From 4f312db94e2c2e6bfe1cb6f00db188e0e2a05268 Mon Sep 17 00:00:00 2001
From: Michael Edgar
Date: Mon, 9 Dec 2024 12:23:59 -0500
Subject: [PATCH] fix: disable QOSDK RBAC generation, specify deployment/SA names

Signed-off-by: Michael Edgar
---
 .github/workflows/integration.yml | 4 +-
 .github/workflows/release.yml | 4 +-
 .github/workflows/snapshot.yml | 4 +-
 Makefile | 4 +-
 operator/bin/common.sh | 4 +-
 operator/bin/modify-bundle-metadata.sh | 29 +-
 operator/src/main/kubernetes/kubernetes.yml | 170 +++++++++++++++++-
 .../src/main/resources/application.properties | 4 +
 8 files changed, 192 insertions(+), 31 deletions(-)

diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 6c49497d1..946e12145 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -103,11 +103,11 @@ jobs:
 - name: Build Operator Bundle Image
 uses: docker/build-push-action@v6
 with:
- context: operator/target/bundle/console-operator/
+ context: operator/target/bundle/streamshub-console-operator/
 platforms: ${{ env.PLATFORMS }}
 provenance: false
 push: true
- file: operator/target/bundle/console-operator/bundle.Dockerfile
+ file: operator/target/bundle/streamshub-console-operator/bundle.Dockerfile
 tags: |
 localhost:5000/streamshub/console-operator-bundle:${{ env.PROJECT_VERSION }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aaad2ecac..cdfcfd88c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -99,11 +99,11 @@ jobs:
 - name: Build and Push Operator Bundle Image
 uses: docker/build-push-action@v6
 with:
- context: target/checkout/operator/target/bundle/console-operator/
+ context: target/checkout/operator/target/bundle/streamshub-console-operator/
 platforms: ${{ env.PLATFORMS }}
 provenance: false
 push: true
- file: target/checkout/operator/target/bundle/console-operator/bundle.Dockerfile
+ file: target/checkout/operator/target/bundle/streamshub-console-operator/bundle.Dockerfile
 tags: |
 ${{ secrets.IMAGE_REPO_HOSTNAME }}/${{ secrets.IMAGE_REPO_NAMESPACE }}/console-operator-bundle:${{steps.metadata.outputs.current-version}}
 ${{ secrets.IMAGE_REPO_HOSTNAME }}/${{ secrets.IMAGE_REPO_NAMESPACE }}/console-operator-bundle:latest
diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml
index fc204737b..f25bffbad 100644
--- a/.github/workflows/snapshot.yml
+++ b/.github/workflows/snapshot.yml
@@ -103,11 +103,11 @@ jobs:
 - name: Build and Push Operator Bundle Image
 uses: docker/build-push-action@v6
 with:
- context: operator/target/bundle/console-operator/
+ context: operator/target/bundle/streamshub-console-operator/
 platforms: ${{ env.PLATFORMS }}
 provenance: false
 push: true
- file: operator/target/bundle/console-operator/bundle.Dockerfile
+ file: operator/target/bundle/streamshub-console-operator/bundle.Dockerfile
 tags: |
 ${{ secrets.IMAGE_REPO_HOSTNAME }}/${{ secrets.IMAGE_REPO_NAMESPACE }}/console-operator-bundle:${{ env.NEXT_VERSION }}
 ${{ secrets.IMAGE_REPO_HOSTNAME }}/${{ secrets.IMAGE_REPO_NAMESPACE }}/console-operator-bundle:snapshot-${{github.ref_name}}
diff --git a/Makefile b/Makefile
index 413772f9f..23c5799d5 100644
--- a/Makefile
+++ b/Makefile
@@ -34,10 +34,10 @@ container-image-api-push: container-image-api
 skopeo copy --preserve-digests $(SKOPEO_TRANSPORT)$(CONSOLE_API_IMAGE) docker://$(CONSOLE_API_IMAGE)

 container-image-operator:
- mvn package -am -pl operator -Pcontainer-image -DskipTests -Dquarkus.container-image.image=$(CONSOLE_OPERATOR_IMAGE)
+ mvn package -am -pl operator -Pcontainer-image -DskipTests -Dquarkus.kubernetes.namespace='$${NAMESPACE}' -Dquarkus.container-image.image=$(CONSOLE_OPERATOR_IMAGE)
 operator/bin/modify-bundle-metadata.sh "VERSION=$(CSV_VERSION)" "SKIP_RANGE=$(SKIP_RANGE)" "SKOPEO_TRANSPORT=$(SKOPEO_TRANSPORT)"
 operator/bin/generate-catalog.sh $(CSV_VERSION)
- $(CONTAINER_RUNTIME) build --platform=$(ARCH) -t $(CONSOLE_OPERATOR_BUNDLE_IMAGE) -f operator/target/bundle/console-operator/bundle.Dockerfile
+ $(CONTAINER_RUNTIME) build --platform=$(ARCH) -t $(CONSOLE_OPERATOR_BUNDLE_IMAGE) -f operator/target/bundle/streamshub-console-operator/bundle.Dockerfile
 $(CONTAINER_RUNTIME) build --platform=$(ARCH) -t $(CONSOLE_OPERATOR_CATALOG_IMAGE) -f operator/target/catalog.Dockerfile

 container-image-operator-push: container-image-operator
diff --git a/operator/bin/common.sh b/operator/bin/common.sh
index 268093947..9ca5e8d22 100644
--- a/operator/bin/common.sh
+++ b/operator/bin/common.sh
@@ -2,8 +2,8 @@ SCRIPT_PATH="$(cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)"
-BUNDLE_PATH=${SCRIPT_PATH}/../target/bundle/console-operator/
-CSV_FILE_PATH=${BUNDLE_PATH}/manifests/console-operator.clusterserviceversion.yaml
+BUNDLE_PATH=${SCRIPT_PATH}/../target/bundle/streamshub-console-operator/
+CSV_FILE_PATH=${BUNDLE_PATH}/manifests/streamshub-console-operator.clusterserviceversion.yaml
 CATALOG_PATH=${SCRIPT_PATH}/../target/catalog
 OPERATOR_CATALOG_CONFIG_YAML_PATH=${CATALOG_PATH}/operator.yaml
 # Operator naming
diff --git a/operator/bin/modify-bundle-metadata.sh b/operator/bin/modify-bundle-metadata.sh
index a101a62ec..f5cdc2300 100755
--- a/operator/bin/modify-bundle-metadata.sh
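Review bot: The `-Dquarkus.kubernetes.namespace='$${NAMESPACE}'` added to the `container-image-operator` recipe passes the string `${NAMESPACE}` to mvn unexpanded — `$$` stops Make and the single quotes stop the shell — so the generated manifests end up with a literal placeholder, and nothing in the Makefile says this is intended rather than a missing export. Add a Make comment above the rule, e.g. `# '$${NAMESPACE}' is passed literally: the generated Kubernetes manifests keep a ${NAMESPACE} placeholder for substitution at install time`. Who substitutes it (OLM, an install script) is not visible in this diff and belongs in that comment once confirmed.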
+++ b/operator/bin/modify-bundle-metadata.sh
@@ -37,7 +37,7 @@ fi
 ${YQ} eval -o yaml -i 'del(.spec.install.spec.deployments[0].spec.template.metadata.namespace)' "${CSV_FILE_PATH}"

 # Get operator image name with tag
-yq_image_expression=".spec.install.spec.deployments[0] | (select (.name ==\"${ORIGINAL_OPERATOR_NAME}\")).spec.template.spec.containers[].image"
+yq_image_expression=".spec.install.spec.deployments[0].spec.template.spec.containers[0].image"
 operator_image_with_tag=$(${YQ} eval "${yq_image_expression}" "${CSV_FILE_PATH}")
 echo "[DEBUG] Original operator image name with tag = ${operator_image_with_tag}"

@@ -54,9 +54,8 @@ operator_image_with_digest="${image_registry}/${operator_name}@${operator_image_
 # Create relatedImages section
 ${YQ} eval -o yaml -i ".spec.relatedImages = null" "${CSV_FILE_PATH}"

-# Add operator image with digest to related images + replace operator image tag to digest
+# Replace operator image tag to digest
 echo "[DEBUG] Setting container image = ${operator_image_with_digest}"
-${YQ} eval -o yaml -i ".spec.relatedImages += [{\"name\": \"${OPERATOR_NAME}\", \"image\": \"${operator_image_with_digest}\"}]" "${CSV_FILE_PATH}";
 ${YQ} eval -o yaml -i ".metadata.annotations.containerImage = \"${operator_image_with_digest}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].image = \"${operator_image_with_digest}\"" "${CSV_FILE_PATH}"

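Review bot: The new `yq_image_expression` selects `containers[0].image` purely by position and drops the `select(.name == "${ORIGINAL_OPERATOR_NAME}")` guard, so if the CSV ever gains another deployment or a sidecar/init container in first position, the wrong image would be inspected with skopeo and pinned by digest into the CSV without any error. `operator_image_with_tag` is consumed unchecked after this hunk, so add a guard right after the assignment: `[[ -n "${operator_image_with_tag}" && "${operator_image_with_tag}" != "null" ]] || { echo "[ERROR] operator image not found in ${CSV_FILE_PATH}" >&2; exit 1; }`. Whether the script runs under `set -e` is not visible here, but yq prints `null` for a missing path with exit status 0 either way, so the explicit check is needed regardless.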
@@ -72,14 +71,6 @@ ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].name = \"${OPERATOR_INS
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.selector.matchLabels[\"app.kubernetes.io/name\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.metadata.labels[\"app.kubernetes.io/instance\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.metadata.labels[\"app.kubernetes.io/name\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].name = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-# Change serviceAccountName as well
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.serviceAccountName = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-${YQ} eval -o yaml -i ".spec.install.spec.clusterPermissions.[].serviceAccountName = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-
-echo "[DEBUG] Updating package name annotation and image label to ${OPERATOR_NAME}"
-${YQ} eval -o yaml -i ".annotations.[\"operators.operatorframework.io.bundle.package.v1\"] = \"${OPERATOR_NAME}\"" "${BUNDLE_PATH}/metadata/annotations.yaml"
-sed -i 's/'${ORIGINAL_OPERATOR_NAME}'/'${OPERATOR_NAME}'/' "${BUNDLE_PATH}/bundle.Dockerfile"

 # Add Env for operator deployment that references API and UI images with digest instead of tag
 echo "[DEBUG] Add UI and API images to CSV"
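Review bot: Dropping the `serviceAccountName` and `clusterPermissions[].serviceAccountName` rewrites (together with the package-annotation and `bundle.Dockerfile` edits) leaves the bundle correct only while `OPERATOR_NAME`, set in common.sh outside this diff, equals the `quarkus.kubernetes.name` the build now emits, `streamshub-console-operator`; if the two ever drift, the CSV's permissions would be bound to a service account the deployment never uses and the operator would start without its RBAC. Make that assumption fail loudly where the removed lines were: `csv_sa=$(${YQ} eval '.spec.install.spec.deployments[0].spec.template.spec.serviceAccountName' "${CSV_FILE_PATH}")` followed by `[[ "${csv_sa}" == "${OPERATOR_NAME}" ]] || { echo "[ERROR] CSV serviceAccountName '${csv_sa}' != OPERATOR_NAME '${OPERATOR_NAME}'" >&2; exit 1; }`. The script continues outside this hunk and still uses `OPERATOR_NAME` (the relatedImages entry below), so the check also protects those later uses.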
@@ -94,8 +85,20 @@ api_image_digest=$(${SKOPEO} inspect --tls-verify=false --override-os=linux --fo
 api_image_with_digest="${image_registry}/${api_name}@${api_image_digest}"
 echo "[DEBUG] Using API image: ${api_image_with_digest}"

-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_UI_IMAGE\", \"value\": \"${ui_image_with_digest}\"}]" "${CSV_FILE_PATH}";
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_API_IMAGE\", \"value\": \"${api_image_with_digest}\"}]" "${CSV_FILE_PATH}";
+${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_UI_IMAGE\", \"value\": \"${ui_image_with_digest}\"}]" "${CSV_FILE_PATH}"
+${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_API_IMAGE\", \"value\": \"${api_image_with_digest}\"}]" "${CSV_FILE_PATH}"
+
+# Add operator and operatnd images with digests to related images
+${YQ} eval -o yaml -i '.spec.relatedImages += [{
+ "name": "'${OPERATOR_NAME}'",
+ "image": "'${operator_image_with_digest}'"
+}, {
+ "name": "streamshub-console-api",
+ "image": "'${api_image_with_digest}'"
+}, {
+ "name": "streamshub-console-ui",
+ "image": "'${ui_image_with_digest}'"
+}]' "${CSV_FILE_PATH}"

 # Add skipRange if present
 if [[ -n "$SKIP_RANGE" ]]; then
diff --git a/operator/src/main/kubernetes/kubernetes.yml b/operator/src/main/kubernetes/kubernetes.yml
index cd0d14701..fcae1cdeb 100644
--- a/operator/src/main/kubernetes/kubernetes.yml
+++ b/operator/src/main/kubernetes/kubernetes.yml
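Review bot: The new `relatedImages` block splices `${OPERATOR_NAME}` and the three digest strings into the single-quoted yq program by closing and reopening the quotes, so each expansion is unquoted to the shell (word splitting and globbing apply) and any `"` or newline in a value would silently corrupt the yq expression rather than fail; the removed line used the same pattern, but since this block is being rewritten anyway, yq's `strenv()` reads the values from the environment without any interpolation. The comment also carries a typo, `# Add operator and operatnd images ...`, which should read `operand`. The rewrite below keeps the same three entries and the same `+=` onto the `relatedImages` list that was reset to `null` earlier in the script.
```shell
# … unchanged: CONSOLE_DEPLOYMENT_DEFAULT_UI_IMAGE / _API_IMAGE env additions …

# Add operator and operand images with digests to related images
OPERATOR_NAME="${OPERATOR_NAME}" \
OPERATOR_IMAGE="${operator_image_with_digest}" \
API_IMAGE="${api_image_with_digest}" \
UI_IMAGE="${ui_image_with_digest}" \
${YQ} eval -o yaml -i '.spec.relatedImages += [
  { "name": strenv(OPERATOR_NAME), "image": strenv(OPERATOR_IMAGE) },
  { "name": "streamshub-console-api", "image": strenv(API_IMAGE) },
  { "name": "streamshub-console-ui",  "image": strenv(UI_IMAGE) }
]' "${CSV_FILE_PATH}"
```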
@@ -2,7 +2,137 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: consolereconciler-additional-cluster-role
+ name: streamshub-consolereconciler-cluster-role
+rules:
+ - apiGroups:
+ - console.streamshub.github.com
+ resources:
+ - consoles
+ - consoles/status
+ - consoles/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
+ - create
+ - delete
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: streamshub-console-crd-validating-cluster-role
+rules:
+ # Used by operator framework to validate CRDs
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: streamshub-consolereconciler-additional-cluster-role
 rules:
 - apiGroups:
 - coordination.k8s.io
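Review bot: The hand-written `streamshub-consolereconciler-cluster-role` grants cluster-wide create/delete/patch on `secrets`, `clusterroles` and `clusterrolebindings` with no comment on why any rule exists, and because this commit turns off QOSDK's RBAC generation nothing will flag drift when the reconciler's dependent resources change, so a later reviewer cannot tell a needed rule from a leftover. Add a comment directly under the first `rules:` such as `# Hand-maintained copy of the rules QOSDK generated for ConsoleReconciler before disable-rbac-generation; update when the reconciler's dependent resources change`, and a one-liner on the `clusterroles`/`clusterrolebindings` rules naming what the reconciler creates with them. Since the API server only lets a subject create roles and bindings for permissions it already holds, the `secrets` rule in particular is worth documenting as deliberately cluster-scoped (whether the reconciler only touches secrets in its own namespace, which would allow a namespaced Role instead, is not determinable from this diff).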
@@ -103,11 +233,35 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: consolereconciler-additional-cluster-role-binding
+ name: streamshub-consolereconciler-cluster-role-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: streamshub-consolereconciler-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: streamshub-console-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: streamshub-consolereconciler-crd-validating-role-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: streamshub-console-crd-validating-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: streamshub-console-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: streamshub-consolereconciler-additional-cluster-role-binding
 roleRef:
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
- name: consolereconciler-additional-cluster-role
+ name: streamshub-consolereconciler-additional-cluster-role
 subjects:
 - kind: ServiceAccount
 name: streamshub-console-operator
@@ -116,7 +270,7 @@ subjects:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: consolereconciler-cluster-monitoring-view
+ name: streamshub-consolereconciler-cluster-monitoring-view
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
@@ -128,19 +282,19 @@ subjects:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: console-operator
+ name: streamshub-console-operator
 spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/name: console-operator
+ app.kubernetes.io/name: streamshub-console-operator
 template:
 metadata:
 labels:
- app.kubernetes.io/name: console-operator
+ app.kubernetes.io/name: streamshub-console-operator
 spec:
 containers:
- - name: console-operator
+ - name: streamshub-console-operator
 securityContext:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
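Review bot: The two new ClusterRoleBindings bind a `ServiceAccount` subject that carries only `name: streamshub-console-operator` and no `namespace`, which the API server requires for a ServiceAccount subject; the pre-existing `...-additional-cluster-role-binding` has the same shape, so presumably Quarkus injects the namespace at build time (the `quarkus.kubernetes.namespace` passed in the Makefile) and OLM derives `clusterPermissions` from these bindings for the CSV, but that dependency is invisible in this file. Add a comment at the first `subjects:` block, e.g. `# namespace is filled in at build time from quarkus.kubernetes.namespace; OLM turns these bindings into CSV clusterPermissions`, so the file is not mistaken for a manifest that can be applied directly. The same note covers the renamed `...-cluster-monitoring-view` binding in the next hunk.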
diff --git a/operator/src/main/resources/application.properties b/operator/src/main/resources/application.properties
index 2299dbfd6..846d7ff3b 100644
--- a/operator/src/main/resources/application.properties
+++ b/operator/src/main/resources/application.properties
@@ -10,7 +10,11 @@ quarkus.container-image.name=console-operator
 quarkus.operator-sdk.activate-leader-election-for-profiles=prod
 quarkus.operator-sdk.controllers."consolereconciler".selector=${console.selector}
+# Disable auto-RBAC to control naming of service accounts and roles/bindings
+quarkus.operator-sdk.disable-rbac-generation=true
+quarkus.kubernetes.name=streamshub-console-operator
+quarkus.kubernetes.rbac.service-accounts.streamshub-console-operator.namespace=
 quarkus.kubernetes.env.fields."CONSOLE_DEPLOYMENT_DEFAULT_IMAGE_TAG"=metadata.labels['app.kubernetes.io/version']
 # Not needed. Disable to support read-only FS
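Review bot: The empty assignment `quarkus.kubernetes.rbac.service-accounts.streamshub-console-operator.namespace=` is not explained by the comment above it; it appears to exist only to declare the service account under the new name, so that the generated Deployment's `serviceAccountName` and SA manifest match the hand-written ClusterRoleBindings in kubernetes.yml, with the empty value deferring the namespace to `quarkus.kubernetes.namespace`. Extend the comment to say so, e.g. `# Declare the SA explicitly (empty namespace = deployment namespace) so it is generated under the same name the hand-written ClusterRoleBindings reference`. `quarkus.container-image.name` stays `console-operator` while `quarkus.kubernetes.name` becomes `streamshub-console-operator`; if that split is intentional, one clause in the comment would save the next reader a search.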