feat: manual sleep (#49)

* move helm related code to another file * move network policy related code to another file * add comments for reconciliation of ucluster * feat: manual sleep * set controller ref on network policy * improvement: set host for ingress if available in the CR * ci: update roles in helm based on roles generated by operator-sdk * examples: for manual sleep * use spaces instead of indentation for the yaml fnr * improvement: add cluster role for pods
UffizziCloud · Sep 8, 2023 · 119cdc3 · 119cdc3
1 parent c6a9693
commit 119cdc3
Showing 12 changed files with 827 additions and 692 deletions.
diff --git a/Makefile b/Makefile
@@ -167,9 +167,21 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi
 
 .PHONY: build-helm-chart
 build-helm-chart: manifests generate fmt vet kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+	# update the crd
 	$(KUSTOMIZE) build config/crd > chart/templates/uffizziclusters.uffizzi.com_customresourcedefinition.yaml
 	yq e -i '.appVersion = "v${VERSION}"' chart/Chart.yaml
 	sed -i'' -e 's/labels:/labels: {{ include "common.labels.standard" . | nindent 4 }}/' chart/templates/uffizziclusters.uffizzi.com_customresourcedefinition.yaml
+	# copy roles config
+	cp config/rbac/role.yaml chart/templates/manager-role_clusterrole.yaml
+	sed -i'' -e 's/labels:/labels: {{ include "common.labels.standard" . | nindent 4 }}/' chart/templates/manager-role_clusterrole.yaml
+	sed -i'' -e 's/apiVersion: rbac.authorization.k8s.io\/v1/apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}/' chart/templates/manager-role_clusterrole.yaml
+	sed -i'' -e '/creationTimestamp: null/d' chart/templates/manager-role_clusterrole.yaml
+	sed -i'' -e 's/name: manager-role/name: {{ include "common.names.fullname" . }}-manager-role/' chart/templates/manager-role_clusterrole.yaml
+	sed -i'' -e '/metadata:/a\
+	  labels: {{ include "common.labels.standard" . | nindent 4 }}\
+	    app.kubernetes.io/component: rbac\
+	    app.kubernetes.io/part-of: uffizzi' chart/templates/manager-role_clusterrole.yaml
+
 
 ##@ Build Dependencies
 

diff --git a/api/v1alpha1/uffizzicluster_types.go b/api/v1alpha1/uffizzicluster_types.go
@@ -149,6 +149,7 @@ type UffizziClusterSpec struct {
 	Manifests     *string                      `json:"manifests,omitempty"`
 	ResourceQuota *UffizziClusterResourceQuota `json:"resourceQuota,omitempty"`
 	LimitRange    *UffizziClusterLimitRange    `json:"limitRange,omitempty"`
+	Sleep         bool                         `json:"sleep,omitempty"`
 }
 
 // UffizziClusterStatus defines the observed state of UffizziCluster

diff --git a/chart/templates/manager-role_clusterrole.yaml b/chart/templates/manager-role_clusterrole.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 kind: ClusterRole
 metadata:
@@ -6,6 +7,18 @@ metadata:
     app.kubernetes.io/part-of: uffizzi
   name: {{ include "common.names.fullname" . }}-manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -30,6 +43,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - helm.toolkit.fluxcd.io
   resources:

diff --git a/chart/templates/uffizziclusters.uffizzi.com_customresourcedefinition.yaml b/chart/templates/uffizziclusters.uffizzi.com_customresourcedefinition.yaml
@@ -189,6 +189,8 @@ spec:
                 required:
                 - enabled
                 type: object
+              sleep:
+                type: boolean
               ttl:
                 type: string
             type: object

diff --git a/config/crd/bases/uffizzi.com_uffizziclusters.yaml b/config/crd/bases/uffizzi.com_uffizziclusters.yaml
@@ -196,6 +196,8 @@ spec:
                 required:
                 - enabled
                 type: object
+              sleep:
+                type: boolean
               ttl:
                 type: string
             type: object

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -5,6 +5,18 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -29,6 +41,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - helm.toolkit.fluxcd.io
   resources:

diff --git a/controllers/helm.go b/controllers/helm.go
diff --git a/controllers/ingress.go b/controllers/ingress.go
@@ -5,5 +5,9 @@ import (
 )
 
 func BuildVClusterIngressHost(uCluster *v1alpha1.UffizziCluster) string {
-	return uCluster.Name + "-" + uCluster.Spec.Ingress.Host
+	host := ""
+	if uCluster.Spec.Ingress.Host != "" {
+		host = uCluster.Name + "-" + uCluster.Spec.Ingress.Host
+	}
+	return host
 }
diff --git a/controllers/networkpolicy.go b/controllers/networkpolicy.go
@@ -1 +1,65 @@
 package controllers
+
+import (
+	"fmt"
+	uclusteruffizzicomv1alpha1 "github.com/UffizziCloud/uffizzi-cluster-operator/api/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func (r *UffizziClusterReconciler) buildEgressPolicy(uCluster *uclusteruffizzicomv1alpha1.UffizziCluster) *networkingv1.NetworkPolicy {
+	port443 := intstr.FromInt(443)
+	port80 := intstr.FromInt(80)
+	TCP := corev1.ProtocolTCP
+	uClusterHelmReleaseName := BuildVClusterHelmReleaseName(uCluster)
+	egressPolicy := &networkingv1.NetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-workloads-ingress", uClusterHelmReleaseName),
+			Namespace: uCluster.Namespace,
+		},
+		Spec: networkingv1.NetworkPolicySpec{
+			Egress: []networkingv1.NetworkPolicyEgressRule{
+				{
+					Ports: []networkingv1.NetworkPolicyPort{
+						{
+							Port:     &port443,
+							Protocol: &TCP,
+						},
+						{
+							Port:     &port80,
+							Protocol: &TCP,
+						},
+					},
+					To: []networkingv1.NetworkPolicyPeer{
+						{
+							PodSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"app.kubernetes.io/component": "controller",
+									"app.kubernetes.io/name":      "ingress-nginx",
+								},
+							},
+						},
+						{
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"kubernetes.io/metadata.name": "uffizzi",
+								},
+							},
+						},
+					},
+				},
+			},
+			PodSelector: metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"vcluster.loft.sh/managed-by": uClusterHelmReleaseName,
+				},
+			},
+			PolicyTypes: []networkingv1.PolicyType{
+				networkingv1.PolicyTypeEgress,
+			},
+		},
+	}
+	return egressPolicy
+}
diff --git a/controllers/uffizzicluster_controller.go b/controllers/uffizzicluster_controller.go
diff --git a/examples/basic-sleep.yml b/examples/basic-sleep.yml
@@ -0,0 +1,6 @@
+kind: UffizziCluster
+apiVersion: uffizzi.com/v1alpha1
+metadata:
+  name: basic-sleep-1
+spec:
+  sleep: false
diff --git a/examples/testnode-ucluster.yml b/examples/testnode-ucluster.yml