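# Install bundle for the Amlen operator: Namespace, CRD, RBAC, manager config,
# metrics Service and the controller Deployment, all targeting `amlen-system`.
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    control-plane: controller-manager
  name: amlen-system
---
# CRD for the namespaced `Amlen` resource (group amlen.com, version v1alpha1).
# Only a handful of fields are typed. `x-kubernetes-preserve-unknown-fields:
# true` on spec, status and every sub-object means the API server neither
# prunes nor validates any other field, so the operator has to treat the rest
# of the object as unvalidated input.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: amlens.amlen.com
spec:
  group: amlen.com
  names:
    kind: Amlen
    listKind: AmlenList
    plural: amlens
    singular: amlen
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: Amlen is the Schema for the amlens API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the desired state of Amlen
            properties:
              device_cert_issuer:
                properties:
                  mode:
                    enum:
                    - automatic
                    - manual
                    type: string
                required:
                - mode
                type: object
                x-kubernetes-preserve-unknown-fields: true
              ha:
                properties:
                  # Free-form object: no schema is enforced on the issuer.
                  cert_issuer:
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                  enabled:
                    type: boolean
                required:
                - enabled
                - cert_issuer
                type: object
                x-kubernetes-preserve-unknown-fields: true
              ldap:
                properties:
                  # Free-form object: no schema is enforced on the issuer.
                  cert_issuer:
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                  enabled:
                    type: boolean
                required:
                - enabled
                - cert_issuer
                type: object
                x-kubernetes-preserve-unknown-fields: true
            type: object
            x-kubernetes-preserve-unknown-fields: true
          status:
            description: Status defines the observed state of Amlen
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Identity the controller pod runs as; every binding below targets it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: amlen-controller-manager
  namespace: amlen-system
---
# Namespace-scoped permissions used for leader election (configmaps/leases)
# and for emitting events.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: amlen-leader-election-role
  namespace: amlen-system
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
# Main operator permissions. This is a ClusterRole bound with a
# ClusterRoleBinding, so every rule applies in ALL namespaces: the controller's
# token can read and write every Secret in the cluster and `create` on
# pods/exec allows running commands in any pod. A compromise of the manager
# pod therefore exposes the whole cluster, not just amlen-system.
# NOTE(review): if the operator only manages Amlen instances in known
# namespaces, grant these rules through a Role + RoleBinding per namespace
# instead, and drop verbs/resources the playbooks do not use.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: amlen-manager-role
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - pods
  - pods/exec
  - pods/log
  - services
  # NOTE(review): `routes` is not a core-group resource, so this entry grants
  # nothing as written - presumably OpenShift routes were intended; confirm.
  - routes
  - persistentvolumeclaims
  - serviceaccounts
  - configmaps
  # NOTE(review): `jobs` lives in the `batch` group (granted further down);
  # this core-group entry has no effect.
  - jobs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - amlen.com
  resources:
  - amlens
  - amlens/status
  - amlens/finalizers
  # NOTE(review): the CRD in this file defines only `amlens` in amlen.com;
  # `jobs` here looks like a leftover - confirm and remove.
  - jobs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
---
# Allows GET on the /metrics non-resource URL. No binding for this role exists
# in this file; it is meant to be bound to whatever scrapes the metrics.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: amlen-metrics-reader
rules:
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
# Lets kube-rbac-proxy authenticate (TokenReview) and authorize
# (SubjectAccessReview) callers of the metrics endpoint.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: amlen-proxy-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: amlen-leader-election-rolebinding
  namespace: amlen-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: amlen-leader-election-role
subjects:
- kind: ServiceAccount
  name: amlen-controller-manager
  namespace: amlen-system
---
# Cluster-wide grant of amlen-manager-role to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: amlen-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: amlen-manager-role
subjects:
- kind: ServiceAccount
  name: amlen-controller-manager
  namespace: amlen-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: amlen-proxy-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: amlen-proxy-role
subjects:
- kind: ServiceAccount
  name: amlen-controller-manager
  namespace: amlen-system
---
# Controller-manager configuration file.
# NOTE(review): the Deployment in this file does not mount this ConfigMap and
# passes the bind addresses as flags instead; the leader-election name here
# (811c9dc5.amlen.com) also differs from `--leader-election-id=amlen`.
# Confirm which source of configuration is actually in effect.
apiVersion: v1
data:
  controller_manager_config.yaml: |
    apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
    kind: ControllerManagerConfig
    health:
      healthProbeBindAddress: :6789
    metrics:
      bindAddress: 127.0.0.1:8080
    leaderElection:
      leaderElect: true
      resourceName: 811c9dc5.amlen.com
kind: ConfigMap
metadata:
  name: amlen-manager-config
  namespace: amlen-system
---
# Exposes the kube-rbac-proxy port (8443) of the controller pod.
apiVersion: v1
kind: Service
metadata:
  labels:
    control-plane: controller-manager
  name: amlen-controller-manager-metrics-service
  namespace: amlen-system
spec:
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: https
  selector:
    control-plane: controller-manager
---
# Controller pod: kube-rbac-proxy sidecar plus the operator (`manager`).
# The manager binds metrics to 127.0.0.1:8080, so the only network path to
# them is the proxy on 8443, which authenticates and authorizes callers.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: controller-manager
  name: amlen-controller-manager
  namespace: amlen-system
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: manager
      labels:
        control-plane: controller-manager
    spec:
      containers:
      - args:
        - --secure-listen-address=0.0.0.0:8443
        - --upstream=http://127.0.0.1:8080/
        - --logtostderr=true
        - --v=0
        # NOTE(review): confirm this image is still published at this location
        # and pin it by digest (image@sha256:<digest>) rather than by tag.
        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
        name: kube-rbac-proxy
        ports:
        - containerPort: 8443
          name: https
          protocol: TCP
        resources:
          limits:
            cpu: 500m
            memory: 128Mi
          requests:
            cpu: 5m
            memory: 64Mi
        # Added to match the manager container: the sidecar had no
        # container-level securityContext, so privilege escalation was only
        # restricted for one of the two containers sharing this
        # ServiceAccount token.
        securityContext:
          allowPrivilegeEscalation: false
      - args:
        - --health-probe-bind-address=:6789
        - --metrics-bind-address=127.0.0.1:8080
        - --leader-elect
        - --leader-election-id=amlen
        env:
        - name: ANSIBLE_GATHERING
          value: explicit
        # `main` is a mutable tag: the code running under the cluster-wide
        # role above can change without this manifest changing. Pin to a
        # release tag or digest (quay.io/amlen/operator@sha256:<digest>).
        image: quay.io/amlen/operator:main
        livenessProbe:
          httpGet:
            path: /healthz
            port: 6789
          initialDelaySeconds: 15
          periodSeconds: 20
        name: manager
        readinessProbe:
          httpGet:
            path: /readyz
            port: 6789
          initialDelaySeconds: 5
          periodSeconds: 10
        resources:
          limits:
            cpu: 500m
            memory: 768Mi
          requests:
            cpu: 10m
            memory: 256Mi
        securityContext:
          allowPrivilegeEscalation: false
      # Pod-level: refuse to start any container whose image runs as UID 0.
      securityContext:
        runAsNonRoot: true
      serviceAccountName: amlen-controller-manager
      terminationGracePeriodSeconds: 10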