refactor(deploy) consolidate kustomize sources (#1682)

* feat(codegen) remove Role from RBAC template

Remove Role generation from the RBAC template. This was intended to
generate a template role for use with --watch-namespace. However, the
Role doesn't differ from the ClusterRole at all beyond the API kind, and
isn't that useful. We either:

- Handle the conversion from ClusterRole to Role in Helm chart
  templates.
- Instruct users to edit the resource kind and add namespaces as needed
  when creating the Role.

The Role template always required some manual editing anyway (to set the
namespace) and requires that we pre-process the generated role.yaml to
remove it when we don't want to include it (in the single manifests), so
removing it simplifies our generator code without much impact to end
deliverables.

* chore(deploy) move base and variant manifests

Move the various manifests under deploy/manifests/base,
deploy/manifests/enterprise-k8s/ deploy/manifests/enterprise, and
deploy/manifests/postgres to config/base and config/variants.

* chore(deploy) remove unused configuration

Remove the v1 CRDs, RBAC, and kustomizations under deploy/manifests.

* refactor(deploy) remove RBAC preprocessing

Remove steps to pre-process RBAC resources and point kustomization
directly to original RBAC resources.

* chore(deploy) remove 2.x-specific patch

Add all content in the 2.x patch directly to
config/base/kong-ingress-dbless.yaml. Remove the 2.x patch and
associated kustomize patch configuration.

Regenerate manifests. Some content moved due to kustomize's patch
handling versus base handling, but there are no meaningful changes.

* refactor(deploy) simplify single manifest script

Remove staging directory for building single manifests.

Rework kustomizations to allow building single manifests directly from
the sources under config.

Disable auth proxy in RBAC kustomization.yaml. We aren't using it yet;
previously we had to copy only RBAC configuration we use into the
staging directory.

config/base/kong-ingress-dbless.yaml

@@ -0,0 +1,131 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ingress-kong
+  name: ingress-kong
+  namespace: kong
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ingress-kong
+  template:
+    metadata:
+      annotations:
+        traffic.sidecar.istio.io/includeInboundPorts: ""
+        kuma.io/gateway: enabled
+      labels:
+        app: ingress-kong
+    spec:
+      serviceAccountName: kong-serviceaccount
+      containers:
+      - name: proxy
+        image: kong:2.4
+        env:
+          # servers
+        - name: KONG_PROXY_LISTEN
+          value: 0.0.0.0:8000, 0.0.0.0:8443 ssl http2
+        - name: KONG_PORT_MAPS
+          value: "80:8000, 443:8443"
+        - name: KONG_ADMIN_LISTEN
+          value: 127.0.0.1:8444 ssl
+        - name: KONG_STATUS_LISTEN
+          value: 0.0.0.0:8100
+          # DB
+        - name: KONG_DATABASE
+          value: "off"
+          # runtime tweaks
+        - name: KONG_NGINX_WORKER_PROCESSES
+          value: "2"
+          # logging
+        - name: KONG_ADMIN_ACCESS_LOG
+          value: /dev/stdout
+        - name: KONG_ADMIN_ERROR_LOG
+          value: /dev/stderr
+        # - name: KONG_PROXY_ACCESS_LOG
+        # - value: /dev/stdout
+        - name: KONG_PROXY_ERROR_LOG
+          value: /dev/stderr
+        lifecycle:
+          preStop:
+            exec:
+              command: [ "/bin/sh", "-c", "kong quit" ]
+        ports:
+        - name: proxy
+          containerPort: 8000
+          protocol: TCP
+        - name: proxy-ssl
+          containerPort: 8443
+          protocol: TCP
+        - name: metrics
+          containerPort: 8100
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /status
+            port: 8100
+            scheme: HTTP
+          initialDelaySeconds: 5
+          timeoutSeconds: 1
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /status
+            port: 8100
+            scheme: HTTP
+          initialDelaySeconds: 5
+          timeoutSeconds: 1
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 3
+      - name: ingress-controller
+        env:
+        - name: CONTROLLER_KONG_ADMIN_URL
+          value: "https://127.0.0.1:8444"
+        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
+          value: "true"
+        - name: CONTROLLER_PUBLISH_SERVICE
+          value: "kong/kong-proxy"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        image: kong/kubernetes-ingress-controller:2.0.0-beta.1
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: webhook
+          containerPort: 8080
+          protocol: TCP
+        - name: cmetrics
+          containerPort: 10255
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 5
+          timeoutSeconds: 1
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 10254
+            scheme: HTTP
+          initialDelaySeconds: 5
+          timeoutSeconds: 1
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 3

config/base/kustomization.yaml

@@ -1,14 +1,9 @@
 resources:
 - namespace.yaml
-- crd
-- manager-role.yaml
-- manager-rolebinding.yaml
-- leader-election-role.yaml
-- leader-election-rolebinding.yaml
+- ../crd
+- ../rbac
 - service.yaml
 - serviceaccount.yaml
 - validation-service.yaml
 - kong-ingress-dbless.yaml
-patchesStrategicMerge:
-- kong-ingress-2x.yaml
 namespace: kong

config/base/namespace.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kong
+

config/base/service.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kong-proxy
+  namespace: kong
+  annotations:
+    # Cloud-provider specific annotations
+    # GKE
+    # GKE creates a L4 LB for any service of type LoadBalancer
+    # TODO figure out how to enable Proxy Protocol on an L4 LB for GKE
+    # AWS
+    # Use NLB over ELB
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    # Use L4 LB so that Kong can do TLS termination
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+    # Enable Proxy Protocol when Kong is listening for proxy-protocol
+    #service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
+spec:
+  type: LoadBalancer
+  ports:
+  - name: proxy
+    port: 80
+    targetPort: 8000
+    protocol: TCP
+  - name: proxy-ssl
+    port: 443
+    targetPort: 8443
+    protocol: TCP
+  selector:
+    app: ingress-kong
+

config/base/validation-service.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kong-validation-webhook
+  namespace: kong
+spec:
+  ports:
+  - name: webhook
+    port: 443
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: ingress-kong

config/rbac/kustomization.yaml

@@ -6,7 +6,7 @@ resources:
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+# - auth_proxy_service.yaml
+# - auth_proxy_role.yaml
+# - auth_proxy_role_binding.yaml
+# - auth_proxy_client_clusterrole.yaml