Bump k8s to v1.35, automount service account token

.github/workflows/test.yml

@@ -192,9 +192,6 @@ jobs:
           go-version: "1.25"
           cache: true
 
-      - name: Install dependencies
-        run: sudo apt-get update && sudo apt-get install -y jq sshpass
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3.12.0
 

AGENTS.md

@@ -5,10 +5,14 @@
 - Don't include comments unless they add meaningful context.
 - Use the `errors` package for sentinel errors.
 - Don't ignore errors by assigning to `_`.
+- Ensure any defaults are the same in deploy/ and charts/
 
 ## Testing instructions
-- Fix any test or type errors until everything succeeds.
 - Add or update tests for the code you change, even if nobody asked.
-- Update Go tests and scripts/e2e-tests.sh as needed.
+- Tests are defined in:
+  - `charts/binarylane-cloud-controller-manager/tests`
+  - `scripts/e2e-tests.sh`
+  - `internal/**/*_test.go`
 - Run deploy-cluster.sh before e2e-tests.sh, and then delete-cluster.sh after.
 - Run golangci-lint locally to ensure no linting errors.
+- Before finishing, run tests and ensure they pass.

README.md

@@ -40,7 +40,7 @@ kubectl create secret generic binarylane-api-token \
 # Install the chart from GitHub Container Registry
 helm install binarylane-ccm \
   oci://ghcr.io/oscarhermoso/charts/binarylane-cloud-controller-manager \
-  --version 0.2.2 \
+  --version 0.2.4 \
   --namespace kube-system \
   --set cloudControllerManager.secret.name="binarylane-api-token"
 ```
@@ -60,13 +60,13 @@ kubectl create secret generic binarylane-api-token \
 2. **Deploy the RBAC configuration:**
 
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/oscarhermoso/binarylane-cloud-controller-manager/main/deploy/kubernetes/rbac.yaml
+kubectl apply -f https://raw.githubusercontent.com/oscarhermoso/binarylane-cloud-controller-manager/v0.2.4/deploy/kubernetes/rbac.yaml
 ```
 
