Merge remote-tracking branch 'upstream/main' into split-deployment

cryostatio · Jan 14, 2025 · 91379a4 · 91379a4
2 parents 0f95870 + c891bbe
commit 91379a4
Show file tree

Hide file tree

Showing 38 changed files with 4,322 additions and 488 deletions.
diff --git a/.github/workflows/build-ci.yml b/.github/workflows/build-ci.yml
@@ -29,12 +29,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+    - name: Add CRIU PPA
+      run: sudo add-apt-repository ppa:criu/ppa && sudo apt update
     - name: Install podman v4
       run: |
         echo "deb $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list
         curl -fsSL $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
-        sudo apt update
-        sudo apt install podman
+        sudo apt -y update
+        sudo apt -y satisfy "podman (>= 4.0)"
     - name: Build operator image
       run: |
         IMAGE_NAMESPACE=${{ env.CI_REGISTRY }} SKIP_TESTS=true PLATFORMS=${{ env.CI_PLATFORMS }} MANIFEST_PUSH=false make oci-buildx
@@ -116,12 +118,14 @@ jobs:
         fi
         echo "${CI_SCORECARD_IMG}:${{ steps.get-image-tag.outputs.tag }} exists: $EXIST"
         echo "exist=$EXIST" >> $GITHUB_OUTPUT
+    - name: Add CRIU PPA
+      run: sudo add-apt-repository ppa:criu/ppa && sudo apt update
     - name: Install podman v4
       run: |
         echo "deb $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list
         curl -fsSL $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
-        sudo apt update
-        sudo apt install podman
+        sudo apt -y update
+        sudo apt -y satisfy "podman (>= 4.0)"
     - name: Build scorecard image
       run: |
         CUSTOM_SCORECARD_IMG=${CI_SCORECARD_IMG}:${{ steps.get-image-tag.outputs.tag }} \

diff --git a/.github/workflows/test-ci-reusable.yml b/.github/workflows/test-ci-reusable.yml
@@ -67,12 +67,14 @@ jobs:
       with:
         repository: ${{ inputs.repository }}
         ref: ${{ inputs.ref }}
+    - name: Add CRIU PPA
+      run: sudo add-apt-repository ppa:criu/ppa && sudo apt update
     - name: Install podman v4
       run: |
         echo "deb $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list
         curl -fsSL $OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg
         sudo apt -y update
-        sudo apt -y install podman
+        sudo apt -y satisfy "podman (>= 4.0)"
     - name: Build scorecard image for test
       run: |
         CUSTOM_SCORECARD_IMG=ghcr.io/${{ github.repository_owner }}/cryostat-operator-scorecard:${{ inputs.tag }} \

diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,8 @@
 # Build the manager binary
-FROM docker.io/library/golang:1.22 as builder
+FROM registry.access.redhat.com/ubi9/go-toolset:1.22.9 as builder
 ARG TARGETOS
 ARG TARGETARCH
 
-WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
@@ -24,9 +23,9 @@ COPY internal/webhooks/ internal/webhooks/
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o manager internal/main.go
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 WORKDIR /
-COPY --from=builder /workspace/manager .
+COPY --from=builder /opt/app-root/src/manager .
 USER 65532:65532
 
 ENTRYPOINT ["/manager"]
diff --git a/Makefile b/Makefile
@@ -96,9 +96,13 @@ export STORAGE_IMG ?= $(STORAGE_NAMESPACE)/$(STORAGE_NAME):$(STORAGE_VERSION)
 AGENT_PROXY_NAMESPACE ?= registry.access.redhat.com/ubi8
 AGENT_PROXY_NAME ?= nginx-124
 AGENT_PROXY_VERSION ?= latest
-export AGENT_PROXY_IMG = $(AGENT_PROXY_NAMESPACE)/$(AGENT_PROXY_NAME):$(AGENT_PROXY_VERSION)
+export AGENT_PROXY_IMG ?= $(AGENT_PROXY_NAMESPACE)/$(AGENT_PROXY_NAME):$(AGENT_PROXY_VERSION)
+AGENT_INIT_NAMESPACE ?= $(DEFAULT_NAMESPACE)
+AGENT_INIT_NAME ?= cryostat-agent-init
+AGENT_INIT_VERSION ?= latest
+export AGENT_INIT_IMG ?= $(AGENT_INIT_NAMESPACE)/$(AGENT_INIT_NAME):$(AGENT_INIT_VERSION)
 
-CERT_MANAGER_VERSION ?= 1.11.5
+CERT_MANAGER_VERSION ?= 1.12.14
 CERT_MANAGER_MANIFEST ?= \
 	https://github.com/cert-manager/cert-manager/releases/download/v$(CERT_MANAGER_VERSION)/cert-manager.yaml
 
