+ *.old

+ FROM fedora:35

+ USER 1001

+ IMAGE := quay.io/fedora-kube-sig/resultsdb:latest

+ .PHONY: image/build image/push image/debug image

+ 

+ # Binaries for programs and plugins

+ *.exe

+ *.exe~

+ *.dll

+ *.so

+ *.dylib

+ bin

+ 

+ # editor and IDE paraphernalia

+ .idea

+ *.swp

+ *.swo

+ *~

+ FROM quay.io/operator-framework/ansible-operator:v1.11.0

+ 

+ COPY requirements.yml ${HOME}/requirements.yml

+ RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \

+  && chmod -R ug+rwx ${HOME}/.ansible

+ 

+ COPY watches.yaml ${HOME}/watches.yaml

+ COPY roles/ ${HOME}/roles/

+ COPY playbooks/ ${HOME}/playbooks/

+ # VERSION defines the project version for the bundle.

+ # Update this value when you upgrade the version of your project.

+ # To re-generate a bundle for another specific version without changing the standard setup, you can:

+ # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)

+ # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)

+ VERSION ?= 0.0.1

+ 

+ # CHANNELS define the bundle channels used in the bundle.

+ # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")

+ # To re-generate a bundle for other specific channels without changing the standard setup, you can:

+ # - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable)

+ # - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable")

+ ifneq ($(origin CHANNELS), undefined)

+ BUNDLE_CHANNELS := --channels=$(CHANNELS)

+ endif

+ 

+ # DEFAULT_CHANNEL defines the default channel used in the bundle.

+ # Add a new line here if you would like to change its default config. (E.g DEFAULT_CHANNEL = "stable")

+ # To re-generate a bundle for any other default channel without changing the default setup, you can:

+ # - use the DEFAULT_CHANNEL as arg of the bundle target (e.g make bundle DEFAULT_CHANNEL=stable)

+ # - use environment variables to overwrite this value (e.g export DEFAULT_CHANNEL="stable")

+ ifneq ($(origin DEFAULT_CHANNEL), undefined)

+ BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)

+ endif

+ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)

+ 

+ # IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images.

+ # This variable is used to construct full image tags for bundle and catalog images.

+ #

+ # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both

+ # k8s.apps.fedoraproject.org/operator-bundle:$VERSION and k8s.apps.fedoraproject.org/operator-catalog:$VERSION.

+ IMAGE_TAG_BASE ?= k8s.apps.fedoraproject.org/operator

+ 

+ # BUNDLE_IMG defines the image:tag used for the bundle.

+ # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)

+ BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)

+ 

+ # Image URL to use all building/pushing image targets

+ IMG ?= quay.io/fedora-kube-sig/gating-services-operator:latest

+ 

+ all: docker-build

+ 

+ ##@ General

+ 

+ # The help target prints out all targets with their descriptions organized

+ # beneath their categories. The categories are represented by '##@' and the

+ # target descriptions by '##'. The awk commands is responsible for reading the

+ # entire set of makefiles included in this invocation, looking for lines of the

+ # file as xyz: ## something, and then pretty-format the target and help. Then,

+ # if there's a line with ##@ something, that gets pretty-printed as a category.

+ # More info on the usage of ANSI control characters for terminal formatting:

+ # https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters

+ # More info on the awk command:

+ # http://linuxcommand.org/lc3_adv_awk.php

+ 

+ help: ## Display this help.

+ 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

+ 

+ ##@ Build

+ 

+ run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config

+ 	ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run

+ 

+ docker-build: ## Build docker image with the manager.

+ 	docker build -t ${IMG} .

+ 

+ docker-push: ## Push docker image with the manager.

+ 	docker push ${IMG}

+ 

+ ##@ Deployment

+ 

+ install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.

+ 	$(KUSTOMIZE) build config/crd | kubectl apply -f -

+ 

+ uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.

+ 	$(KUSTOMIZE) build config/crd | kubectl delete -f -

+ 

+ deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.

+ 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}

+ 	$(KUSTOMIZE) build config/default | kubectl apply -f -

+ 

+ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.

