feat: add configs (#41)

config/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: resourceconsist-manager
+    app.kubernetes.io/name: namespace
+    app.kubernetes.io/instance: system
+    app.kubernetes.io/component: manager
+    app.kubernetes.io/created-by: resourceconsist
+    app.kubernetes.io/part-of: resourceconsist
+  name: resourceconsist

config/rbac/rbac.yaml

@@ -0,0 +1,192 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: resourceconsist-manager
+  namespace: resourceconsist
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: resourceconsist-leader-election-role
+  namespace: resourceconsist
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: resourceconsist-manager-role
+rules:
+  - apiGroups:
+      - apps
+    resources:
+      - controllerrevisions
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps.kusionstack.io
+    resources:
+      - "*"
+      - "*/status"
+      - "*/finalizers"
+    verbs:
+      - "*"
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - persistentvolumeclaims
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: resourceconsist-webhook-role
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+      - validatingwebhookconfigurations
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets/status
+    verbs:
+      - get
+      - patch
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: resourceconsist-leader-election-rolebinding
+  namespace: resourceconsist
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: resourceconsist-leader-election-role
+subjects:
+  - kind: ServiceAccount
+    name: resourceconsist-manager
+    namespace: resourceconsist
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: resourceconsist-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: resourceconsist-manager-role
+subjects:
+  - kind: ServiceAccount
+    name: resourceconsist-manager
+    namespace: resourceconsist
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: resourceconsist-webhook-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: resourceconsist-webhook-role
+subjects:
+  - kind: ServiceAccount
+    name: resourceconsist-manager
+    namespace: resourceconsist

config/statefulset.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    control-plane: resourceconsist-manager
+  name: resourceconsist-manager
+  namespace: resourceconsist
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      control-plane: resourceconsist-manager
+  serviceName: resourceconsist-manager
+  template:
+    metadata:
+      labels:
+        control-plane: resourceconsist-manager
+    spec:
+      containers:
+        - args:
+            - --leader-elect=true
+            - --cert-dir=/webhook-certs
+            - --dns-name=resourceconsist-manager.resourceconsist.svc
+            - --health-probe-bind-address=:8081
+            - --metrics-bind-address=127.0.0.1:8080
+            - -v=4
+          command:
+            - /manager
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          image: kusionstack/resourceconsist:v0.1.0
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          name: manager
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            limits:
+              cpu: 500m
+              memory: 128Mi
+            requests:
+              cpu: 10m
+              memory: 64Mi
+      serviceAccountName: resourceconsist-manager
+      terminationGracePeriodSeconds: 0
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: webhook-certs
+updateStrategy:
+  type: OnDelete

config/webhook/service.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: resourceconsist-manager
+  namespace: resourceconsist
+spec:
+  ports:
+    - port: 443
+      targetPort: 9443
+  selector:
+    control-plane: resourceconsist-manager

config/webhook/webhook.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: resourceconsist-manager-mutating
+webhooks:
+  - admissionReviewVersions:
+      - v1
+      - v1beta1
+    clientConfig:
+      service:
+        namespace: resourceconsist
+        name: resourceconsist-manager
+        path: /mutating-generic
+    failurePolicy: Fail
+    name: mutating-pod.apps.kusionstack.io
+    objectSelector:
+      matchExpressions:
+        - key: kusionstack.io/control
+          operator: In
+          values:
+            - "true"
+    rules:
+      - apiGroups:
+          - '*'
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        resources:
+          - pods
+          - pods/status
+        scope: '*'
+    sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: resourceconsist-manager-validating
+webhooks:
+  - admissionReviewVersions:
+      - v1
+      - v1beta1
+    clientConfig:
+      service:
+        namespace: resourceconsist
+        name: resourceconsist-manager
+        path: /validating-generic
+    failurePolicy: Fail
+    name: validating-pod.apps.kusionstack.io
+    objectSelector:
+      matchExpressions:
+        - key: kusionstack.io/control
+          operator: In
+          values:
+            - "true"
+    rules:
+      - apiGroups:
+          - '*'
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        resources:
+          - pods
+        scope: '*'
+    sideEffects: None