kubernetes-operator v0.2.0 (#26)

Author: mohamed-essam

.github/workflows/test-chart-netbird-operator-config.yaml

@@ -0,0 +1,64 @@
+name: Test netbird-operator-config Chart
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test-e2e:
+    name: Run on Ubuntu
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone the code
+        uses: actions/checkout@v4
+
+      - name: Install the latest version of kind
+        run: |
+          curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64
+          chmod +x ./kind
+          sudo mv ./kind /usr/local/bin/kind
+
+      - name: Verify kind installation
+        run: kind version
+
+      - name: Create kind cluster
+        run: kind create cluster
+
+      - name: Install Helm
+        run: |
+          curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+
+      - name: Verify Helm installation
+        run: helm version
+
+      - name: Lint Helm Chart
+        run: |
+          helm lint ./charts/kubernetes-operator
+
+      - name: Install cert-manager via Helm
+        run: |
+          helm repo add jetstack https://charts.jetstack.io
+          helm repo update
+          helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
+ 
+      - name: Wait for cert-manager to be ready
+        run: |
+          kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager
+          kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager-cainjector
+          kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager-webhook
+ 
+      - name: Install Helm chart for project
+        run: |
+          helm install test-chart --create-namespace --namespace netbird --set 'operator.image.tag=debug' ./charts/kubernetes-operator
+
+      - name: Check Helm release status
+        run: |
+          helm status test-chart --namespace netbird
+
+      - name: Install config chart for project
+        run: |
+          helm install test-chart-config --create-namespace --namespace netbird ./charts/netbird-operator-config
+ 
+      - name: Check config release status
+        run: |
+          helm status test-chart-config --namespace netbird

charts/kubernetes-operator/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: kubernetes-operator
 description: NetBird Kubernetes Operator
 type: application
-version: 0.1.15
-appVersion: "0.1.5"
+version: 0.2.0
+appVersion: "0.2.0"

charts/kubernetes-operator/secretingress.yaml

@@ -0,0 +1,17 @@
+fullnameOverride: "netbird-api-gateway"
+
+controller:
+  replicaCount: 1
+  allowSnippetAnnotations: true
+  nodeSelector:
+    kubernetes.io/os: null
+  service:
+    type: ClusterIP
+  admissionWebhooks:
+    enabled: false
+  ingressClassResource:
+    name: netbird-api-gateway
+    controllerValue: k8s.io/netbird-api-gateway
+  ingressClass: netbird-api-gateway
+  config:
+    ssl-redirect: "true"

charts/kubernetes-operator/templates/_helpers.tpl

@@ -40,6 +40,11 @@ helm.sh/chart: {{ include "kubernetes-operator.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.general.labels }}
+{{- range $key, $val := .Values.general.labels }}
+{{ $key }}: "{{ $val }}"
+{{- end }}
+{{- end }}
 {{- end }}
 
 {{/*

charts/kubernetes-operator/templates/deployment.yaml

@@ -66,6 +66,13 @@ spec:
           {{- if .Values.routingClientImage }}
           - --netbird-client-image={{.Values.routingClientImage}}
           {{- end }}
+          {{- if .Values.general.labels }}
+          {{- $list := list }}
+          {{- range $k, $v := .Values.general.labels }}
+          {{- $list = append $list (printf "%s=%s" $k $v) }}
+          {{- end }}
+          - --default-labels="{{ join ", " $list }}"
+          {{- end }}
           ports:
             - name: webhook-server
               containerPort: {{ .Values.webhook.service.port }}

charts/kubernetes-operator/templates/kubernetes-nbresource.yaml

@@ -27,15 +27,15 @@ spec:
     spec:
       initContainers:
       - name: wait-network-ready
-        image: {{ .Values.ingress.kubernetesAPI.customKubectlImage | default "registry.suse.com/suse/kubectl:latest"}}
+        image: "netbirdio/kubectl:latest"
         command:
-        - bash
+        - sh
         - -c
         args:
-        - kubectl wait --for 'jsonpath={.status.networkID}' -n {{ $routerNS }} nbroutingpeer router; 
+        - kubectl wait --for 'jsonpath={.status.networkID}' -n {{ $routerNS }} nbroutingpeer router;
       containers:
       - name: apply-nbresource
-        image: {{ .Values.ingress.kubernetesAPI.customKubectlImage | default "registry.suse.com/suse/kubectl:latest"}}
+        image: "netbirdio/kubectl:latest"
         env:
         - name: NBRESOURCE_VALUE
           value: |
@@ -62,7 +62,7 @@ spec:
               tcpPorts:
               - 443
         command:
-        - bash
+        - sh
         - -c
         args:
         - kubectl delete NBResource --ignore-not-found -n default kubernetes; export NETWORK_ID=$(kubectl get NBRoutingPeer -n {{ $routerNS }} router -o 'jsonpath={.status.networkID}'); echo "$NBRESOURCE_VALUE" | envsubst | kubectl apply -f -

