Add Kubernetes operator deployment files and certificates

Author: kanadaj

.config/dotnet-tools.json

@@ -3,10 +3,11 @@
   "isRoot": true,
   "tools": {
     "kubeops.cli": {
-      "version": "9.0.0",
+      "version": "9.8.2",
       "commands": [
         "kubeops"
-      ]
+      ],
+      "rollForward": false
     }
   }
 }

Docker/Converters/ContainerConverter.cs

@@ -287,7 +287,7 @@ protected virtual V1PodSpec GeneratePodSpec(string name, DockerService service,
     {
         if ((sentryDeployment.Spec.Resources?.TryGetValue(name, out var resource) ?? false) && resource.Requests != null)
         {
-            return resource.Requests;
+            return resource.Requests.ToDictionary();
         }
 
         return name switch
@@ -336,7 +336,7 @@ _ when name.Contains("replacer") => sentryDeployment.Spec.Resources?.Replacer?.R
     {
         if ((sentryDeployment.Spec.Resources?.TryGetValue(name, out var resource) ?? false) && resource.Limits != null)
         {
-            return resource.Limits;
+            return resource.Limits.ToDictionary();
         }
 
         return name switch

Entities/SentryDeployment.cs

@@ -67,17 +67,61 @@ public class SentryDeploymentCertificateConfig
     public string[] CustomHosts { get; set; } = Array.Empty<string>();
 }
 
-public class ResourceLimitConfig : Dictionary<string, V1ResourceRequirements>
+public class ResourceLimitConfig : Dictionary<string, ResourceRequirementDefinition>
 {
-    public V1ResourceRequirements? Web { get; set; }
-    public V1ResourceRequirements? Worker { get; set; }
-    public V1ResourceRequirements? Cron { get; set; }
-    public V1ResourceRequirements? Snuba { get; set; }
-    public V1ResourceRequirements? Relay { get; set; }
-    public V1ResourceRequirements? Consumer { get; set; }
-    public V1ResourceRequirements? Ingest { get; set; }
-    public V1ResourceRequirements? Forwarder { get; set; }
-    public V1ResourceRequirements? Replacer { get; set; }
+    public ResourceRequirementDefinition? Web { get; set; }
+    public ResourceRequirementDefinition? Worker { get; set; }
+    public ResourceRequirementDefinition? Cron { get; set; }
+    public ResourceRequirementDefinition? Snuba { get; set; }
+    public ResourceRequirementDefinition? Relay { get; set; }
+    public ResourceRequirementDefinition? Consumer { get; set; }
+    public ResourceRequirementDefinition? Ingest { get; set; }
+    public ResourceRequirementDefinition? Forwarder { get; set; }
+    public ResourceRequirementDefinition? Replacer { get; set; }
     // ReSharper disable once InconsistentNaming
-    public V1ResourceRequirements? GeoIP { get; set; }
+    public ResourceRequirementDefinition? GeoIP { get; set; }
+}
+
+public class ResourceRequirementDefinition
+{
+    public ResourceRequirement? Limits { get; set; }
+    public ResourceRequirement? Requests { get; set; }
+}
+
+public class ResourceRequirement
+{
+    public string? Cpu { get; set; }
+    public string? Memory { get; set; }
+    
+    public ResourceRequirement(string? cpu, string? memory)
+    {
+        Cpu = cpu;
+        Memory = memory;
+    }
+    
+    public ResourceRequirement() {}
+    
+    public static implicit operator Dictionary<string, ResourceQuantity>(ResourceRequirement requirement)
+    {
+        return requirement.ToDictionary();
+    }
+
+    public Dictionary<string, ResourceQuantity> ToDictionary()
+    {
+        var result = new Dictionary<string, ResourceQuantity>();
+        if (Cpu != null)
+        {
+            result["cpu"] = new ResourceQuantity(Cpu);
+        }
+        if (Memory != null)
+        {
+            result["memory"] = new ResourceQuantity(Memory);
+        }
+        return result;
+    }
+    
+    public override string ToString()
+    {
+        return $"Cpu: {Cpu}, Memory: {Memory}";
+    }
 }

