Merge remote-tracking branch 'origin/dev' into account-id

Author: Martin Linkhorst

cluster/cluster.yaml

@@ -1589,7 +1589,7 @@ Resources:
   DeploymentControllerRole:
     Type: AWS::IAM::Role
     Properties:
-      RoleName: "{{.Cluster.LocalID}}-deployment-service-controller"
+      RoleName: "{{.Cluster.ConfigItems.deployment_service_controller_role_name}}"
       AssumeRolePolicyDocument: !Sub
         - |
           {
@@ -1654,11 +1654,11 @@ Resources:
                   - 'sts:AssumeRole'
                 Effect: Allow
                 Resource:
-                  - !Sub "arn:aws:iam::${AWS::AccountId}:role/{{.Cluster.LocalID}}-deployment-service-deployment"
+                  - !Sub "arn:aws:iam::${AWS::AccountId}:role/{{.Cluster.ConfigItems.deployment_service_deployment_role_name}}"
   DeploymentControllerDeploymentRole:
     Type: AWS::IAM::Role
     Properties:
-      RoleName: "{{.Cluster.LocalID}}-deployment-service-deployment"
+      RoleName: "{{.Cluster.ConfigItems.deployment_service_deployment_role_name}}"
       AssumeRolePolicyDocument:
         Version: "2012-10-17"
         Statement:
@@ -1692,7 +1692,7 @@ Resources:
   DeploymentStatusServiceRole:
     Type: AWS::IAM::Role
     Properties:
-      RoleName: "{{.Cluster.LocalID}}-deployment-service-status-service"
+      RoleName: "{{.Cluster.ConfigItems.deployment_service_status_service_role_name}}"
       AssumeRolePolicyDocument: !Sub
         - |
           {

cluster/config-defaults.yaml

@@ -1040,6 +1040,9 @@ deployment_service_tokeninfo_url: ""
 deployment_service_lightstep_token: ""
 deployment_service_ml_experiments_enabled: "true"
 deployment_service_ml_experiments_role_name: "{{ .Cluster.LocalID }}-deployment-service-ml-experiment-deployment"
+deployment_service_controller_role_name: "{{ .Cluster.LocalID }}-deployment-service-controller"
+deployment_service_deployment_role_name: "{{ .Cluster.LocalID }}-deployment-service-deployment"
+deployment_service_status_service_role_name: "{{ .Cluster.LocalID }}-deployment-service-status-service"
 deployment_service_cf_auto_expand_enabled: "false"
 deployment_service_cf_update_source_branch_changes: "true"
 deployment_service_executor_cdp_permissions: "false"
@@ -1288,3 +1291,6 @@ aws_vpc_cni_network_policy_enforcing_mode: "standard"
 # aws-load-balancer-controller resource settings
 aws_load_balancer_controller_cpu: "100m"
 aws_load_balancer_controller_mem_max: "4Gi"
+
+# configure if sandbox-controller should be deployed
+sandbox_controller_enabled: "false" 

cluster/manifests/01-coredns-local/daemonset-coredns.yaml

@@ -180,6 +180,8 @@ spec:
         operator: Exists
       - key: dedicated
         operator: Exists
+      - key: "zalando.org/dedicated"
+        operator: Exists
       - key: aws.amazon.com/spot
         operator: Exists
       - key: zalando.org/node-not-ready

cluster/manifests/deletions.yaml

@@ -297,6 +297,11 @@ post_apply:
   kind : Deployment
   namespace: wiz
 {{- end }}
+{{ if ne .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
+- name: sandbox-controller
+  namespace: kube-system
+  kind: Deployment
+{{ end }}
 {{- if and (ne .Cluster.ConfigItems.wiz_enable_runtime_connector_broker "true") (ne .Cluster.ConfigItems.wiz_enable_runtime_connector "true") }}
 - name: wiz-connector-connector
   kind : Secret

cluster/manifests/deployment-service/01-config.yaml

@@ -19,7 +19,7 @@ data:
   s3-bucket-name: "{{ .Cluster.ConfigItems.deployment_service_bucket_name }}"
   status-service-url: "https://depl-status-{{.Cluster.Alias}}.{{.Values.hosted_zone}}"
   status-service-url-local: "http://deployment-status-service.ingress.cluster.local."
-  deployment-role-arn: "arn:aws:iam::{{.Cluster.InfrastructureAccountID}}:role/{{.Cluster.LocalID}}-deployment-service-deployment"
+  deployment-role-arn: "arn:aws:iam::{{.Cluster.InfrastructureAccountID}}:role/{{.Cluster.ConfigItems.deployment_service_deployment_role_name}}"
 {{- if eq .Cluster.ConfigItems.deployment_service_ml_experiments_enabled "true"}}
   ml-experiment-deployment-role-arn: "arn:aws:iam::{{.Cluster.InfrastructureAccountID}}:role/{{ .Cluster.ConfigItems.deployment_service_ml_experiments_role_name }}"
 {{- end }}

