Merge pull request #34 from telekom/update-manifests

Various fixes around manifests and rbac, and a few dependency updates
telekom · Aug 2, 2024 · eed7cb2 · eed7cb2
2 parents d7f346f + 2548258
commit eed7cb2
Show file tree

Hide file tree

Showing 8 changed files with 106 additions and 63 deletions.
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -38,6 +38,12 @@ spec:
               fieldPath: metadata.namespace
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - ALL
+          runAsUser: 65532
+          runAsGroup: 65532
         livenessProbe:
           httpGet:
             path: /healthz
@@ -61,3 +67,5 @@ spec:
             memory: 64Mi
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
+      securityContext:
+        runAsNonRoot: true
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -12,6 +12,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - cluster.x-k8s.io
+  resources:
+  - clusters
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - infrastructure.cluster.x-k8s.io
   resources:

diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -14,7 +14,7 @@ webhooks:
       path: /mutate-ipam-cluster-x-k8s-io-v1alpha1-infobloxippool
   failurePolicy: Fail
   matchPolicy: Equivalent
-  name: default.inclusterippool.ipam.cluster.x-k8s.io
+  name: default.infobloxippool.ipam.cluster.x-k8s.io
   rules:
   - apiGroups:
     - ipam.cluster.x-k8s.io
@@ -24,7 +24,7 @@ webhooks:
     - CREATE
     - UPDATE
     resources:
-    - inclusterippools
+    - infobloxippools
   sideEffects: None
 ---
 apiVersion: admissionregistration.k8s.io/v1
@@ -42,7 +42,7 @@ webhooks:
       path: /validate-ipam-cluster-x-k8s-io-v1alpha1-infobloxippool
   failurePolicy: Fail
   matchPolicy: Equivalent
-  name: validation.inclusterippool.ipam.cluster.x-k8s.io
+  name: validation.infobloxippool.ipam.cluster.x-k8s.io
   rules:
   - apiGroups:
     - ipam.cluster.x-k8s.io
@@ -53,5 +53,5 @@ webhooks:
     - UPDATE
     - DELETE
     resources:
-    - inclusterippools
+    - infobloxippools
   sideEffects: None
diff --git a/go.mod b/go.mod
@@ -7,18 +7,18 @@ toolchain go1.22.3
 require (
 	github.com/golang/mock v1.6.0
 	github.com/infobloxopen/infoblox-go-client/v2 v2.6.0
-	github.com/onsi/ginkgo/v2 v2.19.0
-	github.com/onsi/gomega v1.33.1
+	github.com/onsi/ginkgo/v2 v2.19.1
+	github.com/onsi/gomega v1.34.1
 	github.com/pkg/errors v0.9.1
 	go.uber.org/mock v0.4.0
-	k8s.io/api v0.30.1
-	k8s.io/apimachinery v0.30.1
-	k8s.io/client-go v0.30.1
-	k8s.io/klog/v2 v2.120.1
-	k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0
-	sigs.k8s.io/cluster-api v1.7.2
+	k8s.io/api v0.30.3
+	k8s.io/apimachinery v0.30.3
+	k8s.io/client-go v0.30.3
+	k8s.io/klog/v2 v2.130.1
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
+	sigs.k8s.io/cluster-api v1.8.0-rc.0
 	sigs.k8s.io/cluster-api-ipam-provider-in-cluster v0.1.0
-	sigs.k8s.io/cluster-api-provider-vsphere v1.10.0
+	sigs.k8s.io/cluster-api-provider-vsphere v1.10.2
 	sigs.k8s.io/controller-runtime v0.18.4
 )
 
@@ -31,7 +31,7 @@ require (
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/metal3-io/ip-address-manager/api v1.7.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
-	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240515191416-fc5f0ca64291 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect
 )
@@ -72,23 +72,21 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/net v0.27.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/term v0.22.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/tools v0.23.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.30.1 // indirect
+	k8s.io/apiextensions-apiserver v0.30.3 // indirect
 	k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
-
-replace sigs.k8s.io/cluster-api => sigs.k8s.io/cluster-api v1.7.0-rc.0.0.20240614160147-9a2d8cdc5ad6
diff --git a/go.sum b/go.sum
diff --git a/internal/controllers/ipaddressclaim.go b/internal/controllers/ipaddressclaim.go
@@ -105,6 +105,7 @@ func (r *InfobloxProviderAdapter) ClaimHandlerFor(cl client.Client, claim *ipamv
 //+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddresses,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddressclaims/status;ipaddresses/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddressclaims/status;ipaddresses/finalizers,verbs=update
+//+kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=get;list;watch
 