+ 	$(KUSTOMIZE) build config/default | kubectl delete -f -

+ 

+ OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')

+ ARCH := $(shell uname -m | sed 's/x86_64/amd64/')

+ 

+ .PHONY: kustomize

+ KUSTOMIZE = $(shell pwd)/bin/kustomize

+ kustomize: ## Download kustomize locally if necessary.

+ ifeq (,$(wildcard $(KUSTOMIZE)))

+ ifeq (,$(shell which kustomize 2>/dev/null))

+ 	@{ \

+ 	set -e ;\

+ 	mkdir -p $(dir $(KUSTOMIZE)) ;\

+ 	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \

+ 	tar xzf - -C bin/ ;\

+ 	}

+ else

+ KUSTOMIZE = $(shell which kustomize)

+ endif

+ endif

+ 

+ .PHONY: ansible-operator

+ ANSIBLE_OPERATOR = $(shell pwd)/bin/ansible-operator

+ ansible-operator: ## Download ansible-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist.

+ ifeq (,$(wildcard $(ANSIBLE_OPERATOR)))

+ ifeq (,$(shell which ansible-operator 2>/dev/null))

+ 	@{ \

+ 	set -e ;\

+ 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\

+ 	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.11.0/ansible-operator_$(OS)_$(ARCH) ;\

+ 	chmod +x $(ANSIBLE_OPERATOR) ;\

+ 	}

+ else

+ ANSIBLE_OPERATOR = $(shell which ansible-operator)

+ endif

+ endif

+ 

+ .PHONY: bundle

+ bundle: kustomize ## Generate bundle manifests and metadata, then validate generated files.

+ 	operator-sdk generate kustomize manifests -q

+ 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)

+ 	$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)

+ 	operator-sdk bundle validate ./bundle

+ 

+ .PHONY: bundle-build

+ bundle-build: ## Build the bundle image.

+ 	docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .

+ 

+ .PHONY: bundle-push

+ bundle-push: ## Push the bundle image.

+ 	$(MAKE) docker-push IMG=$(BUNDLE_IMG)

+ 

+ .PHONY: opm

+ OPM = ./bin/opm

+ opm: ## Download opm locally if necessary.

+ ifeq (,$(wildcard $(OPM)))

+ ifeq (,$(shell which opm 2>/dev/null))

+ 	@{ \

+ 	set -e ;\

+ 	mkdir -p $(dir $(OPM)) ;\

+ 	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\

+ 	chmod +x $(OPM) ;\

+ 	}

+ else

+ OPM = $(shell which opm)

+ endif

+ endif

+ 

+ # A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0).

+ # These images MUST exist in a registry and be pull-able.

+ BUNDLE_IMGS ?= $(BUNDLE_IMG)

+ 

+ # The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0).

+ CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION)

+ 

+ # Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image.

+ ifneq ($(origin CATALOG_BASE_IMG), undefined)

+ FROM_INDEX_OPT := --from-index $(CATALOG_BASE_IMG)

+ endif

+ 

+ # Build a catalog image by adding bundle images to an empty catalog using the operator package manager tool, 'opm'.

+ # This recipe invokes 'opm' in 'semver' bundle add mode. For more information on add modes, see:

+ # https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator

+ .PHONY: catalog-build

+ catalog-build: opm ## Build a catalog image.

+ 	$(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)

+ 

+ # Push the catalog image.

+ .PHONY: catalog-push

+ catalog-push: ## Push a catalog image.

