operator [CI] ecr-secret-operator (0.4.1)

Author: datianshi

operators/ecr-secret-operator/0.4.1/ecr-secret-operator-controller-manager-metrics-service_v1_service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    control-plane: controller-manager
+  name: ecr-secret-operator-controller-manager-metrics-service
+spec:
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
+  selector:
+    control-plane: controller-manager
+status:
+  loadBalancer: {}

operators/ecr-secret-operator/0.4.1/ecr-secret-operator-manager-config_v1_configmap.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+data:
+  controller_manager_config.yaml: |
+    apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+    kind: ControllerManagerConfig
+    health:
+      healthProbeBindAddress: :8081
+    metrics:
+      bindAddress: 127.0.0.1:8080
+    webhook:
+      port: 9443
+    leaderElection:
+      leaderElect: true
+      resourceName: bc9c1120.mobb.redhat.com
+kind: ConfigMap
+metadata:
+  name: ecr-secret-operator-manager-config

operators/ecr-secret-operator/0.4.1/ecr-secret-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: ecr-secret-operator-metrics-reader
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get

operators/ecr-secret-operator/0.4.1/ecr-secret-operator.clusterserviceversion.yaml

@@ -0,0 +1,339 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+  annotations:
+    alm-examples: |-
+      [
+        {
+          "apiVersion": "ecr.mobb.redhat.com/v1alpha1",
+          "kind": "Secret",
+          "metadata": {
+            "name": "ecr-secret-sample",
+            "namespace": "test-ecr-secret-operator"
+          },
+          "spec": {
+            "ecr_registry": "ACCOUNT_ID.dkr.ecr.us-east-2.amazonaws.com",
+            "frequency": "10h",
+            "generated_secret_name": "ecr-docker-secret",
+            "region": "us-east-2"
+          }
+        },
+        {
+          "apiVersion": "ecr.mobb.redhat.com/v1alpha1",
+          "kind": "ArgoHelmRepoSecret",
+          "metadata": {
+            "labels": {
+              "app.kubernetes.io/created-by": "ecr-secret-operator",
+              "app.kubernetes.io/instance": "argohelmreposecret-sample",
+              "app.kubernetes.io/managed-by": "kustomize",
+              "app.kubernetes.io/name": "argohelmreposecret",
+              "app.kubernetes.io/part-of": "ecr-secret-operator"
+            },
+            "name": "argohelmreposecret-sample"
+          },
+          "spec": null
+        }
+      ]
+    capabilities: Basic Install
+    categories: Integration & Delivery
+    containerImage: quay.io/mobb/ecr-secret-operator:v0.4.1
+    createdAt: "2023-04-14T14:52:13Z"
+    operatorframework.io/suggested-namespace: ecr-secret-operator
+    operators.operatorframework.io/builder: operator-sdk-v1.28.0
+    operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
+    repository: https://github.com/rh-mobb/ecr-secret-operator
+    support: Managed Openshift Black Belt
+  name: ecr-secret-operator.v0.4.1
+  namespace: placeholder
+spec:
+  apiservicedefinitions: {}
+  customresourcedefinitions:
+    owned:
+    - description: ArgoHelmRepoSecret is the Schema for the argohelmreposecrets API
+      displayName: Argo Helm Repo Secret
+      kind: ArgoHelmRepoSecret
+      name: argohelmreposecrets.ecr.mobb.redhat.com
+      version: v1alpha1
+    - description: Secret is the Schema for the secrets API
+      displayName: Secret
+      kind: Secret
+      name: secrets.ecr.mobb.redhat.com
+      version: v1alpha1
+  description: "# ECR Secret Operator\n\nAmazon Elastic Container Registry [Private
+    Registry Authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)
+    provides a temporary token that is valid only for 12 hours. It is a challenge
+    for automatic container image build process to refresh the token or secret in
+    a timely manner.\n\nThis operators frequently talks with AWS ECR GetAuthroization
