docs: add ./examples dir with k8s manifests

.github/workflows/release.yaml

@@ -6,6 +6,7 @@ on:
     paths-ignore:
       - README.md
       - doc/**
+      - examples/**
       - .github/**
       - renovate.json5
   workflow_dispatch:

README.md

@@ -2,6 +2,10 @@
 
 A Kubernetes controller that watches Kubernetes Nodes and copies labels from the node to the cloud provider's VM as tags (AWS) or labels (GCP).
 
+## Deployment
+
+See the [./examples](./examples) directory for example manifests. These are just examples, please read them carefully and adjust if needed.
+
 ## Testing
 
 - lint: `make lint`

examples/ciliumnetworkpolicy.yaml

@@ -0,0 +1,54 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: k8s-node-tagger
+specs:
+  - description: Allow access to AWS STS API
+    endpointSelector:
+      matchLabels:
+        app: k8s-node-tagger
+    egress:
+      - toFQDNs:
+          - matchName: sts.amazonaws.com
+          - matchPattern: sts.*.amazonaws.com
+        toPorts:
+          - ports:
+              - port: "443"
+                protocol: TCP
+
+  - description: Allow access to AWS EC2 API
+    endpointSelector:
+      matchLabels:
+        app: k8s-node-tagger
+    egress:
+      - toFQDNs:
+          - matchName: ec2.amazonaws.com
+          - matchPattern: ec2.*.amazonaws.com
+        toPorts:
+          - ports:
+              - port: "443"
+                protocol: TCP
+
+  - description: Allow access to GCP GCE instance metadata service
+    endpointSelector:
+      matchLabels:
+        app: k8s-node-tagger
+    egress:
+      - toCIDR:
+          - 169.254.169.254/32
+        toPorts:
+          - ports:
+              - port: "80"
+                protocol: TCP
+
+  - description: Allow access to GCP GCE API
+    endpointSelector:
+      matchLabels:
+        app: k8s-node-tagger
+    egress:
+      - toFQDNs:
+          - matchName: compute.googleapis.com
+        toPorts:
+          - ports:
+              - port: "443"
+                protocol: TCP

examples/deployment.yaml

@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8s-node-tagger
+spec:
+  # NOTE: we could do replicas: 2 here. If so, add the '-enable-leader-election' flag
+  replicas: 1
+
+  selector:
+    matchLabels:
+      app: k8s-node-tagger
+  template:
+    metadata:
+      labels:
+        app: k8s-node-tagger
+    spec:
+      serviceAccountName: k8s-node-tagger
+      containers:
+        - name: k8s-node-tagger
+          image: ghcr.io/planetscale/k8s-node-tagger:v0.0.15@sha256:7e5074b10cc113afaf6ea17465ad8de2b9b08acf24cc55e98f4eb5aafe4e1982
+          imagePullPolicy: IfNotPresent
+          args:
+            - -cloud=aws
+            # - -cloud=gcp
+            - -labels=database-branch-id,psdb.co/shard,psdb.co/cluster,psdb.co/keyspace,psdb.co/component,psdb.co/size
+            - -json
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+            - name: metrics
+              containerPort: 8081
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+          resources:
+            requests:
+              memory: 64Mi

examples/rbac.yaml

@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8s-node-tagger
+
+# clusterrole for k8s-node-tagger to read/watch nodes
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: k8s-node-tagger
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: k8s-node-tagger
+subjects:
+  - kind: ServiceAccount
+    name: k8s-node-tagger
+    namespace: k8s-node-tagger
+roleRef:
+  kind: ClusterRole
+  name: k8s-node-tagger
+  apiGroup: rbac.authorization.k8s.io
+
+# namespace role for k8s-node-tagger to use the lease API. Shouldn't be needed if leader election is disabled.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: k8s-node-tagger
+rules:
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - update
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: k8s-node-tagger
+subjects:
+  - kind: ServiceAccount
+    name: k8s-node-tagger
+    namespace: k8s-node-tagger
+roleRef:
+  kind: Role
+  name: k8s-node-tagger
+  apiGroup: rbac.authorization.k8s.io

examples/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8s-node-tagger
+  labels:
+    app: k8s-node-tagger
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http
+    - name: metrics
+      port: 8081
+      targetPort: metrics
+  selector:
+    app: k8s-node-tagger

examples/servicemonitor.yaml

@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: k8s-node-tagger
+spec:
+  endpoints:
+    - port: metrics
+  jobLabel: jobLabel
+  namespaceSelector:
+    matchNames:
+      - k8s-node-tagger
+  selector:
+    matchLabels:
+      app: k8s-node-tagger