config/Dockerfile

@@ -0,0 +1,18 @@
+FROM mcr.microsoft.com/dotnet/sdk:latest as build
+WORKDIR /operator
+
+COPY ./ ./
+RUN dotnet publish -c Release /p:AssemblyName=operator -o out
+
+# The runner for the application
+FROM mcr.microsoft.com/dotnet/aspnet:latest as final
+
+RUN addgroup k8s-operator && useradd -G k8s-operator operator-user
+
+WORKDIR /operator
+COPY --from=build /operator/out/ ./
+RUN chown operator-user:k8s-operator -R .
+
+USER operator-user
+
+ENTRYPOINT [ "dotnet", "operator.dll" ]

config/ca.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCATugAwIBAgIIIFBZeo8c6QAwCgYIKoZIzj0EAwQwPjETMBEGA1UEBxMK
+S3ViZXJuZXRlczEMMAoGA1UEBhMDREVWMRkwFwYDVQQDExBPcGVyYXRvciBSb290
+IENBMB4XDTI1MDYyNDAwMDAwMFoXDTMwMDYyNDAwMDAwMFowPjETMBEGA1UEBxMK
+S3ViZXJuZXRlczEMMAoGA1UEBhMDREVWMRkwFwYDVQQDExBPcGVyYXRvciBSb290
+IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXZS0HVIV3WM0BLzrsL86npUk
+w0jOfB/UmlJNowlBBCaa1tzCiNt2mpARiX8peMm2pzvkcZkYEoXR578r+ttGnqMj
+MCEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCASYwCgYIKoZIzj0EAwQD
+SQAwRgIhAPNoj/wfQ9ZEqY50ai8yP8YmDXhDgl248I2lFDCh83lvAiEA4QuA2M7C
+AuAad+ugXoFGHQWk2ZleltKhS5mTfC15L94=
+-----END CERTIFICATE-----

config/deployment.yaml

@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    operator-deployment: kubernetes-operator
+  name: operator
+spec:
+  replicas: 1
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      operator-deployment: kubernetes-operator
+  template:
+    metadata:
+      labels:
+        operator-deployment: kubernetes-operator
+    spec:
+      containers:
+      - env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        envFrom:
+        - configMapRef:
+            name: webhook-config
+        image: operator
+        name: operator
+        ports:
+        - containerPort: 5001
+          name: https
+        resources:
+          limits:
+            cpu: 100m
+            memory: 128Mi
+          requests:
+            cpu: 100m
+            memory: 64Mi
+        volumeMounts:
+        - mountPath: /certs
+          name: certificates
+          readOnly: true
+        - mountPath: /ca
+          name: ca-certificates
+          readOnly: true
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - name: certificates
+        secret:
+          secretName: webhook-cert
+      - name: ca-certificates
+        secret:
+          secretName: webhook-ca

config/kustomization.yaml

@@ -0,0 +1,36 @@
+namespace: sentryoperator-system
+namePrefix: sentryoperator-
+labels:
+- includeSelectors: true
+  pairs:
+    operator: sentryoperator
+resources:
+- operator-role.yaml
+- operator-role-binding.yaml
+- deployment.yaml
+- service.yaml
+- validators.yaml
+- sentrydeployments_sentry_io.yaml
+- namespace.yaml
+images:
+- name: operator
+  newName: accessible-docker-image
+  newTag: latest
+configMapGenerator:
+- name: webhook-config
+  literals:
+  - KESTREL__ENDPOINTS__HTTP__URL=http://0.0.0.0:5000
+  - KESTREL__ENDPOINTS__HTTPS__URL=https://0.0.0.0:5001
+  - KESTREL__ENDPOINTS__HTTPS__CERTIFICATE__PATH=/certs/svc.pem
+  - KESTREL__ENDPOINTS__HTTPS__CERTIFICATE__KEYPATH=/certs/svc-key.pem
+secretGenerator:
+- name: webhook-ca
+  files:
+  - ca.pem
+  - ca-key.pem
+- name: webhook-cert
+  files:
+  - svc.pem
+  - svc-key.pem
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization

config/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system

config/operator-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: operator-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: operator-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system

config/operator-role.yaml

@@ -0,0 +1,99 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: operator-role
+rules:
+- apiGroups:
+  - cert-manager.io
+  nonResourceURLs: []
+  resources:
+  - certificates
+  verbs:
+  - get
+  - create
+  - patch
+  - delete
+- apiGroups:
+  - sentry.io
+  resources:
+  - sentrydeployments
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - secrets
+  - configmaps
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - get
+  - list
+  - create
+  - update
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - sentry.io
+  resources:
+  - sentrydeployments/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - apps
+  resources:
+  - deployments/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  verbs:
+  - get
+  - update
+  - patch