@@ -396,25 +400,13 @@ ifneq ($(origin SAMPLE_APP_NAMESPACE), undefined)
 SAMPLE_APP_FLAGS += -n $(SAMPLE_APP_NAMESPACE)
 endif
 
-.PHONY: sample_app
-sample_app: undeploy_sample_app ## Deploy sample app.
-	$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app.yaml
-
 .PHONY: undeploy_sample_app
 undeploy_sample_app: ## Undeploy sample app.
 	- $(CLUSTER_CLIENT) delete $(SAMPLE_APP_FLAGS) --ignore-not-found=$(ignore-not-found) -f config/samples/sample-app.yaml
 
-.PHONY: sample_app_agent
-sample_app_agent: undeploy_sample_app_agent ## Deploy sample app with Cryostat Agent.
-	@if [ -z "${AUTH_TOKEN}" ]; then \
-		if [ "${CLUSTER_CLIENT}" = "oc" ]; then\
-			AUTH_TOKEN=`oc whoami -t`; \
-		else \
-			echo "'AUTH_TOKEN' must be specified."; \
-			exit 1; \
-		fi; \
-	fi; \
-	$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app-agent.yaml; \
+.PHONY: sample_app
+sample_app: undeploy_sample_app ## Deploy sample app.
+	$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app.yaml
 
 .PHONY: undeploy_sample_app_agent_proxy
 undeploy_sample_app_agent_proxy: ## Undeploy sample app with Cryostat Agent configured for TLS client auth on nginx proxy.
@@ -437,6 +429,19 @@ sample_app_agent_proxy: undeploy_sample_app_agent_proxy ## Deploy sample app wit
 undeploy_sample_app_agent: ## Undeploy sample app with Cryostat Agent.
 	- $(CLUSTER_CLIENT) delete $(SAMPLE_APP_FLAGS) --ignore-not-found=$(ignore-not-found) -f config/samples/sample-app-agent.yaml
 
+.PHONY: sample_app_agent
+sample_app_agent: undeploy_sample_app_agent ## Deploy sample app with Cryostat Agent.
+	$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app-agent.yaml
+
+.PHONY: undeploy_sample_app_agent_injected
+undeploy_sample_app_agent_injected: ## Undeploy sample app with Cryostat Agent deployed by Operator injection.
+	- $(CLUSTER_CLIENT) delete $(SAMPLE_APP_FLAGS) --ignore-not-found=$(ignore-not-found) -f config/samples/sample-app-agent-injected.yaml
+
+.PHONY: sample_app_agent_injected
+sample_app_agent_injected: undeploy_sample_app_agent_injected ## Deploy sample app with Cryostat Agent deployed by Operator injection.
+	$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app-agent-injected.yaml
+	$(CLUSTER_CLIENT) patch --type=merge -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"cryostat.io/namespace\":\"${DEPLOY_NAMESPACE}\"}}}}}" deployment/quarkus-cryostat-agent
+
 .PHONY: cert_manager
 cert_manager: remove_cert_manager ## Install cert manager.
 	$(CLUSTER_CLIENT) create --validate=false -f $(CERT_MANAGER_MANIFEST)

diff --git a/README.md b/README.md
@@ -172,7 +172,7 @@ eyJhbGciOiJSUzI1NiIsImtpZCI6IkhYZC13eDdGVGwyQzdGNVpZVndScEZ2VmRxWTlzbnBUUG9HRkJp
 ## BUILDING
 
 ### Requirements
-- `go` v1.21+
+- `go` v1.22+
 - [`operator-sdk`](https://github.com/operator-framework/operator-sdk) v1.31.0
 - `podman` or `docker`
 - [`jq`](https://stedolan.github.io/jq/) v1.6+

diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -1220,6 +1220,25 @@ spec:
       targetPort: 9443
       type: MutatingAdmissionWebhook
       webhookPath: /mutate-operator-cryostat-io-v1beta2-cryostat
+    - admissionReviewVersions:
+        - v1
+      containerPort: 443
+      deploymentName: cryostat-operator-controller
+      failurePolicy: Ignore
+      generateName: mpod.cryostat.io
+      rules:
+        - apiGroups:
+            - ""
+          apiVersions:
+            - v1
+          operations:
+            - CREATE
+          resources:
+            - pods
+      sideEffects: None
+      targetPort: 9443
+      type: MutatingAdmissionWebhook
+      webhookPath: /mutate--v1-pod
     - admissionReviewVersions:
         - v1
       containerPort: 443