 3. **Deploy the cloud controller manager:**
 
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/oscarhermoso/binarylane-cloud-controller-manager/main/deploy/kubernetes/deployment.yaml
+kubectl apply -f https://raw.githubusercontent.com/oscarhermoso/binarylane-cloud-controller-manager/v0.2.4/deploy/kubernetes/deployment.yaml
 ```
 
 ## Configuration

charts/binarylane-cloud-controller-manager/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: binarylane-cloud-controller-manager
 description: Kubernetes Cloud Controller Manager for BinaryLane
 type: application
-version: 0.2.3
-appVersion: '0.2.3'
+version: 0.2.4
+appVersion: '0.2.4'
 keywords:
   - kubernetes
   - cloud-controller-manager

charts/binarylane-cloud-controller-manager/README.md

@@ -16,9 +16,10 @@ The following table lists the configurable parameters of the chart and their def
 | `image.repository`                   | Image repository                    | `ghcr.io/oscarhermoso/binarylane-cloud-controller-manager` |
 | `image.pullPolicy`                   | Image pull policy                   | `IfNotPresent`                                             |
 | `image.tag`                          | Image tag                           | Chart appVersion                                           |
-| `cloudControllerManager.secret.name` | Name of secret containing API token | `""`                                                       |
+| `cloudControllerManager.secret.name` | Name of secret containing API token | `"binarylane-api-token"`                                   |
 | `cloudControllerManager.secret.key`  | Key in secret for API token         | `api-token`                                                |
 | `serviceAccount.create`              | Create service account              | `true`                                                     |
+| `serviceAccount.automount`           | Automount SA token                  | `true`                                                     |
 | `serviceAccount.name`                | Service account name                | Generated from template                                    |
 | `resources.limits.cpu`               | CPU limit                           | `200m`                                                     |
 | `resources.limits.memory`            | Memory limit                        | `128Mi`                                                    |

charts/binarylane-cloud-controller-manager/templates/deployment.yaml

@@ -41,13 +41,14 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
-        - name: cloud-controller-manager
+        - name: binarylane-cloud-controller-manager
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command:
             - /binarylane-cloud-controller-manager
+            - --allow-untagged-cloud
             - --cloud-provider=binarylane
             - --leader-elect=true
             - --use-service-account-credentials=true
@@ -66,14 +67,24 @@ spec:
             {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.extraVolumeMounts }}
           volumeMounts:
+            - mountPath: /etc/kubernetes/
+              name: k8s
+            - mountPath: /etc/kubernetes/config
+              name: cloud-config
+            {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
-          {{- end }}
-      {{- with .Values.extraVolumes }}
+            {{- end }}
       volumes:
+        - name: k8s
+          hostPath:
+            path: /etc/kubernetes
+        - name: cloud-config
+          hostPath:
+            path: /etc/kubernetes/config
+        {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/binarylane-cloud-controller-manager/tests/deployment_test.yaml

@@ -2,6 +2,7 @@ suite: test deployment
 templates:
   - deployment.yaml
   - rbac.yaml
+  - serviceaccount.yaml
   - test-secret.yaml
 tests:
   - it: should create a deployment with correct replicas
@@ -191,3 +192,80 @@ tests:
       - equal:
           path: spec.template.spec.containers[0].resources.requests.cpu
           value: '200m'
+
+  - it: should set automountServiceAccountToken by default
+    template: serviceaccount.yaml
+    set:
+      cloudControllerManager.secret.name: 'binarylane-api-token'
+    asserts:
+      - equal:
+          path: automountServiceAccountToken
+          value: true
+
+  - it: should set automountServiceAccountToken when configured
+    template: serviceaccount.yaml
+    set:
+      cloudControllerManager.secret.name: 'binarylane-api-token'
+      serviceAccount.automount: false
+    asserts:
+      - equal:
+          path: automountServiceAccountToken
+          value: false
+
+  - it: should use correct container name
+    template: deployment.yaml
+    set:
+      cloudControllerManager.secret.name: 'binarylane-api-token'
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].name
+          value: binarylane-cloud-controller-manager
+
+  - it: should include --allow-untagged-cloud flag
+    template: deployment.yaml
+    set:
+      cloudControllerManager.secret.name: 'binarylane-api-token'
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].command
+          content: --allow-untagged-cloud
+
+  - it: should mount kubernetes config volumes
+    template: deployment.yaml
+    set:
+      cloudControllerManager.secret.name: 'binarylane-api-token'
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: k8s
+            hostPath:
+              path: /etc/kubernetes
