diff --git a/.gitea/workflows/publish.yaml b/.gitea/workflows/publish.yaml
index 3e6f004..d366da8 100644
--- a/.gitea/workflows/publish.yaml
+++ b/.gitea/workflows/publish.yaml
@@ -6,28 +6,29 @@ on: jobs: build: runs-on: ubuntu-latest - container: golang:1.24 + container: golang:1.24-bookworm steps: + - name: Install dependencies + run: apt update && apt -y install nodejs bash - name: Setup SSH run: | mkdir -p ~/.ssh echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa ssh-keyscan gitea-ssh.engen.priv.no >> ~/.ssh/known_hosts - - name: Install node and go - run: apt update && apt -y install nodejs - name: Check out repository code uses: actions/checkout@v4 - name: ssh repo run: git config --global url.git@gitea-ssh.engen.priv.no:.insteadOf https://gitea.engen.priv.no/ - name: Install ko run: go install github.com/google/ko@latest - - name: Extract tag - id: get_tag + - name: Extract tag (outside container) + shell: bash run: | - echo "tag=${GITEA_REF##refs/tags/}" >> "$GITEA_OUTPUT" + echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV + env - name: Build env: KO_DOCKER_REPO: registry.engen.priv.no/unifi-network-operator-controller - PATH: /go/bin:$PATH - run: ko publish ./cmd --tags "${{ steps.get_tag.outputs.tag }},latest" + run: | + ko publish ./cmd --tags "$TAG,latest" --bare
diff --git a/dist/install.yaml b/dist/install.yaml
new file mode 100644
index 0000000..00f21bd
--- /dev/null
+++ b/dist/install.yaml
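Review bot: The bare `env` added after the `echo` in the "Extract tag (outside container)" step dumps the entire runner environment into the persisted job log; on a Gitea act_runner that environment commonly includes the job token and any value the log masker does not know about, so the line should go once the tag debugging is finished, leaving `echo "TAG=${GITHUB_REF#refs/tags/}" >> "$GITHUB_ENV"` with the file path quoted. The "(outside container)" in the step name is misleading, since the job-level `container: golang:1.24-bookworm` runs every step, this one included, inside that image. `${GITHUB_REF#refs/tags/}` only strips a tag prefix, so if the `on:` block above the hunk also fires for branch pushes, `$TAG` ends up as something like `refs/heads/main` and `ko publish --tags "$TAG,latest"` is handed a tag containing `/`; a guard such as `case "$GITHUB_REF" in refs/tags/*) ;; *) echo "not a tag ref" >&2; exit 1;; esac` makes that failure explicit instead of pushing a broken or unintended `latest`. Minor: `apt` warns that its CLI is not script-stable, and bash is most likely already present in a bookworm image, so `apt-get update && apt-get install -y --no-install-recommends nodejs` is the conventional form for the new "Install dependencies" step.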
@@ -0,0 +1,952 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + control-plane: controller-manager + name: unifi-network-operator-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + name: firewallpolicies.unifi.engen.priv.no +spec: + group: unifi.engen.priv.no + names: + kind: FirewallPolicy + listKind: FirewallPolicyList + plural: firewallpolicies + singular: firewallpolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: FirewallPolicy is the Schema for the firewallpolicies API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + destination: + properties: + firewall_groups: + items: + properties: + name: + type: string + namespace: + type: string + type: object + type: array + services: + items: + properties: + name: + type: string + namespace: + type: string + type: object + type: array + type: object + match_firewall_groups_in_all_namespaces: + type: boolean + match_services_in_all_namespaces: + type: boolean + name: + type: string + source: + properties: + from_networks: + items: + properties: + name: + type: string + namespace: + type: string + type: object + type: array + from_zones: + items: + properties: + name: + type: string + namespace: + type: string + type: object + type: array + type: object + required: + - destination + - name + - source + type: object + status: + description: FirewallPolicyStatus defines the observed state of FirewallPolicy. 
+ properties: + resources_managed: + properties: + firewall_groups_managed: + items: + properties: + name: + type: string + namespace: + type: string + type: object + type: array + firewall_policies_managed: + items: + properties: + from: + type: string + tcpipv4_id: + type: string + tcpipv6_id: + type: string + to: + type: string + udpipv4_id: + type: string + udpipv6_id: + type: string + required: + - from + - tcpipv4_id + - tcpipv6_id + - to + - udpipv4_id + - udpipv6_id + type: object + type: array + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + name: firewallzones.unifi.engen.priv.no +spec: + group: unifi.engen.priv.no + names: + kind: FirewallZone + listKind: FirewallZoneList + plural: firewallzones + singular: firewallzone + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: FirewallZone is the Schema for the firewallzones API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FirewallZoneSpec defines the desired state of FirewallZone. 
+ properties: + _id: + type: string + default_zone: + type: boolean + name: + type: string + network_ids: + items: + type: string + type: array + zone_key: + type: string + type: object + status: + description: FirewallZoneStatus defines the observed state of FirewallZone. + properties: + resources_managed: + properties: + firewall_zones_managed: + items: + properties: + id: + type: string + name: + type: string + type: object + type: array + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + name: networkconfigurations.unifi.engen.priv.no +spec: + group: unifi.engen.priv.no + names: + kind: Networkconfiguration + listKind: NetworkconfigurationList + plural: networkconfigurations + singular: networkconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: Networkconfiguration is the Schema for the networkconfigurations + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: NetworkconfigurationSpec defines the desired state of Networkconfiguration. 
+ properties: + _id: + description: Foo is an example field of Networkconfiguration. Edit + networkconfiguration_types.go to remove/update + type: string + enabled: + type: boolean + firewall_zone: + type: string + gateway_type: + type: string + ip_subnet: + type: string + ipv6_interface_type: + type: string + ipv6_pd_auto_prefixid_enabled: + type: boolean + ipv6_ra_enabled: + type: boolean + ipv6_setting_preference: + type: string + ipv6_subnet: + type: string + name: + type: string + networkgroup: + type: string + purpose: + type: string + setting_preference: + type: string + vlan: + format: int64 + type: integer + vlan_enabled: + type: boolean + required: + - name + type: object + status: + description: NetworkconfigurationStatus defines the observed state of + Networkconfiguration. + properties: + firewall_zone_id: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + ipv6_subnet_status: + type: string + lastSyncTime: + description: LastSyncTime is the last time the object was synced + format: date-time + type: string + resources_managed: + properties: + networks_managed: + items: + properties: + id: + type: string + name: + type: string + type: object + type: array + type: object + syncedWithUnifi: + description: SyncedWithUnifi indicates whether the addresses are successfully + pushed + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + name: portforwards.unifi.engen.priv.no +spec: + group: unifi.engen.priv.no + names: + kind: PortForward + listKind: PortForwardList + plural: portforwards + singular: portforward + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: |- + PortForward is a placeholder type 
to allow future CRD support if needed. + Right now, port forwards are managed entirely through annotations on Services. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + type: object + status: + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-controller-manager + namespace: unifi-network-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-leader-election-role + namespace: unifi-network-operator-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: 
unifi-network-operator + name: unifi-network-operator-firewallpolicy-admin-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallpolicies + verbs: + - '*' +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallpolicies/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-firewallpolicy-editor-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallpolicies/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-firewallpolicy-viewer-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallpolicies + verbs: + - get + - list + - watch +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallpolicies/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-firewallzone-admin-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallzones + verbs: + - '*' +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallzones/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-firewallzone-editor-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallzones + verbs: + - create + - delete + - get + - list + - 
patch + - update + - watch +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallzones/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-firewallzone-viewer-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallzones + verbs: + - get + - list + - watch +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallzones/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: unifi-network-operator-manager-role +rules: +- apiGroups: + - "" + resources: + - configmaps + - services + verbs: + - get + - list + - watch +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallgroups + - firewallpolicies + - firewallzones + - networkconfigurations + - portforwards + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallgroups/finalizers + - firewallpolicies/finalizers + - firewallzones/finalizers + - networkconfigurations/finalizers + - portforwards/finalizers + verbs: + - update +- apiGroups: + - unifi.engen.priv.no + resources: + - firewallgroups/status + - firewallpolicies/status + - firewallzones/status + - networkconfigurations/status + - portforwards/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: unifi-network-operator-metrics-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: unifi-network-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-networkconfiguration-admin-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - networkconfigurations + verbs: + - '*' +- apiGroups: + - unifi.engen.priv.no + resources: + - networkconfigurations/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-networkconfiguration-editor-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - networkconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - unifi.engen.priv.no + resources: + - networkconfigurations/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-networkconfiguration-viewer-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - networkconfigurations + verbs: + - get + - list + - watch +- apiGroups: + - unifi.engen.priv.no + resources: + - networkconfigurations/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-portforward-admin-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - portforwards + verbs: + - '*' +- apiGroups: + - unifi.engen.priv.no + resources: + - portforwards/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: 
unifi-network-operator-portforward-editor-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - portforwards + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - unifi.engen.priv.no + resources: + - portforwards/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-portforward-viewer-role +rules: +- apiGroups: + - unifi.engen.priv.no + resources: + - portforwards + verbs: + - get + - list + - watch +- apiGroups: + - unifi.engen.priv.no + resources: + - portforwards/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-leader-election-rolebinding + namespace: unifi-network-operator-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: unifi-network-operator-leader-election-role +subjects: +- kind: ServiceAccount + name: unifi-network-operator-controller-manager + namespace: unifi-network-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + name: unifi-network-operator-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: unifi-network-operator-manager-role +subjects: +- kind: ServiceAccount + name: unifi-network-operator-controller-manager + namespace: unifi-network-operator-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: unifi-network-operator-metrics-auth-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: unifi-network-operator-metrics-auth-role +subjects: +- 
kind: ServiceAccount + name: unifi-network-operator-controller-manager + namespace: unifi-network-operator-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + control-plane: controller-manager + name: unifi-network-operator-controller-manager-metrics-service + namespace: unifi-network-operator-system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/name: unifi-network-operator + control-plane: controller-manager +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: unifi-network-operator + control-plane: controller-manager + name: unifi-network-operator-controller-manager + namespace: unifi-network-operator-system +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: unifi-network-operator + control-plane: controller-manager + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + app.kubernetes.io/name: unifi-network-operator + control-plane: controller-manager + spec: + containers: + - args: + - --metrics-bind-address=:8443 + - --leader-elect + - --health-probe-bind-address=:8081 + env: + - name: UNIFI_URL + valueFrom: + secretKeyRef: + key: UNIFI_URL + name: unifi-configuration + - name: UNIFI_SITE + valueFrom: + secretKeyRef: + key: UNIFI_SITE + name: unifi-configuration + - name: UNIFI_USER + valueFrom: + secretKeyRef: + key: UNIFI_USERNAME + name: unifi-configuration + - name: UNIFI_PASSWORD + valueFrom: + secretKeyRef: + key: UNIFI_PASSWORD + name: unifi-configuration + image: registry.engen.priv.no/unifi-network-operator-controller:latest + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: [] + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + 
periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: [] + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: unifi-network-operator-controller-manager + terminationGracePeriodSeconds: 10 + volumes: []
diff --git a/main b/main
new file mode 100755
index 0000000..1ec7499
Binary files /dev/null and b/main differ