apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: amlen-system
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: amlens.amlen.com
spec:
group: amlen.com
names:
kind: Amlen
listKind: AmlenList
plural: amlens
singular: amlen
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Amlen is the Schema for the amlens API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of Amlen
properties:
device_cert_issuer:
properties:
mode:
enum:
- automatic
- manual
type: string
required:
- mode
type: object
x-kubernetes-preserve-unknown-fields: true
ha:
properties:
cert_issuer:
type: object
x-kubernetes-preserve-unknown-fields: true
enabled:
type: boolean
required:
- enabled
- cert_issuer
type: object
x-kubernetes-preserve-unknown-fields: true
ldap:
properties:
cert_issuer:
type: object
x-kubernetes-preserve-unknown-fields: true
enabled:
type: boolean
required:
- enabled
- cert_issuer
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
x-kubernetes-preserve-unknown-fields: true
status:
description: Status defines the observed state of Amlen
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: amlen-controller-manager
namespace: amlen-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: amlen-leader-election-role
namespace: amlen-system
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: amlen-manager-role
rules:
- apiGroups:
- ""
resources:
- secrets
- pods
- pods/exec
- pods/log
- services
- routes
- persistentvolumeclaims
- serviceaccounts
- configmaps
- jobs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- amlen.com
resources:
- amlens
- amlens/status
- amlens/finalizers
- jobs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- cert-manager.io
resources:
- certificates
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: amlen-metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: amlen-proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: amlen-leader-election-rolebinding
namespace: amlen-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: amlen-leader-election-role
subjects:
- kind: ServiceAccount
name: amlen-controller-manager
namespace: amlen-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: amlen-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: amlen-manager-role
subjects:
- kind: ServiceAccount
name: amlen-controller-manager
namespace: amlen-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: amlen-proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: amlen-proxy-role
subjects:
- kind: ServiceAccount
name: amlen-controller-manager
namespace: amlen-system
---
apiVersion: v1
data:
controller_manager_config.yaml: |
apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
kind: ControllerManagerConfig
health:
healthProbeBindAddress: :6789
metrics:
bindAddress: 127.0.0.1:8080
leaderElection:
leaderElect: true
resourceName: 811c9dc5.amlen.com
kind: ConfigMap
metadata:
name: amlen-manager-config
namespace: amlen-system
---
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: amlen-controller-manager-metrics-service
namespace: amlen-system
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
selector:
control-plane: controller-manager
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
control-plane: controller-manager
name: amlen-controller-manager
namespace: amlen-system
spec:
replicas: 1
selector:
matchLabels:
control-plane: controller-manager
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
control-plane: controller-manager
spec:
containers:
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- args:
- --health-probe-bind-address=:6789
- --metrics-bind-address=127.0.0.1:8080
- --leader-elect
- --leader-election-id=amlen
env:
- name: ANSIBLE_GATHERING
value: explicit
image: quay.io/amlen/operator:main
livenessProbe:
httpGet:
path: /healthz
port: 6789
initialDelaySeconds: 15
periodSeconds: 20
name: manager
readinessProbe:
httpGet:
path: /readyz
port: 6789
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 500m
memory: 768Mi
requests:
cpu: 10m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
securityContext:
runAsNonRoot: true
serviceAccountName: amlen-controller-manager
terminationGracePeriodSeconds: 10