feat: add k8s-resources

Signed-off-by: Christian Kotzbauer <[email protected]>

deploy/deployment.yaml

@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: vulnerability-operator
+  name: vulnerability-operator
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vulnerability-operator
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vulnerability-operator
+    spec:
+      containers:
+      - image: ghcr.io/ckotzbauer/vulnerability-operator:latest
+        imagePullPolicy: Always
+        name: operator
+        env:
+          - name: VULN_GIT_ACCESS_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "vulnerability-operator"
+                key: "accessToken"
+        args:
+          # example values
+          - --cron="0 30 * * * *"
+          - --git-repository=https://github.com/myorg/my-sbom-repo
+          - --git-path=dev-cluster/sboms
+          - --targets=metrics
+        ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 101
+        volumeMounts:
+          - mountPath: /work
+            name: work
+          - mountPath: /tmp
+            name: tmp
+        resources:
+          limits:
+            cpu: 500m
+            memory: 250Mi
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        livenessProbe:
+          timeoutSeconds: 3
+          httpGet:
+            path: "/health"
+            port: 8080
+        readinessProbe:
+          timeoutSeconds: 3
+          httpGet:
+            path: "/health"
+            port: 8080
+      volumes:
+        - name: work
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+      securityContext:
+        fsGroup: 101
+      serviceAccountName: vulnerability-operator
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: vulnerability-operator
+  name: vulnerability-operator
+  namespace: default
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080
+    protocol: TCP
+  selector:
+    app.kubernetes.io/name: vulnerability-operator
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/name: vulnerability-operator
+    release: prometheus
+  name: vulnerability-operator
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vulnerability-operator
+  namespaceSelector:
+    matchNames:
+      - default
+  endpoints:
+    - path: /metrics
+      port: http

deploy/rbac.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vulnerability-operator
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vulnerability-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vulnerability-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: vulnerability-operator
+subjects:
+- kind: ServiceAccount
+  name: vulnerability-operator
+  namespace: default