controller manifest for kustomize (#13)

* controller manifest for kustomize

modify resource names to amazon-network-policy-controller-k8s

* pass go runner image as arg

Dockerfile

@@ -1,9 +1,13 @@
-# Build the manager binary
-FROM golang:1.19 as builder
-ARG TARGETOS
-ARG TARGETARCH
+ARG BASE_IMAGE
+ARG BUILD_IMAGE
+ARG GO_RUNNER_IMAGE
+ARG ARCH=amd64
+# Build the controller binary
+FROM $BUILD_IMAGE as builder
 
 WORKDIR /workspace
+ENV GOPROXY direct
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
@@ -12,22 +16,27 @@ COPY go.sum go.sum
 RUN go mod download
 
 # Copy the go source
+COPY .git/ .git/
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
+COPY pkg/ pkg/
 COPY internal/controller/ internal/controller/
 
+# Version package for passing the ldflags
+# TODO: change this to network controller's version
+ENV VERSION_PKG=https://github.com/aws/amazon-network-policy-controller-k8s/pkg/version
 # Build
-# the GOARCH has not a default value to allow the binary be built according to the host where the command
-# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
-# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
-# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
+RUN GIT_VERSION=$(git describe --tags --always) && \
+        GIT_COMMIT=$(git rev-parse HEAD) && \
+        BUILD_DATE=$(date +%Y-%m-%dT%H:%M:%S%z) && \
+        CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} GO111MODULE=on go build \
+        -ldflags="-X ${VERSION_PKG}.GitVersion=${GIT_VERSION} -X ${VERSION_PKG}.GitCommit=${GIT_COMMIT} -X ${VERSION_PKG}.BuildDate=${BUILD_DATE}" -a -o controller main.go
+
+FROM $BASE_IMAGE
 
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /workspace/manager .
+COPY --from=$GO_RUNNER_IMAGE /go-runner /usr/local/bin/go-runner
+COPY --from=builder /workspace/controller .
 USER 65532:65532
 
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/controller"]

Makefile

@@ -57,14 +57,13 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=controller-k8s crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen mockgen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 	MOCKGEN=$(MOCKGEN) ./scripts/gen_mocks.sh
 
-
 .PHONY: fmt
 fmt: ## Run go fmt against code.
 	go fmt ./...
@@ -80,8 +79,8 @@ test: manifests generate fmt vet envtest ## Run tests.
 ##@ Build
 
 .PHONY: build
-build: manifests generate fmt vet ## Build manager binary.
-	go build -o bin/manager cmd/main.go
+build: manifests generate fmt vet ## Build controller binary.
+	go build -o bin/controller cmd/main.go
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
@@ -98,16 +97,6 @@ image-push: ko
 	BUILD_DATE=$(shell date +%Y-%m-%dT%H:%M:%S%z) \
 	$(KO) build --tags $(word 2,$(subst :, ,${IMG})) --platform=${PLATFORM} --bare --sbom ${IMG_SBOM} ./cmd
 
-.PHONY: docker-buildx
-docker-buildx: test ## Build and push docker image for the manager for cross-platform support
-	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
-	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
-	- docker buildx create --name project-v3-builder
-	docker buildx use project-v3-builder
-	- docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
-	- docker buildx rm project-v3-builder
-	rm Dockerfile.cross
-
 ##@ Deployment
 
 ifndef ignore-not-found
@@ -124,7 +113,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/controller && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
 
 .PHONY: undeploy
@@ -179,3 +168,11 @@ $(KO): $(LOCALBIN)
 mockgen: $(MOCKGEN)
 $(MOCKGEN): $(LOCALBIN)
 	test -s $(MOCKGEN) || GOBIN=$(LOCALBIN) go install github.com/golang/mock/mockgen@v1.6.0
+
+GOARCH=amd64
+BUILD_IMAGE=public.ecr.aws/docker/library/golang:1.20.5
+BASE_IMAGE=public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:latest.2
+GO_RUNNER_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.15.0-eks-1-27-3
+.PHONY: docker-buildx
+docker-buildx: test
+	docker buildx build --platform=$(PLATFORMS) -t $(IMG)-$(GOARCH) --build-arg BASE_IMAGE=$(BASE_IMAGE) --build-arg BUILD_IMAGE=$(BUILD_IMAGE) --build-arg $(GOARCH) --load .

config/controller/controller.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-k8s
+  labels:
+    app.kubernetes.io/component: controller
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: controller
+      labels:
+        app.kubernetes.io/component: controller
+    spec:
+      containers:
+        - image: controller:latest
+          name: controller
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+      serviceAccountName: controller-k8s
+      terminationGracePeriodSeconds: 10

config/controller/kustomization.yaml

@@ -0,0 +1,8 @@
+resources:
+- controller.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: public.ecr.aws/eks/amazon-network-policy-controller-k8s
+  newTag: v0.5.0

config/crd/kustomization.yaml

@@ -11,7 +11,7 @@ patchesStrategicMerge:
 #- patches/webhook_in_policyendpoints.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
-# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
+# [CERTMANAGER] To enable cert-controller, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
 #- patches/cainjection_in_policyendpoints.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch

config/default/kustomization.yaml

@@ -1,122 +1,121 @@
 # Adds namespace to all resources.
-namespace: amazon-network-policy-controller-k8s-system
+namespace: kube-system
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: amazon-network-policy-controller-k8s-
+namePrefix: amazon-network-policy-
 
