Add kustomization for resource list extension

Add kustomization resources for the new Deployment, Service, APIService
and cert-manager configuration for the resource list extension.

Author: cmurphy

config/apiextension/apiextension.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: resourcelist-apiextension
+  name: resourcelist-apiextension
+  namespace: system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: resourcelist-apiextension
+  template:
+    metadata:
+      labels:
+        app: resourcelist-apiextension
+    spec:
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 1000
+      containers:
+      - image: controller:latest # this is usually overridden by kustomize
+        name: resourcelist
+        command:
+        - /apiextension
+        args:
+        - "--cert=/certs/tls.crt"
+        - "--key=/certs/tls.key"
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: certs
+          mountPath: /certs
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
+        ports:
+        - containerPort: 7443
+          name: server
+          protocol: TCP
+      volumes:
+      - secret:
+          defaultMode: 420
+          secretName: hnc-resourcelist-apiextension
+        name: certs

config/apiextension/apiservice.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha2.resources.hnc.x-k8s.io
+spec:
+  group: resources.hnc.x-k8s.io
+  version: v1alpha2
+  groupPriorityMinimum: 10
+  versionPriority: 10
+  service:
+    namespace: hnc-system
+    name: resourcelist
+    port: 7443

config/apiextension/kustomization.yaml

@@ -0,0 +1,4 @@
+resources:
+- apiextension.yaml
+- service.yaml
+- apiservice.yaml

config/apiextension/service.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: resourcelist
+  name: resourcelist
+spec:
+  ports:
+  - port: 7443
+    protocol: TCP
+    targetPort: 7443
+  selector:
+    app: resourcelist

config/certmanager/certificate.yaml

@@ -23,3 +23,16 @@ spec:
     kind: Issuer
     name: selfsigned-issuer
   secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: resourcelist
+spec:
+  dnsNames:
+  - $(APIEXT_SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  - $(APIEXT_SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: hnc-resourcelist

config/internalcert/manifests.yaml

@@ -1,5 +1,12 @@
+---
 apiVersion: v1
 kind: Secret
 metadata:
   name: webhook-server-cert
   namespace: system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: resourcelist
+  namespace: system

config/rbac/kustomization.yaml

@@ -6,3 +6,5 @@ resources:
 - aggregate_to_admin.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- resourcelist_role.yaml
+- resourcelist_rolebinding.yaml

config/rbac/resourcelist_role.yaml

@@ -0,0 +1,15 @@
+# Allow the resourcelist-apiextension deployment to read resources in order to re-register them as HNC resources.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: resourcelist
+rules:
+- apiGroups:
+  - "*"
+  resources:
+  - "*"
+  verbs:
+  - get
+  - list
+  - watch

config/rbac/resourcelist_rolebinding.yaml

@@ -0,0 +1,14 @@
+# Allow the resourcelist-apiextension deployment to read resources in order to re-register them as HNC resources.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: resourcelist
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: resourcelist
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: hnc-system

config/variants/default-cc/kustomization.yaml

@@ -14,6 +14,7 @@ bases:
 - ../../manager
 - ../../rbac
 - ../../webhook
+- ../../apiextension
 
 patches:
 - patch: |-

config/variants/default-cm/apiservicecainjection_patch.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha2.resources.hnc.x-k8s.io
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(APIEXT_CERTIFICATE_NAME)

config/variants/default-cm/kustomization.yaml

@@ -14,9 +14,11 @@ bases:
 - ../../manager
 - ../../rbac
 - ../../webhook
+- ../../apiextension
 
 patchesStrategicMerge:
 - webhookcainjection_patch.yaml
+- apiservicecainjection_patch.yaml
 
 vars:
 - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
@@ -45,3 +47,14 @@ vars:
     kind: Service
     version: v1
     name: webhook-service
+- name: APIEXT_SERVICE_NAME
+  objref:
+    kind: Service
+    version: v1
+    name: resourcelist
+- name: APIEXT_CERTIFICATE_NAME
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: resourcelist

config/variants/hrq/kustomization.yaml

@@ -14,6 +14,7 @@ bases:
 - ../../manager
 - ../../rbac
 - ../../webhook
+- ../../apiextension
 
 patchesStrategicMerge:
 - webhook_patch.yaml