// t.Parallel has paused the subtest.
			build := testFn

			t.Run(name, func(t *testing.T) {
				t.Helper()
				t.Parallel()
				build(f)(t)
			})
		}
	}
}

--------------------------------------------------------------------------------
/test/test.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
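*/

package test

import (
	"fmt"
	"testing"

	"k8c.io/kubecarrier/pkg/testutil"
	"k8c.io/kubecarrier/test/installation"
	"k8c.io/kubecarrier/test/integration"
	"k8c.io/kubecarrier/test/scenarios"
	"k8c.io/kubecarrier/test/verify"
)

// AllTests builds one test framework from config and returns the four
// top-level suites (VerifySuite, InstallationSuite, Integration, Scenarios)
// in that order, all sharing the framework.
//
// It returns a nil slice and a wrapped error when testutil.New fails.
func AllTests(config testutil.FrameworkConfig) ([]testing.InternalTest, error) {
	f, err := testutil.New(config)
	if err != nil {
		// The original format string had no space after the colon, which ran
		// the wrapped error's text into this prefix.
		return nil, fmt.Errorf("creating test framework: %w", err)
	}

	return []testing.InternalTest{
		{Name: "VerifySuite", F: verify.NewVerifySuite(f)},
		{Name: "InstallationSuite", F: installation.NewInstallationSuite(f)},
		{Name: "Integration", F: integration.NewIntegrationSuite(f)},
		{Name: "Scenarios", F: scenarios.NewSuite(f)},
	}, nil
}

--------------------------------------------------------------------------------
/test/testdata/00_prereq.yaml:
--------------------------------------------------------------------------------
1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: kubecarrier-system 6 | --- 7 | apiVersion: cert-manager.io/v1alpha2 8 | kind: Issuer 9 | metadata: 10 | name: dex 11 | namespace: kubecarrier-system 12 | spec: 13 | selfSigned: {} 14 | --- 15 | apiVersion: cert-manager.io/v1alpha2 16 | kind: Certificate 17 | metadata: 18 | name: dex 19 | namespace: kubecarrier-system 20 | spec: 21 | dnsNames: 22 | - dex.kubecarrier-system.svc 23 | - localhost 24 | isCA: true 25 | issuerRef: 26 | kind: Issuer 27 | name: dex 28 | secretName: dex-web-server 29 |
--------------------------------------------------------------------------------
/test/testdata/dex_values.yaml:
--------------------------------------------------------------------------------
1 | grpc: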
false 2 | https: true 3 | 4 | ports: 5 | web: 6 | servicePort: 443 7 | certs: 8 | web: 9 | create: false 10 | secret: 11 | tlsName: dex-web-server 12 | caName: dex-web-server 13 | config: 14 | issuer: "https://dex.kubecarrier-system.svc" 15 | oauth2: 16 | responseTypes: [ "code", "token", "id_token" ] 17 | staticClients: 18 | - id: e2e-client-id 19 | redirectURIs: 20 | - 'http://dummy.svc/oauth2/callback' 21 | name: "e2e client" 22 | secret: e2e-client-secret 23 | staticPasswords: 24 | - email: "admin@example.com" 25 | username: "admin@kubecarrier.io" 26 | # bcrypt hash of the string "password" (e2e fixture credential; the plaintext is public, so it must stay confined to test clusters) 27 | hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" 28 | # userID: "08a8684b-db88-4b73-90a9-3cd1661f5466" 29 | -------------------------------------------------------------------------------- /test/testdata/htpassword-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "v1" 2 | kind: Secret 3 | metadata: 4 | name: htpasswd-user 5 | namespace: kubecarrier-system 6 | stringData: 7 | auth: | 8 | # user:mickey5 9 | user1:$apr1$gxNb79DX$6wi9QaGNM5TA0kBKiC4710 10 | # team-a-member:password 11 | team-a-member:$2y$10$gzAtay66RjtW6vTBtFUV9eRaMDXteByxgwV2d5ozLxUk6Uq056aJy 12 | # team-b-member:password 13 | team-b-member:$2y$10$gzAtay66RjtW6vTBtFUV9eRaMDXteByxgwV2d5ozLxUk6Uq056aJy 14 | -------------------------------------------------------------------------------- /test/testdata/kubecarrier-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operator.kubecarrier.io/v1alpha1 2 | kind: KubeCarrier 3 | spec: 4 | api: 5 | authentication: 6 | - oidc: 7 | certificateAuthority: 8 | name: dex-web-server 9 | clientID: e2e-client-id 10 | usernameClaim: "name" 11 | issuerURL: "https://dex.kubecarrier-system.svc" 12 | - staticUsers: 13 | htpasswdSecret: 14 | name: "htpasswd-user" 15 | - serviceAccount: {} 16 | - anonymous: {} # e2e fixture: the anonymous provider is enabled in addition to oidc, staticUsers and serviceAccount 17 | 
--------------------------------------------------------------------------------
/test/testdata/z_init.go:
--------------------------------------------------------------------------------
/*
Copyright 2019 The KubeCarrier Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package testdata

import (
	"net/http"

	statikfs "github.com/thetechnick/statik/fs"
)

// Vfs is a virtual file system to access the files embedded in this package
// via statik.
var Vfs http.FileSystem

// init builds Vfs with statikfs.New and panics when that fails.
//
// Do not rename this file: this init has to run after the one in statik.go,
// and the z_ prefix keeps this file behind statik.go in file-name order.
func init() {
	embedded, err := statikfs.New()
	if err != nil {
		panic(err)
	}
	Vfs = embedded
}

--------------------------------------------------------------------------------