 // for resolving hostnames
 //+kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=metal3datas;metal3machines,verbs=get;list;watch
@@ -277,7 +278,7 @@ func (h *InfobloxClaimHandler) getHostname(ctx context.Context) (string, error)
 	return hn, nil
 }
 
-func getHostnameResolver(cl client.Client, claim *ipamv1.IPAddressClaim) (hostname.Resolver, error) {
+func getHostnameResolver(cl client.Client, _ *ipamv1.IPAddressClaim) (hostname.Resolver, error) {
 	return &hostname.SearchOwnerReferenceResolver{
 		Client:    cl,
 		SearchFor: metav1.GroupKind{Group: "cluster.x-k8s.io", Kind: "Machine"},

diff --git a/internal/webhooks/infobloxippool.go b/internal/webhooks/infobloxippool.go
@@ -59,8 +59,8 @@ func (webhook *InfobloxIPPool) SetupWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
-// +kubebuilder:webhook:verbs=create;update;delete,path=/validate-ipam-cluster-x-k8s-io-v1alpha1-infobloxippool,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=ipam.cluster.x-k8s.io,resources=inclusterippools,versions=v1alpha2,name=validation.inclusterippool.ipam.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
-// +kubebuilder:webhook:verbs=create;update,path=/mutate-ipam-cluster-x-k8s-io-v1alpha1-infobloxippool,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=ipam.cluster.x-k8s.io,resources=inclusterippools,versions=v1alpha2,name=default.inclusterippool.ipam.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
+// +kubebuilder:webhook:verbs=create;update;delete,path=/validate-ipam-cluster-x-k8s-io-v1alpha1-infobloxippool,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=ipam.cluster.x-k8s.io,resources=infobloxippools,versions=v1alpha2,name=validation.infobloxippool.ipam.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
+// +kubebuilder:webhook:verbs=create;update,path=/mutate-ipam-cluster-x-k8s-io-v1alpha1-infobloxippool,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=ipam.cluster.x-k8s.io,resources=infobloxippools,versions=v1alpha2,name=default.infobloxippool.ipam.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 
 // InfobloxIPPool implements a validating and defaulting webhook for InfobloxIPPool.
 type InfobloxIPPool struct {

diff --git a/main.go b/main.go
@@ -23,8 +23,6 @@ import (
 	"log"
 	"os"
 
-	//+kubebuilder:scaffold:imports
-	metal3v1 "github.com/metal3-io/cluster-api-provider-metal3/api/v1beta1"
 	"github.com/telekom/cluster-api-ipam-provider-infoblox/api/v1alpha1"
 	"github.com/telekom/cluster-api-ipam-provider-infoblox/internal/controllers"
 	"github.com/telekom/cluster-api-ipam-provider-infoblox/internal/index"
@@ -38,7 +36,6 @@ import (
 	"k8s.io/klog/v2"
 	inclusterv1a2 "sigs.k8s.io/cluster-api-ipam-provider-in-cluster/api/v1alpha2"
 	"sigs.k8s.io/cluster-api-ipam-provider-in-cluster/pkg/ipamutil"
-	vspherev1 "sigs.k8s.io/cluster-api-provider-vsphere/apis/v1beta1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	ipamv1 "sigs.k8s.io/cluster-api/exp/ipam/api/v1beta1"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -62,8 +59,6 @@ func init() {
 	utilruntime.Must(inclusterv1a2.AddToScheme(scheme))
 	utilruntime.Must(inclusterv1a2.AddToScheme(scheme))
 	utilruntime.Must(v1alpha1.AddToScheme(scheme))
-	utilruntime.Must(metal3v1.AddToScheme(scheme))
-	utilruntime.Must(vspherev1.AddToScheme(scheme))
 
 	//+kubebuilder:scaffold:scheme
 }