Merge pull request #9149 from ameukam/kops-discovery-server-deploy

deploy kops discovery server

Author: k8s-ci-robot

kubernetes/apps/kops-discovery.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kops-discovery
+spec:
+  destination:
+    namespace: kops-discovery
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: kubernetes/gke-utility/kops-discovery
+    repoURL: https://github.com/kubernetes/k8s.io
+    targetRevision: main
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

kubernetes/gke-utility/kops-discovery/deployment.yaml

@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kops-discovery
+  labels:
+    app: kops-discovery
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: kops-discovery
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: kops-discovery
+    spec:
+      serviceAccountName: kops-discovery
+      terminationGracePeriodSeconds: 30
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: discovery-server
+          image: registry.k8s.io/kops/discovery-server:1.35.0-beta.1
+          args:
+            - --listen=:8443
+            - --storage=memory
+          ports:
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 256Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+          # Note: kops discovery server has no health endpoints, using TCP probe
+          livenessProbe:
+            tcpSocket:
+              port: 8443
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            tcpSocket:
+              port: 8443
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3

kubernetes/gke-utility/kops-discovery/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kops-discovery
+
+resources:
+  - rbac.yaml
+  - deployment.yaml
+  - service.yaml

kubernetes/gke-utility/kops-discovery/rbac.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kops-discovery
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: kops-discovery
+rules:
+  # Minimal permissions - discovery server uses in-memory storage
+  # Add permissions here if external storage integration is needed
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kops-discovery
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: kops-discovery
+subjects:
+  - kind: ServiceAccount
+    name: kops-discovery

kubernetes/gke-utility/kops-discovery/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kops-discovery
+  labels:
+    app: kops-discovery
+spec:
+  type: ClusterIP
+  ports:
+    - name: https
+      port: 443
+      targetPort: 8443
+      protocol: TCP
+  selector:
+    app: kops-discovery