cluster/manifests/deployment-service/controller-rbac.yaml

@@ -8,9 +8,9 @@ metadata:
     component: "controller"
   annotations:
     {{- if eq .Cluster.Provider "zalando-eks" }}
-    eks.amazonaws.com/role-arn: "arn:aws:iam::{{.Cluster.InfrastructureAccountID}}:role/{{.Cluster.LocalID}}-deployment-service-controller"
+    eks.amazonaws.com/role-arn: "arn:aws:iam::{{.Cluster.InfrastructureAccountID}}:role/{{.Cluster.ConfigItems.deployment_service_controller_role_name}}"
     {{- else }}
-    iam.amazonaws.com/role: "{{.Cluster.LocalID}}-deployment-service-controller"
+    iam.amazonaws.com/role: "{{.Cluster.ConfigItems.deployment_service_controller_role_name}}"
     {{- end }}
 ---
 kind: ClusterRole

cluster/manifests/deployment-service/status-service-rbac.yaml

@@ -8,9 +8,9 @@ metadata:
     component: "status-service"
   annotations:
     {{- if eq .Cluster.Provider "zalando-eks" }}
-    eks.amazonaws.com/role-arn: "arn:aws:iam::{{.Cluster.InfrastructureAccountID}}:role/{{.Cluster.LocalID}}-deployment-service-status-service"
+    eks.amazonaws.com/role-arn: "arn:aws:iam::{{.Cluster.InfrastructureAccountID}}:role/{{.Cluster.ConfigItems.deployment_service_status_service_role_name}}"
     {{- else }}
-    iam.amazonaws.com/role: "{{.Cluster.LocalID}}-deployment-service-status-service"
+    iam.amazonaws.com/role: "{{.Cluster.ConfigItems.deployment_service_status_service_role_name}}"
     {{- end }}
 ---
 kind: ClusterRole

cluster/manifests/sandbox-controller/10-sandbox_crd.yaml

@@ -0,0 +1,38 @@
+{{ if eq .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: sandboxes.zalando.org
+spec:
+  group: zalando.org
+  names:
+    kind: Sandbox
+    plural: sandboxes
+    singular: sandbox
+    shortNames:
+      - sb
+  scope: Namespaced
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              required:
+                - testContext
+                - sourceHosts
+                - target
+              properties:
+                testContext:
+                  type: string
+                sourceHosts:
+                  type: array
+                  items:
+                    type: string
+                target:
+                  type: string
+{{ end }}

cluster/manifests/sandbox-controller/20-rbac.yaml

@@ -0,0 +1,68 @@
+{{ if eq .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sandbox-controller
+  namespace: kube-system
+  labels:
+    application: sandbox-controller
+    component: sandbox-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sandbox-controller
+  labels:
+    application: sandbox-controller
+    component: sandbox-controller
+rules:
+  - apiGroups:
+      - zalando.org
+    resources:
+      - sandboxes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - zalando.org
+    resources:
+      - routegroups
+    verbs:
+      - list
+      - watch
+      - get
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - list
+      - watch
+      - get
+      - create
+      - update
+      - patch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: sandbox-controller
+  labels:
+    application: sandbox-controller
+    component: sandbox-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: sandbox-controller
+subjects:
+  - kind: ServiceAccount
+    name: sandbox-controller
+    namespace: kube-system
+{{ end }}

cluster/manifests/sandbox-controller/30-deployment.yaml

@@ -0,0 +1,44 @@
+# {{ $image := "container-registry.zalando.net/gwproxy/sandbox-controller:main-8" }}
+# {{ $version := index (split $image ":") 1 }}
+
+{{ if eq .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sandbox-controller
+  namespace: kube-system
+  labels:
+    application: sandbox-controller
+    version: "{{ $version }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      application: sandbox-controller
+  template:
+    metadata:
+      labels:
+        application: sandbox-controller
+        version: "{{ $version }}"
+      annotations:
+        kubernetes-log-watcher/scalyr-parser: |
+          [{"container": "controller", "parser": "keyValue"}]
+        logging/destination: "{{ .Cluster.ConfigItems.log_destination_both }}"
+        # no metrics exposed so far
+        # prometheus.io/path: /metrics
+        # prometheus.io/port: "7979"
+        # prometheus.io/scrape: "true"
+    spec:
+      priorityClassName: "{{ .Cluster.ConfigItems.system_priority_class }}"
+      serviceAccountName: sandbox-controller
+      containers:
+        - name: controller
+          image: "{{ $image }}"
+          resources:
+            limits:
+              cpu: 50m
+              memory: 0.3Gi
+            requests:
+              cpu: 50m
+              memory: 0.3Gi
+{{ end }}