Initial commit

.dockerignore

@@ -0,0 +1,3 @@
+dist/
+test/
+.tmp/

.github/dependabot.yml

@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/release.yml

@@ -0,0 +1,28 @@
+name: release
+on:
+ push:
+    tags:
+    - "*"
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/setup-go@v3
+      with:
+        go-version: 1.20.x
+    - uses: docker/setup-qemu-action@v2
+    - uses: docker/setup-buildx-action@v2
+    - uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: airfocusio
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+    - name: Run GoReleaser
+      uses: goreleaser/goreleaser-action@v3
+      with:
+        args: release --clean
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -0,0 +1,22 @@
+name: test
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+env:
+  GO111MODULE: on
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/setup-go@v2
+      with:
+        go-version: 1.20.x
+    - uses: actions/checkout@v2
+    - name: Build sources
+      run: go build ./...
+    - name: Run tests
+      run: make test

.gitignore

@@ -0,0 +1,2 @@
+dist/
+.tmp/

.goreleaser.yml

@@ -0,0 +1,54 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+project_name: kube-resourceless
+before:
+  hooks:
+  - go mod tidy
+  - ./deploy/kubernetes/manifests.sh {{ .Version }}
+builds:
+- env:
+  - CGO_ENABLED=0
+  goos:
+  - linux
+  goarch:
+  - amd64
+  - arm64
+release:
+  extra_files:
+  - glob: .tmp/manifests/manifests.yaml
+dockers:
+- image_templates:
+  - "ghcr.io/airfocusio/{{ .ProjectName }}:{{ .Version }}-amd64"
+  - "ghcr.io/airfocusio/{{ .ProjectName }}:latest-amd64"
+  use: buildx
+  goarch: amd64
+  dockerfile: Dockerfile
+  build_flag_templates:
+  - "--platform=linux/amd64"
+- image_templates:
+  - "ghcr.io/airfocusio/{{ .ProjectName }}:{{ .Version }}-arm64"
+  - "ghcr.io/airfocusio/{{ .ProjectName }}:latest-arm64"
+  use: buildx
+  goarch: arm64
+  dockerfile: Dockerfile
+  build_flag_templates:
+  - "--platform=linux/arm64"
+docker_manifests:
+- name_template: ghcr.io/airfocusio/{{ .ProjectName }}:{{ .Version }}
+  image_templates:
+  - ghcr.io/airfocusio/{{ .ProjectName }}:{{ .Version }}-amd64
+  - ghcr.io/airfocusio/{{ .ProjectName }}:{{ .Version }}-arm64
+- name_template: ghcr.io/airfocusio/{{ .ProjectName }}:latest
+  image_templates:
+  - ghcr.io/airfocusio/{{ .ProjectName }}:latest-amd64
+  - ghcr.io/airfocusio/{{ .ProjectName }}:latest-arm64
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "0.0.0-dev"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+    - '^docs:'
+    - '^test:'

Dockerfile

@@ -0,0 +1,4 @@
+FROM scratch
+ENTRYPOINT ["/bin/kube-resourceless"]
+COPY kube-resourceless /bin/kube-resourceless
+WORKDIR /workdir

Makefile

@@ -0,0 +1,27 @@
+.PHONY: *
+
+test:
+	go test -v ./...
+
+build:
+	goreleaser release --clean --skip-publish --snapshot
+
+release:
+	goreleaser release --clean
+
+
+kind-start:
+	kind delete cluster --name=kube-resourceless
+	kind create cluster --name=kube-resourceless
+	kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.3/cert-manager.yaml
+
+kind-stop:
+	kind delete cluster --name=kube-resourceless
+
+kind: build
+	kubectl -n kube-resourceless delete deployment -l app=kube-resourceless --wait
+	kind load docker-image ghcr.io/airfocusio/kube-resourceless:0.0.0-dev-amd64 --name kube-resourceless
+	kubectl apply -k test/deploy/kubernetes
+	sleep 10
+	kubectl delete -k test/examples || true
+	while ! kubectl apply -k test/examples; do sleep 1; done