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: cloud-config
+            hostPath:
+              path: /etc/kubernetes/config
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /etc/kubernetes/
+            name: k8s
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /etc/kubernetes/config
+            name: cloud-config
+
+  - it: should use default secret name
+    template: deployment.yaml
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: BINARYLANE_API_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: binarylane-api-token
+                key: api-token

charts/binarylane-cloud-controller-manager/values-example.yaml

@@ -60,6 +60,8 @@ nodeSelector:
 
 # Tolerations - allow scheduling on control plane nodes
 tolerations:
+  - key: CriticalAddonsOnly
+    operator: Exists
   - effect: NoSchedule
     key: node-role.kubernetes.io/control-plane
     operator: Exists

charts/binarylane-cloud-controller-manager/values.yaml

@@ -21,7 +21,7 @@ cloudControllerManager:
   # Name of secret containing BinaryLane API token
   # Create: kubectl create secret generic binarylane-api-token --from-literal=api-token="YOUR_TOKEN" -n kube-system
   secret:
-    name: ''
+    name: 'binarylane-api-token'
     key: 'api-token'
 
 serviceAccount:
@@ -53,19 +53,22 @@ securityContext:
   readOnlyRootFilesystem: true
 
 resources:
-  limits:
-    cpu: 200m
-    memory: 128Mi
   requests:
     cpu: 100m
     memory: 64Mi
+  limits:
+    cpu: 500m
+    memory: 1Gi
 
 # Node selector for pod assignment
 nodeSelector:
   node-role.kubernetes.io/control-plane: ''
 
 # Tolerations for pod assignment
 tolerations:
+  # Tolerate CriticalAddonsOnly taint
+  - key: CriticalAddonsOnly
+    operator: Exists
   # Tolerate control-plane taint (Kubernetes 1.24+)
   - effect: NoSchedule
     key: node-role.kubernetes.io/control-plane

deploy/kubernetes/deployment.yaml

@@ -5,35 +5,48 @@ metadata:
   namespace: kube-system
   labels:
     app.kubernetes.io/name: binarylane-cloud-controller-manager
+    app.kubernetes.io/instance: binarylane-cloud-controller-manager
+    app.kubernetes.io/version: '0.2.4'
     app.kubernetes.io/component: cloud-controller-manager
     app.kubernetes.io/part-of: kubernetes
 spec:
   replicas: 1 # Adjust the number of replicas as needed
-  revisionHistoryLimit: 2
   strategy:
     type: Recreate
   selector:
     matchLabels:
       app.kubernetes.io/name: binarylane-cloud-controller-manager
+      app.kubernetes.io/instance: binarylane-cloud-controller-manager
   template:
     metadata:
       labels:
         app.kubernetes.io/name: binarylane-cloud-controller-manager
+        app.kubernetes.io/instance: binarylane-cloud-controller-manager
+        app.kubernetes.io/version: '0.2.4'
         app.kubernetes.io/component: cloud-controller-manager
         app.kubernetes.io/part-of: kubernetes
     spec:
       dnsPolicy: Default
       hostNetwork: true
-      serviceAccountName: cloud-controller-manager
+      serviceAccountName: binarylane-cloud-controller-manager
       priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
+        fsGroup: 65532
+        seccompProfile:
+          type: RuntimeDefault
       affinity:
         podAntiAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             - topologyKey: kubernetes.io/hostname
               labelSelector:
                 matchLabels:
                   app.kubernetes.io/name: binarylane-cloud-controller-manager
+                  app.kubernetes.io/instance: binarylane-cloud-controller-manager
       tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
         - effect: NoSchedule
           key: node-role.kubernetes.io/control-plane
           operator: Exists
@@ -54,16 +67,25 @@ spec:
         - effect: NoSchedule
           key: node.kubernetes.io/not-ready
           operator: Exists
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ''
       containers:
         - name: binarylane-cloud-controller-manager
-          image: ghcr.io/oscarhermoso/binarylane-cloud-controller-manager:latest
+          image: ghcr.io/oscarhermoso/binarylane-cloud-controller-manager:0.2.4
           imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
           command:
-            - '/binarylane-cloud-controller-manager'
-            - '--cloud-provider=binarylane'
-            - '--leader-elect=true'
-            - '--use-service-account-credentials=true'
-            - '--v=2'
+            - /binarylane-cloud-controller-manager
+            - --allow-untagged-cloud
+            - --cloud-provider=binarylane
+            - --leader-elect=true
+            - --use-service-account-credentials=true
+            - --v=2
           env:
             - name: BINARYLANE_API_TOKEN
               valueFrom:
@@ -73,7 +95,19 @@ spec:
           resources:
             requests:
               cpu: 100m
-              memory: 50Mi
+              memory: 64Mi
             limits:
-              cpu: 200m
-              memory: 100Mi
+              cpu: 500m
+              memory: 1Gi
+          volumeMounts:
+            - mountPath: /etc/kubernetes/
+              name: k8s
+            - mountPath: /etc/kubernetes/config
+              name: cloud-config
+      volumes:
+        - name: k8s
+          hostPath:
+            path: /etc/kubernetes
+        - name: cloud-config
+          hostPath:
+            path: /etc/kubernetes/config