introduce default labels that are propagted from parent

This PR adds a new label, with key `environment` which is propgated from the parent down the hierarchy, if it exists. Also, CI was broken so this fixes it since health checks were missing Signed-off-by: mzeevi <meytar80@gmail.com>
dana-team · Apr 14, 2024 · b75c5b6 · b75c5b6
1 parent 12f4e1b
commit b75c5b6
Show file tree

Hide file tree

Showing 19 changed files with 91 additions and 1,284 deletions.
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -51,3 +51,6 @@ jobs:
 
       - name: Run e2e tests
         run: make test-e2e
+
+      - name: Undeploy HNS
+        run: make undeploy
diff --git a/api/v1/types.go b/api/v1/types.go
@@ -10,6 +10,7 @@ const (
 )
 
 var DefaultAnnotations = []string{"scheduler.alpha.kubernetes.io/defaultTolerations", "openshift.io/node-selector"}
+var DefaultLabels = []string{"environment"}
 
 const (
 	Missing    Phase = "Missing"

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/cmd/main.go b/cmd/main.go
@@ -18,6 +18,8 @@ import (
 	"flag"
 	"os"
 
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+
 	"github.com/dana-team/hns/internal/metrics"
 
 	userv1 "github.com/openshift/api/user/v1"
@@ -113,6 +115,15 @@ func main() {
 	// Register the HNS specific metrics
 	metrics.InitializeHNSMetrics()
 
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -37,3 +37,4 @@ spec:
         - "--health-probe-bind-address=:8081"
         - "--metrics-bind-address=127.0.0.1:8080"
         - "--leader-elect"
+        - "--max-sns=250"
diff --git a/config/dev/manager_auth_proxy_patch.yaml b/config/dev/manager_auth_proxy_patch.yaml
@@ -1,4 +1,4 @@
-# This patch inject a sidecar container which is a HTTP proxy for the 
+# This patch inject a sidecar container which is a HTTP proxy for the
 # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
 apiVersion: apps/v1
 kind: Deployment
@@ -9,17 +9,32 @@ spec:
   template:
     spec:
       containers:
-      - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
-        args:
-        - "--secure-listen-address=0.0.0.0:8443"
-        - "--upstream=http://127.0.0.1:8080/"
-        - "--logtostderr=true"
-        - "--v=10"
-        ports:
-        - containerPort: 8443
-          name: https
-      - name: manager
-        args:
-        - "--metrics-addr=127.0.0.1:8080"
-        - "--enable-leader-election"
+        - name: kube-rbac-proxy
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+          args:
+            - "--secure-listen-address=0.0.0.0:8443"
+            - "--upstream=http://127.0.0.1:8080/"
+            - "--logtostderr=true"
+            - "--v=0"
+          ports:
+            - containerPort: 8443
+              protocol: TCP
+              name: https
+          resources:
+            limits:
+              cpu: 500m
+              memory: 128Mi
+            requests:
+              cpu: 5m
+              memory: 64Mi
+        - name: manager
+          args:
+            - "--health-probe-bind-address=:8081"
+            - "--metrics-bind-address=127.0.0.1:8080"
+            - "--leader-elect"
+            - "--max-sns=250"
diff --git a/config/dev/manager_server_patch.yaml b/config/dev/manager_server_patch.yaml
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -7,6 +7,6 @@ images:
   newName: controller
   newTag: latest
 configMapGenerator:
-  - literals:
-      - PERMITTED_GROUPS='test'
-    name: permitted-groups-cm
+- literals:
+  - PERMITTED_GROUPS='test'
+  name: permitted-groups-cm
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -1,14 +1,13 @@
 resources:
-- role.yaml
-- role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
 - admin_sns.yaml
-- template_cluster_admin.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_role.yaml
+- auth_proxy_service.yaml
+- leader_election_role_binding.yaml
+- leader_election_role.yaml
+- role_binding.yaml
+- role.yaml
+- service_account.yaml
+- subnamespace_editor_role.yaml
+- subnamespace_viewer_role.yaml
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/config/rbac/template_cluster_admin.yaml b/config/rbac/template_cluster_admin.yaml
-Original file line number
+Diff line change
@@ Expand Up / @@ -10,6 +10,7 @@ const ( @@
     )
     var DefaultAnnotations = []string{"scheduler.alpha.kubernetes.io/defaultTolerations", "openshift.io/node-selector"}
+    var DefaultLabels = []string{"environment"}
     const (
     	Missing    Phase = "Missing"
@@ Expand Down @@