+ 	$(MAKE) docker-push IMG=$(CATALOG_IMG)

+ domain: k8s.apps.fedoraproject.org

+ layout:

+ - ansible.sdk.operatorframework.io/v1

+ plugins:

+   manifests.sdk.operatorframework.io/v2: {}

+   scorecard.sdk.operatorframework.io/v2: {}

+ projectName: operator

+ resources:

+ - api:

+     crdVersion: v1

+     namespaced: true

+   domain: k8s.apps.fedoraproject.org

+   group: gating

+   kind: ResultsDB

+   version: v1alpha1

+ version: "3"

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+   name: resultsdb-sample

+   annotations:

+     nginx.ingress.kubernetes.io/secure-backends: "true"

+     nginx.ingress.kubernetes.io/ssl-passthrough: "true"

+     nginx.ingress.kubernetes.io/ssl-redirect: "false"

+     nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

+ spec:

+   tls:

+   rules:

+   - host: resultsdb.testing

+     http:

+       paths:

+         - path: /

+           pathType: Prefix

+           backend:

+             service:

+               name: resultsdb-sample-http

+               port:

+                 number: 5001

+ apiVersion: v1

+ kind: Secret

+ metadata:

+   name: postgres

+   labels:

+     app: postgres

+ stringData:

+   POSTGRES_HOST: postgres

+   POSTGRES_PORT: "5432"

+   POSTGRES_DB: resultsdb

+   POSTGRES_USER: resultsdb

+   POSTGRES_PASSWORD: resultsdb

+ apiVersion: apps/v1

+ kind: Deployment

+ metadata:

+   name: postgres

+ spec:

+   replicas: 1

+   selector:

+     matchLabels:

+       app: postgres

+   template:

+     metadata:

+       labels:

+         app: postgres

+     spec:

+       volumes:

+         - name: data

+           emptyDir: {}

+       containers:

+         - name: postgres

+           volumeMounts:

+             - mountPath: /var/lib/postgresql

+               name: data

+           image: quay.io/fedora-kube-sig/postgres:10.4-devel

+           imagePullPolicy: Always

+           ports:

+             - containerPort: 5432

+           envFrom:

+             - secretRef:

+                 name: postgres

+ apiVersion: v1

+ kind: Service

+ metadata:

+   name: postgres

+   labels:

+     app: postgres

+ spec:

+   type: NodePort

+   ports:

+     - port: 5432

+   selector:

+     app: postgres

+ ---

+ apiVersion: apiextensions.k8s.io/v1

+ kind: CustomResourceDefinition

+ metadata:

+   name: resultsdbs.gating.k8s.apps.fedoraproject.org

+ spec:

+   group: gating.k8s.apps.fedoraproject.org

+   names:

+     kind: ResultsDB

+     listKind: ResultsDBList

+     plural: resultsdbs

+     singular: resultsdb

+   scope: Namespaced

+   versions:

+   - name: v1alpha1

+     schema:

+       openAPIV3Schema:

+         description: ResultsDB is the Schema for the resultsdbs API

+         properties:

+           apiVersion:

+             description: 'APIVersion defines the versioned schema of this representation

+               of an object. Servers should convert recognized schemas to the latest

+               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

+             type: string

+           kind:

+             description: 'Kind is a string value representing the REST resource this

+               object represents. Servers may infer this from the endpoint the client

+               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

+             type: string

+           metadata:

+             type: object

+           spec:

+             description: Spec defines the desired state of ResultsDB

+             type: object

+             x-kubernetes-preserve-unknown-fields: true

+           status:

+             description: Status defines the observed state of ResultsDB

+             type: object

+             x-kubernetes-preserve-unknown-fields: true

+         type: object

+     served: true

+     storage: true

+     subresources:

+       status: {}

+ # This kustomization.yaml is not intended to be run by itself,

+ # since it depends on service name and namespace that are out of this kustomize package.

+ # It should be run by config/default

+ resources:

+ - bases/gating.k8s.apps.fedoraproject.org_resultsdbs.yaml

+ #+kubebuilder:scaffold:crdkustomizeresource

+ # Adds namespace to all resources.

+ namespace: operator-system

+ 

+ # Value of this field is prepended to the

+ # names of all resources, e.g. a deployment named

+ # "wordpress" becomes "alices-wordpress".

+ # Note that it should also match with the prefix (text before '-') of the namespace

+ # field above.

+ namePrefix: operator-

+ 

+ # Labels to add to all resources and selectors.

+ #commonLabels:

+ #  someName: someValue

+ 

+ bases:

+ - ../crd

+ - ../rbac

+ - ../manager

+ # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.

