add workload feture, revert dockerfile

Dockerfile

@@ -18,36 +18,12 @@ COPY controllers/ controllers/
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-s -w -X main.version=${VERSION}" -a -o manager main.go
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest as base
-# temporary fix for CVE-2022-24407
-RUN microdnf --nodocs upgrade -y cyrus-sasl-lib
-ARG VERSION
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
 WORKDIR /
+COPY --from=builder --chown=65532:65532 /workspace/manager .
 COPY config/crd/kic ./config/crd/kic
-COPY LICENSE /licenses/
-
-LABEL name="NGINX Ingress Operator" \
-      maintainer="kubernetes@nginx.com" \
-      vendor="NGINX Inc" \
-      version="${VERSION}" \
-      release="1" \
-      summary="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers" \
-      description="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
+USER 65532:65532
 
 ENTRYPOINT ["/manager"]
-
-USER 1001
-
-FROM base as goreleaser
-ARG TARGETARCH
-ARG TARGETVARIANT
-
-LABEL org.nginx.kic.image.build.version="goreleaser"
-
-COPY ./dist/nginx-ingress-operator_linux_$TARGETARCH/manager /
-
-FROM base as local
-
-LABEL org.nginx.kic.image.build.version="local"
-
-COPY --from=builder /workspace/manager .

Makefile

@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.5.1
+VERSION ?= 0.5.2
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
@@ -31,7 +31,7 @@ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 #
 # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both
 # nginx/nginx-ingress-operator-bundle:$VERSION and nginx/nginx-ingress-operator-catalog:$VERSION.
-IMAGE_TAG_BASE ?= nginx/nginx-ingress-operator
+IMAGE_TAG_BASE ?= kubegems/nginx-ingress-operator
 
 # BUNDLE_IMG defines the image:tag used for the bundle.
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
@@ -128,8 +128,8 @@ run: manifests generate fmt vet ## Run a controller from your host.
 	go run -ldflags "-X main.version=${VERSION}" ./main.go $(ARGS)
 
 .PHONY: docker-build
-docker-build: test ## Build docker image with the manager.
-	docker build -t ${IMG} . --build-arg VERSION=${VERSION} --target local
+docker-build:  ## Build docker image with the manager.
+	docker build -t ${IMG} . --build-arg VERSION=${VERSION}
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.

api/v1alpha1/nginxingresscontroller_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -73,6 +74,11 @@ type NginxIngressControllerSpec struct {
 	// +nullable
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	Service *Service `json:"service"`
+	// The Workload of the Ingress controller.
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
+	Workload *Workload `json:"workload"`
 	// Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces.
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
@@ -292,6 +298,16 @@ type AppProtectDos struct {
 	Memory int `json:"memory,omitempty"`
 }
 
+// Workload of the Ingress controller.
+type Workload struct {
+	// Specifies resource request and limit of the nginx container
+	// +kubebuilder:validation:Optional
+	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
+	// Specifies extra labels of the workload(deployment or daemonset) of nginx.
+	// +kubebuilder:validation:Optional
+	ExtraLabels map[string]string `json:"extraLabels,omitempty"`
+}
+
 // Service defines the Service for the Ingress Controller.
 type Service struct {
 	// Specifies extra labels of the service.

config/crd/bases/k8s.nginx.org_nginxingresscontrollers.yaml

@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.7.0
+    controller-gen.kubebuilder.io/version: v0.4.1
   creationTimestamp: null
   name: nginxingresscontrollers.k8s.nginx.org
 spec:
@@ -305,6 +305,44 @@ spec:
                   Kubernetes API, the Ingress Controller will fail to start. Format
                   is namespace/name.
                 type: string
+              workload:
+                description: The Workload of the Ingress controller.
+                nullable: true
+                properties:
+                  extraLabels:
+                    additionalProperties:
+                      type: string
+                    description: Specifies extra labels of the workload(deployment
+                      or daemonset) of nginx.
+                    type: object
+                  resources:
+                    description: Specifies resource request and limit of the nginx
+                      container
+                    properties:
+                      limits:
+                        additionalProperties:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                          x-kubernetes-int-or-string: true
+                        description: 'Limits describes the maximum amount of compute
+                          resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                        type: object
+                      requests:
+                        additionalProperties:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                          x-kubernetes-int-or-string: true
+                        description: 'Requests describes the minimum amount of compute
+                          resources required. If Requests is omitted for a container,
+                          it defaults to Limits if that is explicitly specified, otherwise
+                          to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                        type: object
+                    type: object
+                type: object
             required:
             - image
             - serviceType

controllers/daemonset.go

@@ -1,6 +1,8 @@
 package controllers
 
 import (
+	"reflect"
+
 	k8sv1alpha1 "github.com/nginxinc/nginx-ingress-operator/api/v1alpha1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -14,11 +16,15 @@ func daemonSetForNginxIngressController(instance *k8sv1alpha1.NginxIngressContro
 	allowPrivilegeEscalation := new(bool)
 	*runAsUser = 101
 	*allowPrivilegeEscalation = true
+	if instance.Spec.Workload == nil {
+		instance.Spec.Workload = &k8sv1alpha1.Workload{}
+	}
 
