diff --git a/.github/workflows/controllers.yml b/.github/workflows/controllers.yml index 1577b7bf132..0f846527bfc 100644 --- a/.github/workflows/controllers.yml +++ b/.github/workflows/controllers.yml @@ -99,6 +99,7 @@ jobs: - { name: job-heartbeat, path: job/heartbeat } - { name: resources, path: resources } - { name: node, path: node } + - { name: devbox, path: devbox} - { name: objectstorage, path: objectstorage } steps: - name: Checkout @@ -201,6 +202,7 @@ jobs: - { name: job-heartbeat, path: job/heartbeat } - { name: resources, path: resources } - { name: node, path: node } + - { name: devbox, path: devbox } - { name: objectstorage, path: objectstorage } steps: - name: Checkout diff --git a/controllers/devbox/Makefile b/controllers/devbox/Makefile index c0f6ac9a315..eb4c94ee6d5 100644 --- a/controllers/devbox/Makefile +++ b/controllers/devbox/Makefile @@ -65,11 +65,11 @@ test: manifests generate fmt vet envtest ## Run tests. .PHONY: build build: ## Build manager binary. - CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -ldflags "-s -w" -trimpath -o bin/manager main.go + CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -ldflags "-s -w" -trimpath -o bin/manager cmd/main.go .PHONY: run run: manifests generate fmt vet ## Run a controller from your host. - go run ./main.go + go run ./cmd/main.go .PHONY: docker-build docker-build: test ## Build docker image with the manager. diff --git a/controllers/devbox/config/crd/bases/devbox.sealos.io_devboxes.yaml b/controllers/devbox/config/crd/bases/devbox.sealos.io_devboxes.yaml index bfb4d3d1eb4..bc56fca4209 100644 --- a/controllers/devbox/config/crd/bases/devbox.sealos.io_devboxes.yaml +++ b/controllers/devbox/config/crd/bases/devbox.sealos.io_devboxes.yaml 
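Review bot: `- { name: devbox, path: devbox}` in the first controllers.yml hunk is missing the space before the closing brace that every other matrix entry has, including the second hunk's own `- { name: devbox, path: devbox }`. Make it `- { name: devbox, path: devbox }` so the two job matrices stay textually identical and a future diff between them shows only real differences. The Makefile hunk on this line is a plain path move and needs nothing.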
@@ -17,7 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: devboxes.devbox.sealos.io spec: group: devbox.sealos.io @@ -90,7 +90,7 @@ spec: Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array type: diff --git a/controllers/devbox/config/crd/bases/devbox.sealos.io_devboxreleases.yaml b/controllers/devbox/config/crd/bases/devbox.sealos.io_devboxreleases.yaml index 54ae4eaa25d..930780f3a77 100644 --- a/controllers/devbox/config/crd/bases/devbox.sealos.io_devboxreleases.yaml +++ b/controllers/devbox/config/crd/bases/devbox.sealos.io_devboxreleases.yaml @@ -17,7 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: devboxreleases.devbox.sealos.io spec: group: devbox.sealos.io diff --git a/controllers/devbox/config/crd/bases/devbox.sealos.io_operationrequests.yaml b/controllers/devbox/config/crd/bases/devbox.sealos.io_operationrequests.yaml index aae135326bc..df5f0d04011 100644 --- a/controllers/devbox/config/crd/bases/devbox.sealos.io_operationrequests.yaml +++ b/controllers/devbox/config/crd/bases/devbox.sealos.io_operationrequests.yaml @@ -17,7 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: operationrequests.devbox.sealos.io spec: group: devbox.sealos.io diff --git a/controllers/devbox/config/crd/bases/devbox.sealos.io_runtimeclasses.yaml b/controllers/devbox/config/crd/bases/devbox.sealos.io_runtimeclasses.yaml index 73be0d6c701..e0c611222a1 100644 --- a/controllers/devbox/config/crd/bases/devbox.sealos.io_runtimeclasses.yaml 
+++ b/controllers/devbox/config/crd/bases/devbox.sealos.io_runtimeclasses.yaml @@ -17,7 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: runtimeclasses.devbox.sealos.io spec: group: devbox.sealos.io @@ -57,15 +57,15 @@ spec: type: string kind: enum: - - OS - - Language - - Framework + - OS + - Language + - Framework type: string title: type: string required: - - kind - - title + - kind + - title type: object status: description: RuntimeClassStatus defines the observed state of RuntimeClass diff --git a/controllers/devbox/config/crd/bases/devbox.sealos.io_runtimes.yaml b/controllers/devbox/config/crd/bases/devbox.sealos.io_runtimes.yaml index 01b82f5d634..e5741aaf50c 100644 --- a/controllers/devbox/config/crd/bases/devbox.sealos.io_runtimes.yaml +++ b/controllers/devbox/config/crd/bases/devbox.sealos.io_runtimes.yaml @@ -17,7 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: runtimes.devbox.sealos.io spec: group: devbox.sealos.io diff --git a/controllers/devbox/config/manager/kustomization.yaml b/controllers/devbox/config/manager/kustomization.yaml index 19fb240209f..79a3fdde809 100644 --- a/controllers/devbox/config/manager/kustomization.yaml +++ b/controllers/devbox/config/manager/kustomization.yaml @@ -18,5 +18,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller - newName: docker.io/lingdie/sealos-devbox-controller + newName: ghcr.io/labring/sealos-devbox-controller newTag: latest diff --git a/controllers/devbox/config/rbac/role.yaml b/controllers/devbox/config/rbac/role.yaml index 12816b7c53f..00059012667 100644 --- a/controllers/devbox/config/rbac/role.yaml +++ b/controllers/devbox/config/rbac/role.yaml 
@@ -19,9 +19,9 @@ metadata: name: manager-role rules: - apiGroups: - - devbox.sealos.io + - "" resources: - - devboxes + - pods verbs: - create - delete @@ -31,23 +31,41 @@ rules: - update - watch - apiGroups: - - devbox.sealos.io + - "" resources: - - devboxes/finalizers + - pods/status verbs: + - get + - patch - update - apiGroups: - - devbox.sealos.io + - "" resources: - - devboxes/status + - secrets verbs: + - create + - delete - get + - list - patch - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - devbox.sealos.io resources: - - devboxreleases + - devboxes verbs: - create - delete @@ -59,13 +77,13 @@ rules: - apiGroups: - devbox.sealos.io resources: - - devboxreleases/finalizers + - devboxes/finalizers verbs: - update - apiGroups: - devbox.sealos.io resources: - - devboxreleases/status + - devboxes/status verbs: - get - patch @@ -73,7 +91,7 @@ rules: - apiGroups: - devbox.sealos.io resources: - - operationrequests + - devboxreleases verbs: - create - delete @@ -85,13 +103,13 @@ rules: - apiGroups: - devbox.sealos.io resources: - - operationrequests/finalizers + - devboxreleases/finalizers verbs: - update - apiGroups: - devbox.sealos.io resources: - - operationrequests/status + - devboxreleases/status verbs: - get - patch diff --git a/controllers/devbox/deploy/Kubefile b/controllers/devbox/deploy/Kubefile new file mode 100644 index 00000000000..d39f86ee1b9 --- /dev/null +++ b/controllers/devbox/deploy/Kubefile @@ -0,0 +1,13 @@ +FROM scratch + +USER 65532:65532 + +COPY registry registry +COPY manifests manifests + +ENV registryAddr="sealos.hub:5000" +ENV registryUser=admin +ENV registryPassword=passw0rd +ENV authAddr="sealos.hub:5000" + +CMD ["kubectl apply -f manifests"] diff --git a/controllers/devbox/deploy/manifests/deploy.yaml.tmpl b/controllers/devbox/deploy/manifests/deploy.yaml.tmpl new file mode 100644 index 00000000000..3026a4b1bc5 
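Review bot: The new `secrets` rule in the `@@ -31,23 +31,41 @@` hunk grants `list` and `watch` on core Secrets, and because the rendered deploy template binds this role as the ClusterRole `devbox-manager-role` to the `devbox-controller-manager` service account, that account can enumerate every Secret in every namespace, and so can anyone who obtains its token from the manager pod. If the reconciler only reads and writes the Secrets it creates for a devbox by name, `get`, `create`, `update`, `patch` and `delete` are sufficient and `list`/`watch` can be dropped, which removes the cluster-wide read. The grant originates from the marker added in controllers/devbox/internal/controller/devbox_controller.go, so the change belongs there — `// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;create;update;patch;delete` — followed by regenerating role.yaml and deploy/manifests/deploy.yaml.tmpl. If the controller genuinely lists or watches Secrets (the reconciler body is not in this diff), note that a label-filtered cache does not narrow the RBAC grant, and a namespace-scoped Role per devbox namespace would be the alternative.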
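Review bot: `ENV registryUser=admin` and `ENV registryPassword=passw0rd` in the new Kubefile bake a default registry credential into the cluster image, and the deploy template renders `{{ .registryPassword }}` straight into the manager's command line, so any installation that does not override `registryPassword` runs with a password that is published in this repository. Ship the password with no usable default and require it at install time (via the `sealos run` `--env` override, if that is how this image is installed), or at minimum document in the Kubefile that the value must be replaced before use, e.g. `# registryPassword is a placeholder and must be overridden at install time`. `registryAddr` and `authAddr` can keep their defaults; they only say where the credential is sent.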
--- /dev/null +++ b/controllers/devbox/deploy/manifests/deploy.yaml.tmpl 
@@ -0,0 +1,974 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + control-plane: controller-manager + name: devbox-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: devboxes.devbox.sealos.io +spec: + group: devbox.sealos.io + names: + kind: Devbox + listKind: DevboxList + plural: devboxes + singular: devbox + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Devbox is the Schema for the devboxes API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DevboxSpec defines the desired state of Devbox + properties: + network: + properties: + extraPorts: + items: + description: ContainerPort represents a network port in a single + container. + properties: + containerPort: + description: |- + Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: |- + Number of port to expose on the host. + If specified, this must be a valid port number, 0 < x < 65536. 
+ If HostNetwork is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: |- + If specified, this must be an IANA_SVC_NAME and unique within the pod. Each + named port in a pod must have a unique name. Name for the port that can be + referred to by services. + type: string + protocol: + default: TCP + description: |- + Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + type: + enum: + - NodePort + - Tailnet + type: string + required: + - type + type: object + resource: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + runtimeRef: + properties: + name: + type: string + required: + - name + type: object + squash: + default: false + type: boolean + state: + enum: + - Running + - Stopped + type: string + required: + - network + - resource + - runtimeRef + - state + type: object + status: + description: DevboxStatus defines the observed state of Devbox + properties: + commitHistory: + items: + properties: + image: + type: string + pod: + type: string + status: + type: string + time: + format: date-time + type: string + required: + - image + - pod + - status + - time + type: object + type: array + network: + properties: + nodePort: + format: int32 + type: integer + tailnet: + description: todo TailNet + type: string + type: + default: NodePort + enum: + - NodePort + - Tailnet + type: string + required: + - type + type: object + podPhase: + description: PodPhase is a label for the condition of a pod at the + current time. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: devboxreleases.devbox.sealos.io +spec: + group: devbox.sealos.io + names: + kind: DevBoxRelease + listKind: DevBoxReleaseList + plural: devboxreleases + singular: devboxrelease + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: DevBoxRelease is the Schema for the devboxreleases API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DevBoxReleaseSpec defines the desired state of DevBoxRelease + properties: + devboxName: + type: string + newTag: + type: string + notes: + type: string + required: + - devboxName + - newTag + type: object + status: + description: DevBoxReleaseStatus defines the observed state of DevBoxRelease + properties: + phase: + default: Pending + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: operationrequests.devbox.sealos.io +spec: + group: devbox.sealos.io + names: + kind: OperationRequest + listKind: OperationRequestList + plural: operationrequests + singular: operationrequest + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: OperationRequest is the Schema for the operationrequests API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: OperationRequestSpec defines the desired state of OperationRequest + type: object + status: + description: OperationRequestStatus defines the observed state of OperationRequest + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: runtimeclasses.devbox.sealos.io +spec: + group: devbox.sealos.io + names: + kind: RuntimeClass + listKind: RuntimeClassList + plural: runtimeclasses + singular: runtimeclass + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RuntimeClass is the Schema for the runtimeclasses API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: RuntimeClassSpec defines the desired state of RuntimeClass + properties: + description: + type: string + kind: + enum: + - OS + - Language + - Framework + type: string + title: + type: string + required: + - kind + - title + type: object + status: + description: RuntimeClassStatus defines the observed state of RuntimeClass + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: runtimes.devbox.sealos.io +spec: + group: devbox.sealos.io + names: + kind: Runtime + listKind: RuntimeList + plural: runtimes + singular: runtime + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Runtime is the Schema for the runtimes API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: RuntimeSpec defines the desired state of Runtime + properties: + category: + items: + type: string + type: array + classRef: + type: string + description: + type: string + image: + type: string + title: + type: string + required: + - classRef + - description + - image + - title + type: object + status: + description: RuntimeStatus defines the observed state of Runtime + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-controller-manager + namespace: devbox-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-leader-election-role + namespace: devbox-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-devbox-editor-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - devboxes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + 
name: devbox-devbox-viewer-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - devboxes + verbs: + - get + - list + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-devboxrelease-editor-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-devboxrelease-viewer-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases + verbs: + - get + - list + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: devbox-manager-role +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxes/finalizers + verbs: + - update +- apiGroups: + - devbox.sealos.io + resources: + - devboxes/status + verbs: + - get + - patch + - update +- 
apiGroups: + - devbox.sealos.io + resources: + - devboxreleases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases/finalizers + verbs: + - update +- apiGroups: + - devbox.sealos.io + resources: + - devboxreleases/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: devbox-metrics-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: devbox-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-operationrequest-editor-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - operationrequests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - operationrequests/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-operationrequest-viewer-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - operationrequests + verbs: + - get + - list + - watch +- apiGroups: + - devbox.sealos.io + resources: + - operationrequests/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-runtime-editor-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - runtimes + verbs: + - create + - delete + - get 
+ - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - runtimes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-runtime-viewer-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - runtimes + verbs: + - get + - list + - watch +- apiGroups: + - devbox.sealos.io + resources: + - runtimes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-runtimeclass-editor-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - runtimeclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - devbox.sealos.io + resources: + - runtimeclasses/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-runtimeclass-viewer-role +rules: +- apiGroups: + - devbox.sealos.io + resources: + - runtimeclasses + verbs: + - get + - list + - watch +- apiGroups: + - devbox.sealos.io + resources: + - runtimeclasses/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-leader-election-rolebinding + namespace: devbox-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: devbox-leader-election-role +subjects: +- kind: ServiceAccount + name: devbox-controller-manager + namespace: devbox-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + name: devbox-manager-rolebinding 
+roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: devbox-manager-role +subjects: +- kind: ServiceAccount + name: devbox-controller-manager + namespace: devbox-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: devbox-metrics-auth-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: devbox-metrics-auth-role +subjects: +- kind: ServiceAccount + name: devbox-controller-manager + namespace: devbox-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + control-plane: controller-manager + name: devbox-controller-manager-metrics-service + namespace: devbox-system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + control-plane: controller-manager +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: devbox + control-plane: controller-manager + name: devbox-controller-manager + namespace: devbox-system +spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --metrics-bind-address=:8443 + - --leader-elect + - --health-probe-bind-address=:8081 + - --registry-addr={{ .registryAddr }} + - --registry-user={{ .registryUser }} + - --registry-password={{ .registryPassword }} + - --auth-addr={{ .authAddr }} + command: + - /manager + image: ghcr.io/labring/sealos-devbox-controller:latest + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 
10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + serviceAccountName: devbox-controller-manager + terminationGracePeriodSeconds: 10 diff --git a/controllers/devbox/go.mod b/controllers/devbox/go.mod index 301f814bd61..a2af53dda3a 100644 --- a/controllers/devbox/go.mod +++ b/controllers/devbox/go.mod @@ -7,6 +7,7 @@ require ( github.com/google/go-containerregistry v0.20.2 github.com/onsi/ginkgo/v2 v2.17.1 github.com/onsi/gomega v1.32.0 + golang.org/x/crypto v0.21.0 k8s.io/api v0.30.1 k8s.io/apimachinery v0.30.1 k8s.io/client-go v0.30.1 diff --git a/controllers/devbox/go.sum b/controllers/devbox/go.sum index 2781ffe0c04..75d20f5afd4 100644 --- a/controllers/devbox/go.sum +++ b/controllers/devbox/go.sum @@ -159,6 +159,8 @@ go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA= golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= diff --git a/controllers/devbox/internal/controller/devbox_controller.go b/controllers/devbox/internal/controller/devbox_controller.go index e3335b1fe3b..8b01753d88e 100644 --- a/controllers/devbox/internal/controller/devbox_controller.go +++ b/controllers/devbox/internal/controller/devbox_controller.go 
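Review bot: `--registry-password={{ .registryPassword }}` in the manager Deployment (near the end of the `@@ -0,0 +1,974 @@` hunk) writes the registry password into the pod spec, so it is readable by anyone with `get` on pods or deployments in devbox-system, appears in `kubectl describe`, in API audit logs and in the container's process list. Keep the flag but feed it from a Secret: reference an env var in the arg (`--registry-password=$(REGISTRY_PASSWORD)`, which the kubelet expands at container start) and source that env var with `valueFrom.secretKeyRef`, so the value never appears in the Deployment object; the template can render the Secret itself from `{{ .registryPassword }}`. The container securityContext already sets `allowPrivilegeEscalation: false` and drops all capabilities, and the pod sets `runAsNonRoot: true`; adding `seccompProfile: {type: RuntimeDefault}` under the pod securityContext would complete the restricted profile. The go.mod and go.sum hunks on this line are dependency bumps and need nothing.
```yaml
        - --registry-user={{ .registryUser }}
        - --registry-password=$(REGISTRY_PASSWORD)
        # … unchanged: --auth-addr, command, image, probes …
        env:
        - name: REGISTRY_PASSWORD
          valueFrom:
            secretKeyRef:
              name: devbox-registry-credentials   # constructed name; must match the Secret below
              key: password
---
apiVersion: v1
kind: Secret
metadata:
  name: devbox-registry-credentials   # constructed name
  namespace: devbox-system
type: Opaque
stringData:
  password: "{{ .registryPassword }}"
```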
@@ -58,6 +58,10 @@ type DevboxReconciler struct {
 // +kubebuilder:rbac:groups=devbox.sealos.io,resources=devboxes,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=devbox.sealos.io,resources=devboxes/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=devbox.sealos.io,resources=devboxes/finalizers,verbs=update
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=pods/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 func (r *DevboxReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	logger := log.FromContext(ctx, "devbox", req.NamespacedName)
diff --git a/controllers/go.work.sum b/controllers/go.work.sum
index 4d3a7d0b581..9dc87898ef1 100644
--- a/controllers/go.work.sum
+++ b/controllers/go.work.sum
@@ -1420,6 +1420,7 @@ k8s.io/code-generator v0.28.3 h1:I847QvdpYx7xKiG2KVQeCSyNF/xU9TowaDAg601mvlw=
 k8s.io/component-helpers v0.28.2/go.mod h1:pF1R5YWQ+sgf0i6EbVm+MQCzkYuqutDUibdrkvAa6aI=
 k8s.io/component-helpers v0.28.3 h1:te9ieTGzcztVktUs92X53P6BamAoP73MK0qQP0WmDqc=
 k8s.io/component-helpers v0.28.3/go.mod h1:oJR7I9ist5UAQ3y/CTdbw6CXxdMZ1Lw2Ua/EZEwnVLs=
+k8s.io/cri-api v0.27.1 h1:KWO+U8MfI9drXB/P4oU9VchaWYOlwDglJZVHWMpTT3Q=
 k8s.io/cri-api v0.27.1/go.mod h1:+Ts/AVYbIo04S86XbTD73UPp/DkTiYxtsFeOFEu32L0=
 k8s.io/cri-api v0.28.3 h1:84ifk56rAy7yYI1zYqTjLLishpFgs3q7BkCKhoLhmFA=
 k8s.io/cri-api v0.28.3/go.mod h1:MTdJO2fikImnX+YzE2Ccnosj3Hw2Cinw2fXYV3ppUIE=