+ #- ../prometheus

+ 

+ patchesStrategicMerge:

+ # Protect the /metrics endpoint by putting it behind auth.

+ # If you want your controller-manager to expose the /metrics

+ # endpoint w/o any authn/z, please comment the following line.

+ - manager_auth_proxy_patch.yaml

+ 

+ # Mount the controller config file for loading manager configurations

+ # through a ComponentConfig type

+ #- manager_config_patch.yaml

+ # This patch inject a sidecar container which is a HTTP proxy for the

+ # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.

+ apiVersion: apps/v1

+ kind: Deployment

+ metadata:

+   name: controller-manager

+   namespace: system

+ spec:

+   template:

+     spec:

+       containers:

+       - name: kube-rbac-proxy

+         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0

+         args:

+         - "--secure-listen-address=0.0.0.0:8443"

+         - "--upstream=http://127.0.0.1:8080/"

+         - "--logtostderr=true"

+         - "--v=10"

+         ports:

+         - containerPort: 8443

+           protocol: TCP

+           name: https

+       - name: manager

+         args:

+         - "--health-probe-bind-address=:6789"

+         - "--metrics-bind-address=127.0.0.1:8080"

+         - "--leader-elect"

+         - "--leader-election-id=operator"

+ apiVersion: apps/v1

+ kind: Deployment

+ metadata:

+   name: controller-manager

+   namespace: system

+ spec:

+   template:

+     spec:

+       containers:

+       - name: manager

+         args:

+         - "--config=controller_manager_config.yaml"

+         volumeMounts:

+         - name: manager-config

+           mountPath: /controller_manager_config.yaml

+           subPath: controller_manager_config.yaml

+       volumes:

+       - name: manager-config

+         configMap:

+           name: manager-config

+ apiVersion: controller-runtime.sigs.k8s.io/v1alpha1

+ kind: ControllerManagerConfig

+ health:

+   healthProbeBindAddress: :6789

+ metrics:

+   bindAddress: 127.0.0.1:8080

+ 

+ leaderElection:

+   leaderElect: true

+   resourceName: 811c9dc5.k8s.apps.fedoraproject.org

+ resources:

+ - manager.yaml

+ 

+ generatorOptions:

+   disableNameSuffixHash: true

+ 

+ configMapGenerator:

+ - name: manager-config

+   files:

+   - controller_manager_config.yaml

+ apiVersion: v1

+ kind: Namespace

+ metadata:

+   labels:

+     control-plane: controller-manager

+   name: system

+ ---

+ apiVersion: apps/v1

+ kind: Deployment

+ metadata:

+   name: controller-manager

+   namespace: system

+   labels:

+     control-plane: controller-manager

+ spec:

+   selector:

+     matchLabels:

+       control-plane: controller-manager

+   replicas: 1

+   template:

+     metadata:

+       labels:

+         control-plane: controller-manager

+     spec:

+       securityContext:

+         runAsNonRoot: true

+       containers:

+       - args:

+         - --leader-elect

+         - --leader-election-id=operator

+         image: controller:latest

+         name: manager

+         env:

+         - name: ANSIBLE_GATHERING

+           value: explicit

+         securityContext:

+           allowPrivilegeEscalation: false

+         livenessProbe:

+           httpGet:

+             path: /healthz

+             port: 6789

+           initialDelaySeconds: 15

+           periodSeconds: 20

+         readinessProbe:

+           httpGet:

+             path: /readyz

+             port: 6789

+           initialDelaySeconds: 5

+           periodSeconds: 10

+       serviceAccountName: controller-manager

+       terminationGracePeriodSeconds: 10

+ # These resources constitute the fully configured set of manifests

+ # used to generate the 'manifests/' directory in a bundle.