 # Labels to add to all resources and selectors.
-#labels:
-#- includeSelectors: true
-#  pairs:
-#    someName: someValue
+# Labels to add to all resources and selectors.
+commonLabels:
+  app.kubernetes.io/name: amazon-network-policy-controller-k8s
 
 resources:
 - ../crd
 - ../rbac
-- ../manager
+- ../controller
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
+# [CERTMANAGER] To enable cert-controller, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
 #- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
 
 patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
-# If you want your controller-manager to expose the /metrics
+# If you want your controller-controller to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
+# - manager_auth_proxy_patch.yaml
 
 
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- manager_webhook_patch.yaml
 
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
+# [CERTMANAGER] To enable cert-controller, uncomment all sections with 'CERTMANAGER'.
 # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
 # 'CERTMANAGER' needs to be enabled to use ca injection
 #- webhookcainjection_patch.yaml
 
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-# Uncomment the following replacements to add the cert-manager CA injection annotations
+# [CERTMANAGER] To enable cert-controller, uncomment all sections with 'CERTMANAGER' prefix.
+# Uncomment the following replacements to add the cert-controller CA injection annotations
 #replacements:
-#  - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
+#  - source: # Add cert-controller annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
 #      kind: Certificate
-#      group: cert-manager.io
+#      group: cert-controller.io
 #      version: v1
 #      name: serving-cert # this name should match the one in certificate.yaml
 #      fieldPath: .metadata.namespace # namespace of the certificate CR
 #    targets:
 #      - select:
 #          kind: ValidatingWebhookConfiguration
 #        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#          - .metadata.annotations.[cert-controller.io/inject-ca-from]
 #        options:
 #          delimiter: '/'
 #          index: 0
 #          create: true
 #      - select:
 #          kind: MutatingWebhookConfiguration
 #        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#          - .metadata.annotations.[cert-controller.io/inject-ca-from]
 #        options:
 #          delimiter: '/'
 #          index: 0
 #          create: true
 #      - select:
 #          kind: CustomResourceDefinition
 #        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#          - .metadata.annotations.[cert-controller.io/inject-ca-from]
 #        options:
 #          delimiter: '/'
 #          index: 0
 #          create: true
 #  - source:
 #      kind: Certificate
-#      group: cert-manager.io
+#      group: cert-controller.io
 #      version: v1
 #      name: serving-cert # this name should match the one in certificate.yaml
 #      fieldPath: .metadata.name
 #    targets:
 #      - select:
 #          kind: ValidatingWebhookConfiguration
 #        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#          - .metadata.annotations.[cert-controller.io/inject-ca-from]
 #        options:
 #          delimiter: '/'
 #          index: 1
 #          create: true
 #      - select:
 #          kind: MutatingWebhookConfiguration
 #        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#          - .metadata.annotations.[cert-controller.io/inject-ca-from]
 #        options:
 #          delimiter: '/'
 #          index: 1
 #          create: true
 #      - select:
 #          kind: CustomResourceDefinition
 #        fieldPaths:
-#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#          - .metadata.annotations.[cert-controller.io/inject-ca-from]
 #        options:
 #          delimiter: '/'
 #          index: 1
 #          create: true
-#  - source: # Add cert-manager annotation to the webhook Service
+#  - source: # Add cert-controller annotation to the webhook Service
 #      kind: Service
 #      version: v1
 #      name: webhook-service
 #      fieldPath: .metadata.name # namespace of the service
 #    targets:
 #      - select:
 #          kind: Certificate
-#          group: cert-manager.io
+#          group: cert-controller.io
 #          version: v1
 #        fieldPaths:
 #          - .spec.dnsNames.0
@@ -133,7 +132,7 @@ patchesStrategicMerge:
 #    targets:
 #      - select:
 #          kind: Certificate
-#          group: cert-manager.io
+#          group: cert-controller.io
 #          version: v1
 #        fieldPaths:
 #          - .spec.dnsNames.0

config/default/manager_auth_proxy_patch.yaml

@@ -1,9 +1,9 @@
 # This patch inject a sidecar container which is a HTTP proxy for the
-# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+# controller controller, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: controller-manager
+  name: controller-controller
   namespace: system
 spec:
   template:
@@ -48,7 +48,7 @@ spec:
           requests:
             cpu: 5m
             memory: 64Mi
-      - name: manager
+      - name: controller
         args:
         - "--health-probe-bind-address=:8081"
         - "--metrics-bind-address=127.0.0.1:8080"

config/default/manager_config_patch.yaml

@@ -1,10 +1,10 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: controller-manager
+  name: controller-controller
   namespace: system
 spec:
   template:
     spec:
       containers:
-      - name: manager
+      - name: controller