Kustomize Deployment Manifests
Reference documentation for the config/ directory structure and Kustomize overlays used to deploy the memcached-operator, its CRDs, RBAC, webhooks, and supporting resources to a Kubernetes cluster.
Source: config/, Makefile
Overview
The operator uses Kustomize to compose Kubernetes manifests from modular bases. The config/ directory follows the standard Kubebuilder v4 layout, with each subdirectory providing a self-contained Kustomize base. The config/default/ overlay aggregates all bases and applies patches for the production deployment.
This design allows deploying individual components in isolation (e.g. CRDs only for local development) or the full stack in one command.
Directory Structure
```text
config/
├── certmanager/           # cert-manager Issuer + Certificate for webhook TLS
│   ├── certificate.yaml
│   ├── kustomizeconfig.yaml
│   └── kustomization.yaml
├── crd/                   # CRD manifests generated by controller-gen
│   ├── bases/
│   │   └── memcached.c5c3.io_memcacheds.yaml
│   ├── thirdparty/        # Third-party CRDs for envtest only (not deployed)
│   └── kustomization.yaml
├── default/               # Aggregation overlay — full deployment
│   ├── kustomization.yaml
│   ├── manager_metrics_patch.yaml
│   ├── manager_webhook_patch.yaml
│   └── webhookcainjection_patch.yaml
├── manager/               # Controller manager Deployment + Namespace
│   ├── manager.yaml
│   └── kustomization.yaml
├── namespace-scoped/      # Overlay to convert ClusterRole/Binding to Role/Binding
│   ├── kustomization.yaml
│   └── role_patch.yaml
├── network-policy/        # NetworkPolicy for metrics ingress
│   ├── allow-metrics-traffic.yaml
│   └── kustomization.yaml
├── prometheus/            # ServiceMonitor for operator metrics
│   ├── monitor.yaml
│   └── kustomization.yaml
├── rbac/                  # ServiceAccount, Roles, RoleBindings
│   ├── kustomization.yaml
│   ├── role.yaml
│   ├── role_binding.yaml
│   ├── leader_election_role.yaml
│   ├── leader_election_role_binding.yaml
│   ├── metrics_auth_role.yaml
│   ├── metrics_auth_role_binding.yaml
│   ├── metrics_reader_role.yaml
│   └── service_account.yaml
├── samples/               # Example Memcached CR
│   ├── memcached_v1alpha1_memcached.yaml
│   └── kustomization.yaml
└── webhook/               # Admission webhook configurations + Service
    ├── manifests.yaml
    ├── service.yaml
    └── kustomization.yaml
```
Component Bases
config/crd/
Contains the generated CRD manifest for the Memcached custom resource.
| File | Description |
|---|---|
| bases/memcached.c5c3.io_memcacheds.yaml | CRD generated by controller-gen from api/v1alpha1/memcached_types.go |
| thirdparty/ | Third-party CRDs (e.g. ServiceMonitor) used by envtest only — not included in kustomization.yaml |
Build independently: kustomize build config/crd — produces only the CRD, useful for local development without deploying the operator.
config/rbac/
RBAC manifests generated from +kubebuilder:rbac markers on the reconciler.
| File | Kind | Description |
|---|---|---|
| service_account.yaml | ServiceAccount | Identity for the controller manager pod |
| role.yaml | ClusterRole (manager-role) | Permissions for memcacheds, deployments, services, PDBs, ServiceMonitors, NetworkPolicies |
| role_binding.yaml | ClusterRoleBinding | Binds manager-role to the ServiceAccount |
| leader_election_role.yaml | Role | Leader election lease permissions |
| leader_election_role_binding.yaml | RoleBinding | Binds leader election role |
| metrics_auth_role.yaml | ClusterRole | Authentication delegator for metrics endpoint |
| metrics_auth_role_binding.yaml | ClusterRoleBinding | Binds metrics auth role |
| metrics_reader_role.yaml | ClusterRole | Read-only access to /metrics |
config/namespace-scoped/
Overlay that converts the operator's cluster-scoped RBAC resources to namespace-scoped equivalents. Use this when deploying with --watch-namespaces to match RBAC scope to cache scope.
| File | Kind | Description |
|---|---|---|
| kustomization.yaml | (overlay) | References ../rbac, patches ClusterRole and ClusterRoleBinding |
| role_patch.yaml | (patch) | JSON patch converting ClusterRole to Role |
The overlay converts ClusterRole/manager-role to a Role and ClusterRoleBinding/manager-rolebinding to a RoleBinding (with roleRef.kind: Role). Leader-election and metrics RBAC resources are not modified.
Build independently: kustomize build config/namespace-scoped — produces namespace-scoped RBAC resources.
config/manager/
Controller manager Deployment and its Namespace.
| File | Kinds | Description |
|---|---|---|
| manager.yaml | Namespace, Deployment | Defines the system Namespace and controller-manager Deployment |
The Deployment uses image: controller:latest as a placeholder. Use kustomize edit set image controller=<real-image> to substitute the actual image before building.
Key Deployment properties:
- Security context: runAsNonRoot: true, seccompProfile: RuntimeDefault, container drops ALL capabilities
- Health probes: liveness and readiness on port 8081 (/healthz, /readyz)
- Resource limits: 500m CPU / 128Mi memory (requests: 10m / 64Mi)
- Labels: app.kubernetes.io/name: memcached-operator, app.kubernetes.io/managed-by: kustomize
config/webhook/
Admission webhook configurations and the webhook Service.
| File | Kinds | Description |
|---|---|---|
| manifests.yaml | MutatingWebhookConfiguration, ValidatingWebhookConfiguration | Generated webhook registrations |
| service.yaml | Service | Routes port 443 to the manager's webhook port 9443 |
Webhook paths:
- Mutating: /mutate-memcached-c5c3-io-v1beta1-memcached
- Validating: /validate-memcached-c5c3-io-v1beta1-memcached
Both webhooks intercept CREATE and UPDATE operations on memcacheds resources with failurePolicy: Fail.
config/certmanager/
cert-manager resources for automatic webhook TLS certificate provisioning.
| File | Kinds | Description |
|---|---|---|
| certificate.yaml | Issuer, Certificate | Self-signed issuer and serving certificate |
| kustomizeconfig.yaml | (config) | Teaches kustomize how to update cert-manager name references and var substitutions |
The Certificate creates a TLS secret named webhook-server-cert with DNS names matching the webhook Service (<service>.<namespace>.svc and <service>.<namespace>.svc.cluster.local).
config/samples/
Example Memcached custom resource for testing and development.
Build independently: kustomize build config/samples — produces a sample CR with realistic field values including replicas, memcached configuration, highAvailability, monitoring, and security settings.
config/prometheus/
Prometheus monitoring integration.
| File | Kind | Description |
|---|---|---|
| monitor.yaml | ServiceMonitor | Scrapes operator metrics from the /metrics endpoint over HTTPS on port https |
config/network-policy/
Network traffic restriction for the operator namespace.
| File | Kind | Description |
|---|---|---|
| allow-metrics-traffic.yaml | NetworkPolicy | Allows TCP ingress on port 8443 (metrics) to controller-manager pods |
The config/default/ Aggregation Overlay
The config/default/ overlay combines all bases into a single deployable unit. Running kustomize build config/default produces the complete set of resources needed to install the operator.
Resources
The overlay references these bases in order:
- ../crd — CRD
- ../rbac — ServiceAccount, Roles, RoleBindings
- ../manager — Namespace, Deployment
- ../webhook — Webhook configurations, Service
- ../certmanager — Issuer, Certificate
Namespace and Name Prefix
All resources are placed in the memcached-operator-system namespace and receive the memcached-operator- name prefix:
```yaml
namespace: memcached-operator-system
namePrefix: memcached-operator-
```
Patches
Three strategic merge patches customize the Deployment for production:
| Patch | Target | Effect |
|---|---|---|
| manager_metrics_patch.yaml | Deployment controller-manager | Adds --metrics-bind-address=:8443 and --metrics-secure args |
| manager_webhook_patch.yaml | Deployment controller-manager | Adds webhook port 9443, volume mount for TLS certs at /tmp/k8s-webhook-server/serving-certs from secret webhook-server-cert |
| webhookcainjection_patch.yaml | MutatingWebhookConfiguration, ValidatingWebhookConfiguration | Adds cert-manager.io/inject-ca-from annotation for automatic CA injection |
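As an added check that is not part of the operator repository, the following Python audits a rendered manifest set for the Deployment hardening described under config/manager, the --metrics-secure argument added by manager_metrics_patch.yaml, the failurePolicy: Fail registration from config/webhook, and, for a config/namespace-scoped render, that the manager ClusterRole and ClusterRoleBinding were actually converted. It assumes the rendered documents have already been decoded by a YAML parser; SAMPLE_DOCS and the webhook names in it are constructed, not a real render.

```python
"""Audit a rendered manifest set against the hardening described on this page.
Added example, not part of the operator repo: `docs` is the list of decoded YAML
documents from `kustomize build config/default`; SAMPLE_DOCS below is constructed."""


def _deployment_findings(deploy: dict) -> list[str]:
    pod = deploy.get("spec", {}).get("template", {}).get("spec", {})
    psc, out = pod.get("securityContext", {}), []
    if psc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        out.append("seccompProfile is not RuntimeDefault")
    for c in pod.get("containers", []):
        csc = c.get("securityContext", {})
        if not (psc.get("runAsNonRoot") or csc.get("runAsNonRoot")):
            out.append(f"container {c['name']} may run as root")
        if "ALL" not in csc.get("capabilities", {}).get("drop", []):
            out.append(f"container {c['name']} does not drop ALL capabilities")
        if "--metrics-secure" not in c.get("args", []):
            out.append(f"container {c['name']} serves metrics without --metrics-secure")
    return out


def audit(docs: list[dict], namespace_scoped: bool = False) -> list[str]:
    """One finding per violated expectation; an empty list means the render is clean."""
    findings = []
    for d in docs:
        kind, name = d.get("kind"), d.get("metadata", {}).get("name", "?")
        tag = f"{kind}/{name}: "
        if kind == "Deployment":
            findings += [tag + f for f in _deployment_findings(d)]
        elif kind in ("MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"):
            # Ignore would let a CR skip validation whenever the webhook endpoint is down.
            for h in d.get("webhooks", []):
                if h.get("failurePolicy") != "Fail":
                    findings.append(tag + f"webhook {h.get('name')} failurePolicy is not Fail")
        elif namespace_scoped and kind in ("ClusterRole", "ClusterRoleBinding") \
                and name.endswith(("manager-role", "manager-rolebinding")):
            # Metrics RBAC stays cluster-scoped; only the manager role/binding is converted.
            findings.append(tag + "cluster-scoped manager RBAC survived the overlay")
    return findings


# Constructed sample: compliant Deployment, leftover ClusterRole, webhook weakened to Ignore.
SAMPLE_DOCS = [
    {"kind": "Deployment", "metadata": {"name": "memcached-operator-controller-manager"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
         "containers": [{"name": "manager", "args": ["--metrics-bind-address=:8443", "--metrics-secure"],
                         "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}}},
    {"kind": "ClusterRole", "metadata": {"name": "memcached-operator-manager-role"}, "rules": []},
    {"kind": "ValidatingWebhookConfiguration", "metadata": {"name": "constructed-validating-webhook"},
     "webhooks": [{"name": "constructed.validating.hook", "failurePolicy": "Ignore"}]},
]
```

Against a real render, save the block as audit.py and decode the kustomize output with PyYAML (`yaml.safe_load_all`) before passing it to `audit()`.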
Kustomize Vars
Four vars enable cert-manager integration by substituting runtime values into the Certificate DNS names and webhook CA injection annotation:
| Var | Source | Used In |
|---|---|---|
| CERTIFICATE_NAMESPACE | Certificate serving-cert → metadata.namespace | webhookcainjection_patch.yaml |
| CERTIFICATE_NAME | Certificate serving-cert → metadata.name | webhookcainjection_patch.yaml |
| SERVICE_NAMESPACE | Service webhook-service → metadata.namespace | Certificate spec.dnsNames |
| SERVICE_NAME | Service webhook-service → metadata.name | Certificate spec.dnsNames |
Makefile Targets
The Makefile provides convenience targets that invoke kustomize:
| Target | Command | Description |
|---|---|---|
| install | kustomize build config/crd \| kubectl apply -f - | Install CRDs only |
| uninstall | kustomize build config/crd \| kubectl delete --ignore-not-found -f - | Remove CRDs (idempotent) |
| deploy | kustomize build config/default \| kubectl apply -f - | Deploy full operator stack |
| undeploy | kustomize build config/default \| kubectl delete --ignore-not-found -f - | Remove operator stack (idempotent) |
| build-installer | kustomize build config/default > dist/install.yaml | Generate single-file install manifest |
Both deploy and build-installer run kustomize edit set image controller=${IMG} in config/manager/ before building, substituting the actual container image.
Common Workflows
Deploy operator with webhooks and cert-manager
```shell
# Set the image and deploy all resources
make deploy IMG=ghcr.io/c5c3/memcached-operator:v0.2.0
```
Install only the CRD (local development)
```shell
make install
# or directly:
kustomize build config/crd | kubectl apply -f -
```
Generate a single install.yaml
```shell
make build-installer IMG=ghcr.io/c5c3/memcached-operator:v0.2.0
# Output: dist/install.yaml
kubectl apply -f dist/install.yaml
```
Apply the sample CR
```shell
kustomize build config/samples | kubectl apply -f -
```