charts/kubernetes-operator/templates/nbpolicies.yaml

@@ -8,6 +8,8 @@ metadata:
   labels:
     app.kubernetes.io/component: operator
     {{- include "kubernetes-operator.labels" $ | nindent 4 }}
+  annotations:
+    helm.sh/resource-policy: keep
   name: {{ $k }}
 spec:
   name: {{ $v.name }}

charts/kubernetes-operator/templates/nbroutingpeers.yaml

@@ -10,6 +10,8 @@ metadata:
   labels:
     app.kubernetes.io/component: operator
     {{- include "kubernetes-operator.labels" $ | nindent 4 }}
+  annotations:
+    helm.sh/resource-policy: keep
   name: router
   namespace: {{ $k }}
 {{ $spec := merge $defaults $v }}
@@ -51,6 +53,8 @@ metadata:
   labels:
     app.kubernetes.io/component: operator
     {{- include "kubernetes-operator.labels" $ | nindent 4 }}
+  annotations:
+    helm.sh/resource-policy: keep
   name: router
 {{- if or (or (or .replicas .resources) (or .labels .annotations)) (or .nodeSelector .tolerations) }}
 spec:

charts/kubernetes-operator/templates/pre-delete.yaml

@@ -1,69 +1,41 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "kubernetes-operator.fullname" . }}-delete-routers
-  labels:
-    app.kubernetes.io/component: operator
-    {{- include "kubernetes-operator.labels" . | nindent 4 }}
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-spec:
-  backoffLimit: 3
-  template:
-    metadata:
-      name: {{ include "kubernetes-operator.fullname" . }}
-      labels:
-        app.kubernetes.io/component: operator
-        {{- include "kubernetes-operator.labels" . | nindent 8 }}
-        {{- with .Values.operator.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-    spec:
-      containers:
-      - name: pre-delete
-        image: {{ .Values.ingress.kubernetesAPI.customKubectlImage | default "registry.suse.com/suse/kubectl:latest"}}
-        args:
-        - delete
-        - --all
-        - -A
-        - --cascade=foreground
-        - --ignore-not-found
-        - NBRoutingPeer
-      serviceAccountName: {{ include "kubernetes-operator.serviceAccountName" . }}
-      restartPolicy: Never
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "kubernetes-operator.fullname" . }}-delete-policies
-  labels:
-    app.kubernetes.io/component: operator
-    {{- include "kubernetes-operator.labels" . | nindent 4 }}
-  annotations:
-    helm.sh/hook: pre-delete
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-spec:
-  backoffLimit: 3
-  template:
-    metadata:
-      name: {{ include "kubernetes-operator.fullname" . }}
-      labels:
-        app.kubernetes.io/component: operator
-        {{- include "kubernetes-operator.labels" . | nindent 8 }}
-        {{- with .Values.operator.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-    spec:
-      containers:
-      - name: pre-delete
-        image: {{ .Values.ingress.kubernetesAPI.customKubectlImage | default "registry.suse.com/suse/kubectl:latest"}}
-        args:
-        - delete
-        - --all
-        - --cascade=foreground
-        - --ignore-not-found
-        - NBPolicy
-      serviceAccountName: {{ include "kubernetes-operator.serviceAccountName" . }}
-      restartPolicy: Never
----
+{{/*apiVersion: batch/v1*/}}
+{{/*kind: Job*/}}
+{{/*metadata:*/}}
+{{/*  name: {{ include "kubernetes-operator.fullname" . }}-delete-router-deployments*/}}
+{{/*  labels:*/}}
+{{/*    app.kubernetes.io/component: operator*/}}
+{{/*    {{- include "kubernetes-operator.labels" . | nindent 4 }}*/}}
+{{/*  annotations:*/}}
+{{/*    helm.sh/hook: pre-delete*/}}
+{{/*    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded*/}}
+{{/*spec:*/}}
+{{/*  backoffLimit: 3*/}}
+{{/*  template:*/}}
+{{/*    metadata:*/}}
+{{/*      name: {{ include "kubernetes-operator.fullname" . }}*/}}
+{{/*      labels:*/}}
+{{/*        app.kubernetes.io/component: operator*/}}
+{{/*        {{- include "kubernetes-operator.labels" . | nindent 8 }}*/}}
+{{/*        {{- with .Values.operator.podLabels }}*/}}
+{{/*        {{- toYaml . | nindent 8 }}*/}}
+{{/*        {{- end }}*/}}
+{{/*    spec:*/}}
+{{/*      containers:*/}}
+{{/*      - name: pre-delete*/}}
+{{/*        image: "netbirdio/kubectl:latest"*/}}
+{{/*        imagePullPolicy: {{ .Values.operator.image.pullPolicy }}*/}}
+{{/*        command:*/}}
+{{/*          - sh*/}}
+{{/*          - -c*/}}
+{{/*        args:*/}}
+{{/*          - kubectl get NBRoutingPeer -A --no-headers -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name | while read "L"; do kubectl patch --type=json -p '[{"op":"replace","path":"/spec/disableDeployment","value":true}]' NBRoutingPeer -n $(echo "$L" | awk '{print $1}') $(echo "$L" | awk '{print $2}'); done*/}}
+{{/*      - name: delete-wait*/}}
+{{/*        image: "netbirdio/kubectl:latest"*/}}
+{{/*        imagePullPolicy: {{ .Values.operator.image.pullPolicy }}*/}}
+{{/*        command:*/}}
+{{/*          - sh*/}}
+{{/*          - -c*/}}
+{{/*        args:*/}}
+{{/*          - kubectl get NBRoutingPeer -A --no-headers -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name | while read "L"; do kubectl wait --for=delete deployment -n $(echo "$L" | awk '{print $1}') $(echo "$L" | awk '{print $2}'); done*/}}
+{{/*      serviceAccountName: {{ include "kubernetes-operator.serviceAccountName" . }}*/}}
+{{/*      restartPolicy: Never*/}}