+    Token and create/update the secret, so that the service account can perform docker
+    image build.\n\n\n## How to use this operator\n\n### Prerequisites\n\n* [Create
+    an ECR private repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html)\n*
+    Create An Openshift Cluster\n* Provide AWS Authentication to the operator. Two
+    Options:\n  **Note: You have to provide a secret aws-ecr-cloud-credentials in
+    the installed namespace**\n  * [IAM User](https://github.com/rh-mobb/ecr-secret-operator/tree/main/docs/iam_user.md)\n
+    \ * [STS Assume Role](https://github.com/rh-mobb/ecr-secret-operator/tree/main/docs/iam_assume_role.md)\n\n###
+    Install the operator\n\n### Create the ECR Secret CRD\n\n```\napiVersion: ecr.mobb.redhat.com/v1alpha1\nkind:
+    Secret\nmetadata:\n  name: ecr-secret\n  namespace: test-ecr-secret-operator\nspec:\n
+    \ generated_secret_name: ecr-docker-secret\n  ecr_registry: [ACCOUNT_ID].dkr.ecr.us-east-2.amazonaws.com\n
+    \ frequency: 10h\n  region: us-east-2\n```\n\n```\noc create -f CRD_FILE\n```\n\nA
+    docker registry secret is created by the operator momentally and the token is
+    patched every 10 hours\n\n```\noc get secret ecr-docker-secret   \nNAME                TYPE
+    \                            DATA   AGE\necr-docker-secret   kubernetes.io/dockerconfigjson
+    \  1      16h\n```\n\n### A sample build process with generated secret\n\n\nLink
+    the secret to builder\n\n```\noc secrets link builder ecr-docker-secret \n```\n\nConfigure
+    [build config](https://github.com/rh-mobb/ecr-secret-operator/tree/main/samples/build-config.yaml)
+    to point to your ECR Container repository\n\n```\noc create imagestream ruby\noc
+    tag openshift/ruby:2.5-ubi8 ruby:2.5\noc create -f samples/build-config.yaml\noc
+    start-build ruby-sample-build --wait\n```\n\nBuild should succeed and push the
+    image to the the private ECR Container repository\n\n"
+  displayName: ECR Secret Operator
+  icon:
+  - base64data: /9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBwgHBgkIBwgKCgkLDRYPDQwMDRsUFRAWIB0iIiAdHx8kKDQsJCYxJx8fLT0tMTU3Ojo6Iys/RD84QzQ5OjcBCgoKDQwNGg8PGjclHyU3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3N//AABEIAH8AfwMBIgACEQEDEQH/xAAcAAEAAgIDAQAAAAAAAAAAAAAABwgFBgEDBAL/xABEEAABAwIDBQQGBAsJAQAAAAABAAIDBBEFBiEHEjFBYRMiUaEUMkJxgZGCscHCFRYjMzRSYnKy0fAXJCVjhJKiw+EI/8QAFAEBAAAAAAAAAAAAAAAAAAAAAP/EABQRAQAAAAAAAAAAAAAAAAAAAAD/2gAMAwEAAhEDEQA/AJxREQEREBERAREQEREBERAREQEREBERAREQEREBERAREQEREBERAREQeSXE6GGtjoZqynjq5G77IHyAPe29rgcSvWoG2+Qg5qoXPaHNfQANDuj3X+sLTMOzPmDDAG0GM18LRwZ2xe0fRdceSC1iKt9PtUzhTtAdiUM1uc1Owny3VkafbNmdlu1psLlA4/3d7SfiJCPJBP6KD2bb8Vb+cwOjd1E0jfulehu3Ke1n5ciJ6YgW/wDUgmhFXar2u5prJ5XU89NRxb53IooQ/cby7zr73U6a8gulu1bOMbHbtfBIf8ymZp8gEFj0VZDtLzfIe1/D8zQdbCGGw/4LN4Htox6j3hi1LS4hFwbd/o8oPUgEH3WQWARQq/brNbuZdhB64g4/VEvPJtxxQ/m8Eo2++WR/3QgnJFX2fbPmp9+yp8NiHK1K8kf7pLLG1O1PONSLDE2wdYYIm/WHILKLy0uJUVZNPDSVcE8tOQ2ZkUgcYyeAdbgqs4hmTHsUYWYjjFdUMd6zHTO3T9EWFvgpP/8AnuLcjxx7Rus3oWgAWFwHn7UGzbS8gy5wNHU0VZHTVlKx7AJmFzJGusbEjUWI42PHgopxDZdm+ivu4ZFVNHtUk7XeTi0+SsiiCqNVlrMFF+kYJicf+me76gVipWPidadj2OHESMsR87K4Vlrmds24ZlXDu2rrTVEgPo9ICN6U/Y0czy6mwQVba9h9UsP7rb/DQprIO9o0m26NR/79SyuYcbrMw4m/EK7c3nd2OOJu61jb8Gjw8TxPyWNtbU+4W59B0QcOO7Z/6ujtb6Hjqvs3BsbXHD7P5Lc9n2zypze91VWPkpcJYCztWDvSu4bsd9NObvgOdstiuxfH6dxOF11FXRWsO1LoZOmliD8wgjC1pAL9094Dxd/XLxC553Bs7xvxHgf60W5f2WZzdMIvwOxoDvzjqqIs8nb3jy5rU54JqaolgqIpIp4nlj43izmuHEHqPMIOouGtwRY2ILiV8mVgdbejv4G1/MrMZbxj8B4tDX+iU1XGzuywTxhzXsPIEg26Hl7lZfLlRgmNYVBiOEQUxp5RpuxNaWHm0gcCOYQVWggnndamp5JHeEUW8fK6y1JlXMtZ+j4HiTwfGBzP4gFawAAWAsOi5QVyw7ZPm+tLe2pKeiaeLqqoFx8G7ymDZ3k78TsLnpn1Iqqipl7WWRrNxos0AAC54W49VtqICIsfjuL0eBYVUYliMvZ08Dd5x5uPJo8STYAdUGLzzm6jyjhJqZx2tVLdlLTA2Mr7eTRxJ+0gKtmNYtXY9iUuI4nMZ6iY68hYcGtHJg10+u+vqzTmCszPjM+J15I3u7HEDcQsvpGPtPM+WJ4ak6273QeAQcG2t9fvHwC3jZrkGbNlV6diAfFgsTt1zmktdUuHFjDyaPad8Bre3k2dZLnzdix7