+ resources:

+ - bases/operator.clusterserviceversion.yaml

+ - ../default

+ - ../samples

+ - ../scorecard

+ resources:

+ - monitor.yaml

+ 

+ # Prometheus Monitor Service (Metrics)

+ apiVersion: monitoring.coreos.com/v1

+ kind: ServiceMonitor

+ metadata:

+   labels:

+     control-plane: controller-manager

+   name: controller-manager-metrics-monitor

+   namespace: system

+ spec:

+   endpoints:

+     - path: /metrics

+       port: https

+       scheme: https

+       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token

+       tlsConfig:

+         insecureSkipVerify: true

+   selector:

+     matchLabels:

+       control-plane: controller-manager

+ apiVersion: rbac.authorization.k8s.io/v1

+ kind: ClusterRole

+ metadata:

+   name: metrics-reader

+ rules:

+ - nonResourceURLs:

+   - "/metrics"

+   verbs:

+   - get

+ apiVersion: rbac.authorization.k8s.io/v1

+ kind: ClusterRole

+ metadata:

+   name: proxy-role

+ rules:

+ - apiGroups:

+   - authentication.k8s.io

+   resources:

+   - tokenreviews

+   verbs:

+   - create

+ - apiGroups:

+   - authorization.k8s.io

+   resources:

+   - subjectaccessreviews

+   verbs:

+   - create

+ apiVersion: rbac.authorization.k8s.io/v1

+ kind: ClusterRoleBinding

+ metadata:

+   name: proxy-rolebinding

+ roleRef:

+   apiGroup: rbac.authorization.k8s.io

+   kind: ClusterRole

+   name: proxy-role

+ subjects:

+ - kind: ServiceAccount

+   name: controller-manager

+   namespace: system

+ apiVersion: v1

+ kind: Service

+ metadata:

+   labels:

+     control-plane: controller-manager

+   name: controller-manager-metrics-service

+   namespace: system

+ spec:

+   ports:

+   - name: https

+     port: 8443

+     protocol: TCP

+     targetPort: https

+   selector:

+     control-plane: controller-manager

+ resources:

+ # All RBAC will be applied under this service account in

+ # the deployment namespace. You may comment out this resource

+ # if your manager will use a service account that exists at

+ # runtime. Be sure to update RoleBinding and ClusterRoleBinding

+ # subjects if changing service account names.

+ - service_account.yaml

+ - role.yaml

+ - role_binding.yaml

+ - leader_election_role.yaml

+ - leader_election_role_binding.yaml

+ # Comment the following 4 lines if you want to disable

+ # the auth proxy (https://github.com/brancz/kube-rbac-proxy)

+ # which protects your /metrics endpoint.

+ - auth_proxy_service.yaml

+ - auth_proxy_role.yaml

+ - auth_proxy_role_binding.yaml

+ - auth_proxy_client_clusterrole.yaml

+ # permissions to do leader election.

+ apiVersion: rbac.authorization.k8s.io/v1

+ kind: Role

+ metadata:

+   name: leader-election-role

+ rules:

+ - apiGroups:

+   - ""

+   resources:

+   - configmaps

+   verbs:

+   - get

+   - list

+   - watch

+   - create

+   - update

+   - patch

+   - delete

+ - apiGroups:

+   - coordination.k8s.io

+   resources:

+   - leases

+   verbs:

+   - get

+   - list

+   - watch

+   - create

+   - update

+   - patch

+   - delete

+ - apiGroups:

+   - ""

+   resources:

+   - events

+   verbs:

+   - create

+   - patch

+ apiVersion: rbac.authorization.k8s.io/v1

+ kind: RoleBinding

+ metadata:

+   name: leader-election-rolebinding

+ roleRef:

+   apiGroup: rbac.authorization.k8s.io

+   kind: Role

+   name: leader-election-role

+ subjects:

+ - kind: ServiceAccount

+   name: controller-manager

+   namespace: system

+ # permissions for end users to edit resultsdbs.

+ apiVersion: rbac.authorization.k8s.io/v1

+ kind: ClusterRole

+ metadata:

+   name: resultsdb-editor-role

+ rules:

+ - apiGroups:

+   - gating.k8s.apps.fedoraproject.org

+   resources:

+   - resultsdbs

+   verbs:

+   - create

+   - delete

+   - get

+   - list

+   - patch

+   - update

+   - watch

+ - apiGroups:

+   - gating.k8s.apps.fedoraproject.org