mirror of
https://github.com/ansible/awx-operator.git
synced 2026-03-26 21:33:14 +00:00
5fb6bb7519
Bump operator-sdk, ansible-operator, and OPM binaries to align with the OCP 4.20 / AAP 2.7 target. Replace the deprecated kube-rbac-proxy sidecar (removed in operator-sdk v1.38.0) with controller-runtime's built-in WithAuthenticationAndAuthorization for metrics endpoint protection. Changes: - Makefile: operator-sdk v1.36.1 → v1.40.0, OPM v1.26.0 → v1.55.0 - Dockerfile: ansible-operator base image v1.36.1 → v1.40.0 - Remove kube-rbac-proxy sidecar and auth_proxy_* RBAC manifests - Add metrics_auth_role, metrics_reader, and metrics_service resources - Add --metrics-secure, --metrics-require-rbac, --metrics-bind-address flags via JSON patch to serve metrics directly from the manager on port 8443 with TLS and RBAC authentication Ref: AAP-65254 Authored By: Christian M. Adams <chadams@redhat.com> Assisted By: Claude
83 lines
2.4 KiB
YAML
83 lines
2.4 KiB
YAML
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
labels:
|
|
control-plane: controller-manager
|
|
name: system
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: controller-manager
|
|
namespace: system
|
|
labels:
|
|
control-plane: controller-manager
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
control-plane: controller-manager
|
|
replicas: 1
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
kubectl.kubernetes.io/default-container: awx-manager
|
|
labels:
|
|
control-plane: controller-manager
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
# For common cases that do not require escalating privileges
|
|
# it is recommended to ensure that all your Pods/Containers are restrictive.
|
|
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
|
|
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
|
|
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
|
|
# seccompProfile:
|
|
# type: RuntimeDefault
|
|
containers:
|
|
- args:
|
|
- --leader-elect
|
|
- --leader-election-id=awx-operator
|
|
- --health-probe-bind-address=:6789
|
|
image: controller:latest
|
|
imagePullPolicy: IfNotPresent
|
|
name: awx-manager
|
|
env:
|
|
- name: ANSIBLE_GATHERING
|
|
value: explicit
|
|
- name: ANSIBLE_DEBUG_LOGS
|
|
value: 'false'
|
|
- name: WATCH_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- "ALL"
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 6789
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 20
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /readyz
|
|
port: 6789
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
# More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
|
resources:
|
|
requests:
|
|
memory: "32Mi"
|
|
cpu: "50m"
|
|
limits:
|
|
memory: "4000Mi"
|
|
cpu: "2000m"
|
|
serviceAccountName: controller-manager
|
|
imagePullSecrets:
|
|
- name: redhat-operators-pull-secret
|
|
terminationGracePeriodSeconds: 10
|