fix: disable QOSDK RBAC generation, specify deployment/SA names

Signed-off-by: Michael Edgar <[email protected]>
streamshub · Dec 9, 2024 · 89d52e9 · 89d52e9
1 parent 7f3790a
commit 89d52e9
Show file tree

Hide file tree

Showing 3 changed files with 165 additions and 15 deletions.
diff --git a/operator/bin/modify-bundle-metadata.sh b/operator/bin/modify-bundle-metadata.sh
@@ -72,14 +72,6 @@ ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].name = \"${OPERATOR_INS
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.selector.matchLabels[\"app.kubernetes.io/name\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.metadata.labels[\"app.kubernetes.io/instance\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.metadata.labels[\"app.kubernetes.io/name\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].name = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-# Change serviceAccountName as well
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.serviceAccountName = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-${YQ} eval -o yaml -i ".spec.install.spec.clusterPermissions.[].serviceAccountName = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-
-echo "[DEBUG] Updating package name annotation and image label to ${OPERATOR_NAME}"
-${YQ} eval -o yaml -i ".annotations.[\"operators.operatorframework.io.bundle.package.v1\"] = \"${OPERATOR_NAME}\"" "${BUNDLE_PATH}/metadata/annotations.yaml"
-sed -i 's/'${ORIGINAL_OPERATOR_NAME}'/'${OPERATOR_NAME}'/' "${BUNDLE_PATH}/bundle.Dockerfile"
 
 # Add Env for operator deployment that references API and UI images with digest instead of tag
 echo "[DEBUG] Add UI and API images to CSV"

diff --git a/operator/src/main/kubernetes/kubernetes.yml b/operator/src/main/kubernetes/kubernetes.yml
@@ -2,7 +2,137 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: consolereconciler-additional-cluster-role
+  name: streamshub-consolereconciler-cluster-role
+rules:
+  - apiGroups:
+      - console.streamshub.github.com
+    resources:
+      - consoles
+      - consoles/status
+      - consoles/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - update
+      - create
+      - delete
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterrolebindings
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: streamshub-console-crd-validating-cluster-role
+rules:
+  # Used by operator framework to validate CRDs
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: streamshub-consolereconciler-additional-cluster-role
 rules:
   - apiGroups:
       - coordination.k8s.io
@@ -103,11 +233,35 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: consolereconciler-additional-cluster-role-binding
+  name: streamshub-consolereconciler-cluster-role-binding
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: streamshub-consolereconciler-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: streamshub-console-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: streamshub-consolereconciler-crd-validating-role-binding
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: streamshub-console-crd-validating-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: streamshub-console-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: streamshub-consolereconciler-additional-cluster-role-binding
 roleRef:
   kind: ClusterRole
   apiGroup: rbac.authorization.k8s.io
-  name: consolereconciler-additional-cluster-role
+  name: streamshub-consolereconciler-additional-cluster-role
 subjects:
   - kind: ServiceAccount
     name: streamshub-console-operator
@@ -116,7 +270,7 @@ subjects:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: consolereconciler-cluster-monitoring-view
+  name: streamshub-consolereconciler-cluster-monitoring-view
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -128,16 +282,16 @@ subjects:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: console-operator
+  name: streamshub-console-operator
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: console-operator
+      app.kubernetes.io/name: streamshub-console-operator
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: console-operator
+        app.kubernetes.io/name: streamshub-console-operator
     spec:
       containers:
         - name: console-operator

diff --git a/operator/src/main/resources/application.properties b/operator/src/main/resources/application.properties
@@ -10,7 +10,11 @@ quarkus.container-image.name=console-operator
 
 quarkus.operator-sdk.activate-leader-election-for-profiles=prod
 quarkus.operator-sdk.controllers."consolereconciler".selector=${console.selector}
+# Disable auto-RBAC to control naming of service accounts and roles/bindings
+quarkus.operator-sdk.disable-rbac-generation=true
 
+quarkus.kubernetes.name=streamshub-console-operator
+quarkus.kubernetes.rbac.service-accounts.streamshub-console-operator.namespace=
 quarkus.kubernetes.env.fields."CONSOLE_DEPLOYMENT_DEFAULT_IMAGE_TAG"=metadata.labels['app.kubernetes.io/version']
 
 # Not needed. Disable to support read-only FS