YPiwumI9Jlbpfn2bT+seZ5C3iFZCjpIKGlipaSFkNPCwMjjYLBrRwACDmlpoKWnip6WJkMETQyOONoa1rRwAA4BdyIgKKtsmRhiFLJmHCoT6bC0GrjYNZox7YH6zR8wLa2ClVcEXCCnYN9QdOPTX7CtpyBnGpyhinagPlw+cgVVONSf2h+2PMaeFvbtWyl+LWPmakithleXPhAHdjd7cf3h0uOS0q4HMkcb+I5FBb2hrKevo4aujmZNTzMD45GG4c08Cu9QTsZzicLrxl/EZQKKqefRnOOkUxPq/uv8A4vep2ugIiIBNlXva3nA5ixg4bQSf4bQSFocOE0wuHP6gageOp8FYKRjZGFjhdrhYjoq8bRsgS5Tl9LoA+XBpHbrHnV1MTwY48xyDvgdbEhotuFhw9UeJ8VkcvYNVZhximwygF5pneuRcRtHrSO6AedhzC8BGuugt8gp62L5XGE4CcYqo7VmJAOYCNY4PYHx9Y+8Dkg3XL2CUeX8Ip8Mw+Pdghba54vdzc48yTqVkkRAREQEREGDznl2DNGXqrDJiGSPbvQSkX7KUatd8+PS6q3NBNS1MtNVRGGohkcySN3FjwbOargKDNuuXPQ8VpsfpWWirbQ1Fho2Zo7rvpNBH0Qgi8aAEEgjhY2Nv5hWN2V5u/GbA+xrJAcTog2Oo8ZR7MnxHHqD0Vc+rR1C2TZ5W4lh+cMPlwankqZ3u7OSBntwuI37+AGhueYCCzyIOCIC6aumgrKaWmqoWTQTNLJI5BdrmniCF3IggrE9lFZBnGipKNj5sAqZw90xNzBGO86N/vA3Qed9dQpzja1jA1gAaNABwAX0iAiIgIiICIiAsHnbA25iyviGG2HayREwk+zK3Vh+YCziIKv5NyhiubqgNoI/R6Vp/L1crTuR+IA9p3QfGysFlPKeFZWofR8Nh/KvA7apeAZJj4uPh4DgFm4omQs3ImNY0ahrRYL7QEREBERAREQEREBERAREQEREBERAREQf/2Q==
+    mediatype: image/jpeg
+  install:
+    spec:
+      clusterPermissions:
+      - rules:
+        - apiGroups:
+          - ""
+          resources:
+          - secrets
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - ecr.mobb.redhat.com
+          resources:
+          - argohelmreposecrets
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - ecr.mobb.redhat.com
+          resources:
+          - argohelmreposecrets/finalizers
+          verbs:
+          - update
+        - apiGroups:
+          - ecr.mobb.redhat.com
+          resources:
+          - argohelmreposecrets/status
+          verbs:
+          - get
+          - patch
+          - update
+        - apiGroups:
+          - ecr.mobb.redhat.com
+          resources:
+          - secrets
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - ecr.mobb.redhat.com
+          resources:
+          - secrets/finalizers
+          verbs:
+          - update
+        - apiGroups:
+          - ecr.mobb.redhat.com
+          resources:
+          - secrets/status
+          verbs:
+          - get
+          - patch
+          - update
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+        - apiGroups:
+          - authorization.k8s.io
+          resources:
+          - subjectaccessreviews
+          verbs:
+          - create
+        serviceAccountName: ecr-secret-operator-controller-manager
+      deployments:
+      - label:
+          control-plane: controller-manager
+        name: ecr-secret-operator-controller-manager
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              control-plane: controller-manager
+          strategy: {}
+          template:
+            metadata:
+              annotations:
+                kubectl.kubernetes.io/default-container: manager
+              labels:
+                control-plane: controller-manager
+            spec:
+              containers:
+              - args:
+                - --secure-listen-address=0.0.0.0:8443
+                - --upstream=http://127.0.0.1:8080/
+                - --logtostderr=true
+                - --v=0
+                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+                name: kube-rbac-proxy
+                ports:
+                - containerPort: 8443
+                  name: https
+                  protocol: TCP
+                resources:
+                  limits:
+                    cpu: 500m
+                    memory: 128Mi
+                  requests:
+                    cpu: 5m
+                    memory: 64Mi
+              - args:
+                - --health-probe-bind-address=:8081
+                - --metrics-bind-address=127.0.0.1:8080
+                - --leader-elect
+                command:
+                - /manager
+                env:
+                - name: AWS_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      key: aws_access_key_id
