k8s/helm/charts/alloydb-omni-operator/templates/local-crs.yaml (583 lines of code) (raw):

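# RBAC, metrics Service and Deployment for the AlloyDB Omni "local" operator.
# Everything below runs under one identity: ServiceAccount
# local-controller-manager in namespace alloydb-omni-system. A compromise of
# that pod or its token yields every permission granted in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: local-controller-manager
  namespace: alloydb-omni-system
---
# Namespaced permissions used for leader election (see --leader-elect on the
# manager container): configmaps/leases as the lock, events for reporting.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: local-leader-election-role
  namespace: alloydb-omni-system
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
# Cluster-wide permissions of the operator. This role is attached with a
# ClusterRoleBinding (local-manager-rolebinding below), so every rule applies
# in ALL namespaces, not only alloydb-omni-system.
# Security-relevant grants to keep in mind when threat-modelling or writing
# audit-log detections for this ServiceAccount:
#   - secrets: read and write on every Secret in the cluster
#   - pods/exec: command execution inside any pod in the cluster
#   - pods, deployments, statefulsets: create/patch workloads anywhere
#   - persistentvolumes: patch/update of cluster-scoped storage objects
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: local-manager-role
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
# This secrets rule is a strict subset of the second core-group secrets rule
# further down (which adds "create"). RBAC rules are additive, so this entry
# is redundant; it is kept as emitted by the generator.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - failovers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - failovers/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instancebackupplans
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instancebackupplans/finalizers
  verbs:
  - update
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instancebackupplans/status
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instancebackups
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instancebackups/finalizers
  verbs:
  - update
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instancebackups/status
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instancerestores
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instancerestores/finalizers
  verbs:
  - update
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instancerestores/status
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instances
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instances/status
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instanceswitchovers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - instanceswitchovers/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - lrojobs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - replicationconfigs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - replicationconfigs/status
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - alloydbomni.internal.dbadmin.goog
  resources:
  - sidecars
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - deployments/status
  verbs:
  - get
- apiGroups:
  - apps
  resources:
  - statefulsets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - statefulsets/status
  verbs:
  - get
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - issuers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# "create" on pods/exec is the permission behind "kubectl exec". Granted
# cluster-wide it lets this identity run commands in any container of any
# namespace; exec calls by this ServiceAccount outside the namespaces that
# hold database workloads are worth an audit-log alert.
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - get
# Full read/write on Secrets in every namespace. Reading Secrets cluster-wide
# typically exposes other workloads' credentials and ServiceAccount tokens.
# NOTE(review): if the operator can be limited to the namespaces that host
# database clusters, per-namespace RoleBindings would shrink this blast
# radius - confirm against the operator's supported install modes.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
---
# Grants GET on the non-resource URL /metrics. Nothing in this file binds it;
# it is meant to be bound to whichever identity scrapes the metrics endpoint.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: local-metrics-reader
rules:
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
# Lets the kube-rbac-proxy sidecar submit TokenReview and SubjectAccessReview
# requests, i.e. authenticate and authorize callers of the metrics endpoint.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: local-proxy-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: local-leader-election-rolebinding
  namespace: alloydb-omni-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: local-leader-election-role
subjects:
- kind: ServiceAccount
  name: local-controller-manager
  namespace: alloydb-omni-system
---
# ClusterRoleBinding (not RoleBinding): this is what makes every rule in
# local-manager-role effective in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: local-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: local-manager-role
subjects:
- kind: ServiceAccount
  name: local-controller-manager
  namespace: alloydb-omni-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: local-proxy-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: local-proxy-role
subjects:
- kind: ServiceAccount
  name: local-controller-manager
  namespace: alloydb-omni-system
---
# Metrics endpoint, fronted by kube-rbac-proxy on the named port "https".
apiVersion: v1
kind: Service
metadata:
  labels:
    control-plane: controller-manager
  name: local-controller-manager-metrics-service
  namespace: alloydb-omni-system
spec:
  ports:
  - name: https
    port: 8443
    targetPort: https
  selector:
    # Fixed: the selector was "control-plane: controller-manager", a label the
    # pod template of the local-controller-manager Deployment does not carry
    # (its pods are labelled "local-control-plane"). The Service therefore had
    # no endpoints from this Deployment and could instead pick up any other
    # pod in the namespace that happens to carry the generic label.
    local-control-plane: controller-manager
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    local-control-plane: controller-manager
  name: local-controller-manager
  namespace: alloydb-omni-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      local-control-plane: controller-manager
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        local-control-plane: controller-manager
    spec:
      containers:
      - args:
        # Health probes listen on all interfaces, port 8081.
        - --health-probe-bind-address=:8081
        # Metrics are bound to loopback only; the kube-rbac-proxy sidecar
        # below is the only path to them from outside the pod.
        - --metrics-bind-address=127.0.0.1:8080
        - --leader-elect
        - --deployment-platform=generic-k8s
        # Quoted so the rendered value is always parsed as a single string.
        # The tag follows the chart version and tags are mutable; pinning by
        # digest is the stronger supply-chain control where the registry
        # allows it.
        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}/operator/local-operator:{{ .Chart.Version }}"
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 15
          periodSeconds: 20
        name: manager
        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        - containerPort: 8080
          name: metrics
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /readyz
            port: 8081
          initialDelaySeconds: 5
          periodSeconds: 10
        resources:
          limits:
            cpu: 500m
            memory: 1024Mi
          requests:
            cpu: 500m
            memory: 1024Mi
        # Only privilege escalation is blocked at container level.
        # NOTE(review): this container holds the cluster-wide secrets and
        # pods/exec permissions; consider also dropping all capabilities,
        # a read-only root filesystem and a RuntimeDefault seccomp profile
        # after confirming the image runs with them.
        securityContext:
          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
      - args:
        # TLS listener on all interfaces; requests are forwarded to the
        # manager's loopback-only metrics port.
        - --secure-listen-address=0.0.0.0:8443
        - --upstream=http://127.0.0.1:8080/
        - --logtostderr=true
        # NOTE(review): --v=10 is the most verbose log level. At this level
        # the proxy may log request and response detail for every scrape and
        # every TokenReview/SubjectAccessReview call; confirm that no bearer
        # tokens reach the pod logs and lower the level outside debugging.
        - --v=10
        image: "{{ .Values.image.registry }}/kubebuilder/kube-rbac-proxy:v0.14.1"
        name: kube-rbac-proxy
        ports:
        - containerPort: 8443
          name: https
      # NOTE(review): placed at pod level, matching the usual kubebuilder
      # layout; the listing this was reconstructed from had lost its
      # indentation, so confirm it is not the sidecar's container-level
      # securityContext in the chart.
      securityContext:
        runAsNonRoot: true
      serviceAccountName: local-controller-manager
      terminationGracePeriodSeconds: 10
      volumes:
      - name: cert
        secret:
          # Decimal 420 is octal 0644: the mounted webhook key material is
          # world-readable inside the pod, including to the sidecar's
          # filesystem view if the volume is ever mounted there.
          defaultMode: 420
          secretName: local-webhook-server-cert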