cmd/root.go

@@ -0,0 +1,54 @@
+package cmd
+
+import (
+	"io/ioutil"
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/airfocusio/kube-resourceless/internal"
+	"github.com/spf13/cobra"
+)
+
+var (
+	verbose        bool
+	rootCmdTLSCert string
+	rootCmdTLSKey  string
+	rootCmd        = &cobra.Command{
+		Use: "kube-resourceless",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			service, err := internal.NewService(internal.ServiceOpts{
+				TLSCertFile: rootCmdTLSCert,
+				TLSKeyFile:  rootCmdTLSKey,
+			})
+			if err != nil {
+				return err
+			}
+
+			term := make(chan os.Signal, 1)
+			signal.Notify(term, syscall.SIGTERM)
+			signal.Notify(term, syscall.SIGINT)
+			if err := service.Run(term); err != nil {
+				return err
+			}
+			return nil
+		},
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			if !verbose {
+				internal.Debug = log.New(ioutil.Discard, "", log.LstdFlags)
+			}
+		},
+	}
+)
+
+func Execute() error {
+	return rootCmd.Execute()
+}
+
+func init() {
+	rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "")
+	rootCmd.Flags().StringVar(&rootCmdTLSCert, "tls-cert", "/etc/certs/tls.crt", "Path to the TLS certificate")
+	rootCmd.Flags().StringVar(&rootCmdTLSKey, "tls-key", "/etc/certs/tls.key", "Path to the TLS key")
+	rootCmd.AddCommand(versionCmd)
+}

cmd/version.go

@@ -0,0 +1,44 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"runtime/debug"
+
+	"github.com/spf13/cobra"
+)
+
+var Version FullVersion
+
+var (
+	versionCmd = &cobra.Command{
+		Use: "version",
+		Run: func(cmd *cobra.Command, args []string) {
+			os.Stdout.Write([]byte(Version.ToString() + "\n"))
+		},
+	}
+)
+
+type FullVersion struct {
+	Version string
+	Commit  string
+	Date    string
+	BuiltBy string
+}
+
+func (v FullVersion) ToString() string {
+	result := v.Version
+	if v.Commit != "" {
+		result = fmt.Sprintf("%s\ncommit: %s", result, v.Commit)
+	}
+	if v.Date != "" {
+		result = fmt.Sprintf("%s\nbuilt at: %s", result, v.Date)
+	}
+	if v.BuiltBy != "" {
+		result = fmt.Sprintf("%s\nbuilt by: %s", result, v.BuiltBy)
+	}
+	if info, ok := debug.ReadBuildInfo(); ok && info.Main.Sum != "" {
+		result = fmt.Sprintf("%s\nmodule version: %s, checksum: %s", result, info.Main.Version, info.Main.Sum)
+	}
+	return result
+}

deploy/kubernetes/certificate.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kube-resourceless
+  namespace: kube-resourceless
+  labels:
+    app: kube-resourceless
+spec:
+  secretName: kube-resourceless-tls
+  dnsNames:
+  - kube-resourceless
+  - kube-resourceless.kube-resourceless.svc
+  issuerRef:
+    name: selfsigned

deploy/kubernetes/deployment.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-resourceless
+  namespace: kube-resourceless
+  labels:
+    app: kube-resourceless
+spec:
+  selector:
+    matchLabels:
+      app: kube-resourceless
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: kube-resourceless
+    spec:
+      containers:
+      - name: kube-resourceless
+        image: ghcr.io/airfocusio/kube-resourceless:latest
+        volumeMounts:
+        - name: tls
+          mountPath: "/etc/certs"
+          readOnly: true
+      terminationGracePeriodSeconds: 3
+      volumes:
+      - name: tls
+        secret:
+          secretName: kube-resourceless-tls
+          optional: false

deploy/kubernetes/issuer.yaml

@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned
+  namespace: kube-resourceless
+  labels:
+    app: kube-resourceless
+spec:
+  selfSigned: {}

deploy/kubernetes/kustomization.yaml

@@ -0,0 +1,7 @@
+resources:
+- namespace.yaml
+- issuer.yaml
+- certificate.yaml
+- service.yaml
+- deployment.yaml
+- mutatingwebhookconfiguration.yaml

deploy/kubernetes/manifests.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -euo pipefail
+
+rm -rf .tmp/manifests
+mkdir -p .tmp/manifests
+cat > .tmp/manifests/kustomization.yaml << EOF
+resources:
+- ../../deploy/kubernetes
+images:
+- name: 'ghcr.io/airfocusio/kube-resourceless'
+  newTag: '${1}'
+EOF
+kustomize build .tmp/manifests > .tmp/manifests/manifests.yaml

deploy/kubernetes/mutatingwebhookconfiguration.yaml

@@ -0,0 +1,37 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: kube-resourceless
+  labels:
+    app: kube-resourceless
+  annotations:
+    cert-manager.io/inject-ca-from: kube-resourceless/kube-resourceless
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      namespace: kube-resourceless
+      name: kube-resourceless
+      port: 8443
+      path: "/mutate"
+  failurePolicy: Fail
+  name: kube-resourceless.airfocus.io
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - "kube-system"
+      - "kube-resourceless"
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - pods
+  sideEffects: None

deploy/kubernetes/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-resourceless
+  labels:
+    app: kube-resourceless