charts/kubernetes-operator/templates/webhook.yaml

@@ -96,84 +96,6 @@ webhooks:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-{{- if $.Values.webhook.enableCertManager }}
-  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "kubernetes-operator.fullname" . }}-serving-cert
-{{- end }}
-  name: {{ include "kubernetes-operator.fullname" . }}-vnbresource-webhook
-  labels:
-    {{- include "kubernetes-operator.labels" . | nindent 4 }}
-webhooks:
-- clientConfig:
-    {{- if not $.Values.webhook.enableCertManager }}
-    caBundle: {{ $tls.caCert }}
-    {{ end }}
-    service:
-      name: {{ template "kubernetes-operator.webhookService" . }}
-      namespace: {{ $.Release.Namespace }}
-      path: /validate-netbird-io-v1-nbresource
-  failurePolicy: {{ .Values.webhook.failurePolicy }}
-  name: vnbresource-v1.netbird.io
-  admissionReviewVersions:
-  - v1
-  {{- if .Values.webhook.namespaceSelectors }}
-  namespaceSelector:
-    matchExpressions:
-    {{ toYaml .Values.webhook.namespaceSelectors | nindent 4 }}
-  {{ end }}
-  rules:
-  - apiGroups:
-    - netbird.io
-    apiVersions:
-    - v1
-    operations:
-    - DELETE
-    resources:
-    - "nbresources"
-  sideEffects: None
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-{{- if $.Values.webhook.enableCertManager }}
-  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "kubernetes-operator.fullname" . }}-serving-cert
-{{- end }}
-  name: {{ include "kubernetes-operator.fullname" . }}-vnbroutingpeer-webhook
-  labels:
-    {{- include "kubernetes-operator.labels" . | nindent 4 }}
-webhooks:
-- clientConfig:
-    {{- if not $.Values.webhook.enableCertManager }}
-    caBundle: {{ $tls.caCert }}
-    {{ end }}
-    service:
-      name: {{ template "kubernetes-operator.webhookService" . }}
-      namespace: {{ $.Release.Namespace }}
-      path: /validate-netbird-io-v1-nbroutingpeer
-  failurePolicy: {{ .Values.webhook.failurePolicy }}
-  name: vnbroutingpeer-v1.netbird.io
-  admissionReviewVersions:
-  - v1
-  {{- if .Values.webhook.namespaceSelectors }}
-  namespaceSelector:
-    matchExpressions:
-    {{ toYaml .Values.webhook.namespaceSelectors | nindent 4 }}
-  {{ end }}
-  rules:
-  - apiGroups:
-    - netbird.io
-    apiVersions:
-    - v1
-    operations:
-    - DELETE
-    resources:
-    - "nbroutingpeers"
-  sideEffects: None
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
 {{- if $.Values.webhook.enableCertManager }}
   annotations:
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "kubernetes-operator.fullname" . }}-serving-cert