Update makefile (#12)

Author: Xin Li

Dockerfile

@@ -1,5 +1,6 @@
 # Build the manager binary
-FROM golang:1.13 as builder
+FROM golang:1.14.7 as builder
+ARG GOARCH
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -15,7 +16,7 @@ COPY api/ api/
 COPY controllers/ controllers/
 
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o namespace-scope-operator-manager main.go
+RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -a -o namespace-scope-operator-manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details

Makefile

@@ -118,6 +118,10 @@ deploy: manifests ## Deploy controller in the configured Kubernetes cluster in ~
 	cd config/manager && $(KUSTOMIZE) edit set image ibm-namespace-scope-operator=$(IMAGE_REPO)/$(OPERATOR_IMAGE_NAME):$(OPERATOR_VERSION)
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
 
+undeploy: ## Undeploy controller in the configured Kubernetes cluster in ~/.kube/config
+	cd config/manager && $(KUSTOMIZE) edit set image ibm-namespace-scope-operator=$(IMAGE_REPO)/$(OPERATOR_IMAGE_NAME):$(OPERATOR_VERSION)
+	$(KUSTOMIZE) build config/default | kubectl delete -f -
+
 ##@ Generate code and manifests
 
 manifests: ## Generate manifests e.g. CRD, RBAC etc.
@@ -147,7 +151,7 @@ build-operator-image: ## Build the operator image.
 	@echo "Building the $(OPERATOR_IMAGE_NAME) docker image for $(LOCAL_ARCH)..."
 	@docker build -t $(REGISTRY)/$(OPERATOR_IMAGE_NAME)-$(LOCAL_ARCH):$(VERSION) \
 	--build-arg VCS_REF=$(VCS_REF) --build-arg VCS_URL=$(VCS_URL) \
-	--build-arg GOARCH=$(LOCAL_ARCH) --build-arg ARCH=$(LOCAL_ARCH) -f Dockerfile .
+	--build-arg GOARCH=$(LOCAL_ARCH) -f Dockerfile .
 
 ##@ Release
 

config/default/kustomization.yaml

@@ -1,12 +1,12 @@
 # Adds namespace to all resources.
-namespace: ibm-namespace-scope-operator-system
+namespace: ibm-common-services
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: ibm-namespace-scope-operator-
+# namePrefix: ibm-namespace-scope-operator-
 
 # Labels to add to all resources and selectors.
 #commonLabels:
@@ -16,6 +16,7 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
+- ../samples
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook
@@ -28,7 +29,7 @@ patchesStrategicMerge:
   # Protect the /metrics endpoint by putting it behind auth.
   # If you want your controller-manager to expose the /metrics
   # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
+# - manager_auth_proxy_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml

config/manager/manager.yaml

@@ -1,42 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ibm-common-services
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: controller-manager
-  namespace: system
+  name: ibm-namespace-scope-operator
+  namespace: ibm-common-services
   labels:
-    control-plane: controller-manager
+    app.kubernetes.io/instance: "ibm-namespace-scope-operator"
+    app.kubernetes.io/managed-by: "ibm-namespace-scope-operator"
+    app.kubernetes.io/name: "ibm-namespace-scope-operator"
 spec:
   selector:
     matchLabels:
-      control-plane: controller-manager
+      name: ibm-namespace-scope-operator
   replicas: 1
   template:
     metadata:
       labels:
-        control-plane: controller-manager
+        name: ibm-namespace-scope-operator
+        app.kubernetes.io/instance: ibm-namespace-scope-operator
+        app.kubernetes.io/managed-by: "ibm-namespace-scope-operator"
+        app.kubernetes.io/name: "ibm-namespace-scope-operator"
+      annotations:
+        productName: "IBM Cloud Platform Common Services"
+        productID: "068a62892a1e4db39641342e592daa25"
+        productMetric: "FREE"
     spec:
       serviceAccountName: ibm-namespace-scope-operator
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
+                - ppc64le
+                - s390x
       containers:
       - command:
         - /namespace-scope-operator-manager
+        image: danielxlee/ibm-namespace-scope-operator:1.0.0
+        imagePullPolicy: Always
+        name: ibm-namespace-scope-operator
         env:
         - name: OPERATOR_NAME
-          value: ibm-namespace-scope-operator
+          value: "ibm-namespace-scope-operator"
         - name: OPERATOR_NAMESPACE
           valueFrom:
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
-        args:
-        - --enable-leader-election
-        image: ibm-namespace-scope-operator:latest
-        name: manager
         resources:
           limits:
-            cpu: 100m
-            memory: 30Mi
+            cpu: 500m
+            memory: 512Mi
           requests:
             cpu: 100m
-            memory: 20Mi
+            memory: 200Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
       terminationGracePeriodSeconds: 10

config/rbac/cluster_role.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ibm-namespace-scope-operator
+rules:
+- apiGroups:
+  - operator.ibm.com
+  resources:
+  - namespacescopes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - operator.ibm.com
+  resources:
+  - namespacescopes/status
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - configmaps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch

config/rbac/cluster_rolebinding.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ibm-namespace-scope-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ibm-namespace-scope-operator
+subjects:
+- kind: ServiceAccount
+  name: ibm-namespace-scope-operator

config/rbac/kustomization.yaml

@@ -1,12 +1,6 @@
 resources:
 - role.yaml
 - role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+# - cluster_role.yaml
+# - cluster_rolebinding.yaml
+- service_account.yaml

config/rbac/role.yaml

@@ -1,4 +1,3 @@
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role