+                      name: aws-ecr-cloud-credentials
+                      optional: true
+                - name: AWS_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      key: aws_secret_access_key
+                      name: aws-ecr-cloud-credentials
+                      optional: true
+                - name: AWS_SDK_LOAD_CONFIG
+                  value: "1"
+                - name: AWS_CONFIG_FILE
+                  value: /var/run/secrets/aws/credentials
+                - name: WATCH_NAMESPACE
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.annotations['olm.targetNamespaces']
+                image: quay.io/mobb/ecr-secret-operator:v0.4.1
+                livenessProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 8081
+                  initialDelaySeconds: 15
+                  periodSeconds: 20
+                name: manager
+                readinessProbe:
+                  httpGet:
+                    path: /readyz
+                    port: 8081
+                  initialDelaySeconds: 5
+                  periodSeconds: 10
+                resources:
+                  limits:
+                    cpu: 500m
+                    memory: 1000Mi
+                  requests:
+                    cpu: 10m
+                    memory: 64Mi
+                securityContext:
+                  allowPrivilegeEscalation: false
+                volumeMounts:
+                - mountPath: /var/run/secrets/aws
+                  name: aws-credentials
+                  readOnly: true
+                - mountPath: /var/run/secrets/openshift/serviceaccount
+                  name: bound-sa-token
+                  readOnly: true
+              securityContext:
+                runAsNonRoot: true
+              serviceAccountName: ecr-secret-operator-controller-manager
+              terminationGracePeriodSeconds: 10
+              volumes:
+              - name: aws-credentials
+                secret:
+                  optional: true
+                  secretName: aws-ecr-cloud-credentials
+              - name: bound-sa-token
+                projected:
+                  sources:
+                  - serviceAccountToken:
+                      audience: openshift
+                      path: token
+      permissions:
+      - rules:
+        - apiGroups:
+          - ""
+          resources:
+          - configmaps
+          verbs:
+          - get
+          - list
+          - watch
+          - create
+          - update
+          - patch
+          - delete
+        - apiGroups:
+          - coordination.k8s.io
+          resources:
+          - leases
+          verbs:
+          - get
+          - list
+          - watch
+          - create
+          - update
+          - patch
+          - delete
+        - apiGroups:
+          - ""
+          resources:
+          - events
+          verbs:
+          - create
+          - patch
+        serviceAccountName: ecr-secret-operator-controller-manager
+    strategy: deployment
+  installModes:
+  - supported: true
+    type: OwnNamespace
+  - supported: true
+    type: SingleNamespace
+  - supported: true
+    type: MultiNamespace
+  - supported: true
+    type: AllNamespaces
+  keywords:
+  - ecr
+  - aws
+  - redhat
+  links:
+  - name: Ecr Secret Operator
+    url: https://github.com/rh-mobb/ecr-secret-operator
+  maintainers:
+  - email: [email protected]
+    name: Shaozhen Ding
+  maturity: alpha
+  provider:
+    name: Managed Openshift Black Belt
+  replaces: ecr-secret-operator.v0.4.0
+  version: 0.4.1

operators/ecr-secret-operator/0.4.1/ecr-secret-sample_ecr.mobb.redhat.com_v1alpha1_secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: ecr.mobb.redhat.com/v1alpha1
+kind: Secret
+metadata:
+  name: ecr-secret-sample
+spec:
+  ecr_registry: ACCOUNT_ID.dkr.ecr.us-east-2.amazonaws.com
+  frequency: 10h
+  generated_secret_name: ecr-docker-secret
+  region: us-east-2