 	dep := &appsv1.DaemonSet{
 		ObjectMeta: v1.ObjectMeta{
 			Name:      instance.Name,
 			Namespace: instance.Namespace,
+			Labels:    instance.Spec.Workload.ExtraLabels,
 		},
 		Spec: appsv1.DaemonSetSpec{
 			Selector: &v1.LabelSelector{
@@ -28,7 +34,7 @@ func daemonSetForNginxIngressController(instance *k8sv1alpha1.NginxIngressContro
 				ObjectMeta: v1.ObjectMeta{
 					Name:      instance.Name,
 					Namespace: instance.Namespace,
-					Labels:    map[string]string{"app": instance.Name},
+					Labels:    mergeLabels(map[string]string{"app": instance.Name}, instance.Spec.Workload.ExtraLabels),
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: instance.Name,
@@ -74,6 +80,7 @@ func daemonSetForNginxIngressController(instance *k8sv1alpha1.NginxIngressContro
 									},
 								},
 							},
+							Resources: instance.Spec.Workload.Resources,
 						},
 					},
 				},
@@ -97,11 +104,25 @@ func hasDaemonSetChanged(ds *appsv1.DaemonSet, instance *k8sv1alpha1.NginxIngres
 		return true
 	}
 
+	if instance.Spec.Workload == nil {
+		instance.Spec.Workload = &k8sv1alpha1.Workload{}
+	}
+	if !reflect.DeepEqual(ds.Labels, instance.Spec.Workload.ExtraLabels) {
+		return true
+	}
+
+	if HasDifferentResources(container.Resources, instance.Spec.Workload.Resources) {
+		return true
+	}
+
 	return hasDifferentArguments(container, instance)
 }
 
 func updateDaemonSet(ds *appsv1.DaemonSet, instance *k8sv1alpha1.NginxIngressController) *appsv1.DaemonSet {
 	ds.Spec.Template.Spec.Containers[0].Image = generateImage(instance.Spec.Image.Repository, instance.Spec.Image.Tag)
 	ds.Spec.Template.Spec.Containers[0].Args = generatePodArgs(instance)
+	ds.Spec.Template.Spec.Containers[0].Resources = instance.Spec.Workload.Resources
+	ds.Labels = instance.Spec.Workload.ExtraLabels
+	ds.Spec.Template.Labels = mergeLabels(map[string]string{"app": instance.Name}, instance.Spec.Workload.ExtraLabels)
 	return ds
 }

controllers/deployment.go

@@ -1,6 +1,8 @@
 package controllers
 
 import (
+	"reflect"
+
 	k8sv1alpha1 "github.com/nginxinc/nginx-ingress-operator/api/v1alpha1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -14,11 +16,15 @@ func deploymentForNginxIngressController(instance *k8sv1alpha1.NginxIngressContr
 	allowPrivilegeEscalation := new(bool)
 	*runAsUser = 101
 	*allowPrivilegeEscalation = true
+	if instance.Spec.Workload == nil {
+		instance.Spec.Workload = &k8sv1alpha1.Workload{}
+	}
 
 	dep := &appsv1.Deployment{
 		ObjectMeta: v1.ObjectMeta{
 			Name:      instance.Name,
 			Namespace: instance.Namespace,
+			Labels:    instance.Spec.Workload.ExtraLabels,
 		},
 		Spec: appsv1.DeploymentSpec{
 			Selector: &v1.LabelSelector{
@@ -29,7 +35,7 @@ func deploymentForNginxIngressController(instance *k8sv1alpha1.NginxIngressContr
 				ObjectMeta: v1.ObjectMeta{
 					Name:      instance.Name,
 					Namespace: instance.Namespace,
-					Labels:    map[string]string{"app": instance.Name},
+					Labels:    mergeLabels(map[string]string{"app": instance.Name}, instance.Spec.Workload.ExtraLabels),
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: instance.Name,
@@ -75,6 +81,7 @@ func deploymentForNginxIngressController(instance *k8sv1alpha1.NginxIngressContr
 									},
 								},
 							},
+							Resources: instance.Spec.Workload.Resources,
 						},
 					},
 				},
@@ -104,6 +111,17 @@ func hasDeploymentChanged(dep *appsv1.Deployment, instance *k8sv1alpha1.NginxIng
 		return true
 	}
 
+	if instance.Spec.Workload == nil {
+		instance.Spec.Workload = &k8sv1alpha1.Workload{}
+	}
+	if !reflect.DeepEqual(dep.Labels, instance.Spec.Workload.ExtraLabels) {
+		return true
+	}
+
+	if HasDifferentResources(container.Resources, instance.Spec.Workload.Resources) {
+		return true
+	}
+
 	return hasDifferentArguments(container, instance)
 }
 
@@ -116,5 +134,8 @@ func updateDeployment(dep *appsv1.Deployment, instance *k8sv1alpha1.NginxIngress
 	}
 	dep.Spec.Template.Spec.Containers[0].Image = generateImage(instance.Spec.Image.Repository, instance.Spec.Image.Tag)
 	dep.Spec.Template.Spec.Containers[0].Args = generatePodArgs(instance)
+	dep.Spec.Template.Spec.Containers[0].Resources = instance.Spec.Workload.Resources
+	dep.Labels = instance.Spec.Workload.ExtraLabels
+	dep.Spec.Template.Labels = mergeLabels(map[string]string{"app": instance.Name}, instance.Spec.Workload.ExtraLabels)
 	return dep
 }