From 89d52e986dfaf57bdafb24d717eab14a79b410d6 Mon Sep 17 00:00:00 2001
From: Michael Edgar
Date: Mon, 9 Dec 2024 12:23:59 -0500
Subject: [PATCH] fix: disable QOSDK RBAC generation, specify deployment/SA names

Signed-off-by: Michael Edgar
---
 operator/bin/modify-bundle-metadata.sh | 8 -
 operator/src/main/kubernetes/kubernetes.yml | 168 +++++++++++++++++-
 .../src/main/resources/application.properties | 4 +
 3 files changed, 165 insertions(+), 15 deletions(-)

diff --git a/operator/bin/modify-bundle-metadata.sh b/operator/bin/modify-bundle-metadata.sh
index a101a62ec..d7f7a070b 100755
--- a/operator/bin/modify-bundle-metadata.sh
+++ b/operator/bin/modify-bundle-metadata.sh
@@ -72,14 +72,6 @@ ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].name = \"${OPERATOR_INS
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.selector.matchLabels[\"app.kubernetes.io/name\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.metadata.labels[\"app.kubernetes.io/instance\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.metadata.labels[\"app.kubernetes.io/name\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].name = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-# Change serviceAccountName as well
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.serviceAccountName = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-${YQ} eval -o yaml -i ".spec.install.spec.clusterPermissions.[].serviceAccountName = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-
-echo "[DEBUG] Updating package name annotation and image label to ${OPERATOR_NAME}"
-${YQ} eval -o yaml -i ".annotations.[\"operators.operatorframework.io.bundle.package.v1\"] = \"${OPERATOR_NAME}\"" "${BUNDLE_PATH}/metadata/annotations.yaml"
-sed -i 's/'${ORIGINAL_OPERATOR_NAME}'/'${OPERATOR_NAME}'/' "${BUNDLE_PATH}/bundle.Dockerfile"
 
 # Add Env for operator deployment that references API and UI images with digest instead of tag
 echo "[DEBUG] Add UI and API images to CSV"
diff --git a/operator/src/main/kubernetes/kubernetes.yml b/operator/src/main/kubernetes/kubernetes.yml
index cd0d14701..4ed368c09 100644
--- a/operator/src/main/kubernetes/kubernetes.yml
+++ b/operator/src/main/kubernetes/kubernetes.yml
@@ -2,7 +2,137 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: consolereconciler-additional-cluster-role
+ name: streamshub-consolereconciler-cluster-role
+rules:
+ - apiGroups:
+ - console.streamshub.github.com
+ resources:
+ - consoles
+ - consoles/status
+ - consoles/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
+ - create
+ - delete
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: streamshub-console-crd-validating-cluster-role
+rules:
+ # Used by operator framework to validate CRDs
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: streamshub-consolereconciler-additional-cluster-role
 rules:
 - apiGroups:
 - coordination.k8s.io
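Review bot: The new `streamshub-consolereconciler-cluster-role` grants cluster-wide create/delete/patch on `secrets`, `serviceaccounts`, `clusterroles` and `clusterrolebindings` with no `resourceNames` restriction and no comment saying why each rule is needed, whereas the `crd-validating` role that follows does carry one. Since the commit subject says QOSDK RBAC generation is now disabled, this list is presumably hand-maintained and will drift silently from the reconciler's dependent resources; a header comment such as `# Hand-maintained (QOSDK RBAC generation is disabled): one rule per resource type the Console reconciler creates or watches — extend when a dependent resource type is added` above `rules:` would record that. The API server's escalation checks mean the `clusterroles`/`clusterrolebindings` rules only let the operator hand out permissions it already holds, so the effective blast radius is the union of these rules — which makes the unscoped `secrets` rule the one to justify in a comment (all namespaces, or only the Console's?); I cannot see the reconciler from here. The `streamshub-consolereconciler-additional-cluster-role` definition at the end of the hunk continues outside it.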
@@ -103,11 +233,35 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: consolereconciler-additional-cluster-role-binding
+ name: streamshub-consolereconciler-cluster-role-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: streamshub-consolereconciler-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: streamshub-console-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: streamshub-consolereconciler-crd-validating-role-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: streamshub-console-crd-validating-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: streamshub-console-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: streamshub-consolereconciler-additional-cluster-role-binding
 roleRef:
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
- name: consolereconciler-additional-cluster-role
+ name: streamshub-consolereconciler-additional-cluster-role
 subjects:
 - kind: ServiceAccount
 name: streamshub-console-operator
@@ -116,7 +270,7 @@ subjects:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: consolereconciler-cluster-monitoring-view
+ name: streamshub-consolereconciler-cluster-monitoring-view
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
@@ -128,16 +282,16 @@ subjects:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: console-operator
+ name: streamshub-console-operator
 spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/name: console-operator
+ app.kubernetes.io/name: streamshub-console-operator
 template:
 metadata:
 labels:
- app.kubernetes.io/name: console-operator
+ app.kubernetes.io/name: streamshub-console-operator
 spec:
 containers:
 - name: console-operator
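Review bot: The two new ClusterRoleBindings list a `ServiceAccount` subject with a `name` but no `namespace`, which the API server rejects for ServiceAccount subjects unless something fills it in before apply; the pre-existing `additional-cluster-role-binding` omits it too, so presumably the Quarkus/OLM processing of this file supplies it — worth confirming and recording with a comment above `subjects:` such as `# namespace is supplied at build time (see quarkus.kubernetes.rbac.service-accounts.* in application.properties)`. Now that the modify-bundle script no longer rewrites `serviceAccountName` in the CSV, the Deployment's pod template (its `spec` continues past the last hunk on this line) must set `serviceAccountName: streamshub-console-operator` itself; if it is left unset the pods run as the namespace's `default` account and none of these bindings apply to them. The three bindings repeat an identical subject stanza; since anchors cannot cross the `---` document boundaries, a one-line comment above each binding naming what its role is for is the lightest way to keep them readable.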
diff --git a/operator/src/main/resources/application.properties b/operator/src/main/resources/application.properties
index 2299dbfd6..846d7ff3b 100644
--- a/operator/src/main/resources/application.properties
+++ b/operator/src/main/resources/application.properties
@@ -10,7 +10,11 @@ quarkus.container-image.name=console-operator
 quarkus.operator-sdk.activate-leader-election-for-profiles=prod
 quarkus.operator-sdk.controllers."consolereconciler".selector=${console.selector}
+# Disable auto-RBAC to control naming of service accounts and roles/bindings
+quarkus.operator-sdk.disable-rbac-generation=true
+quarkus.kubernetes.name=streamshub-console-operator
+quarkus.kubernetes.rbac.service-accounts.streamshub-console-operator.namespace=
 quarkus.kubernetes.env.fields."CONSOLE_DEPLOYMENT_DEFAULT_IMAGE_TAG"=metadata.labels['app.kubernetes.io/version']
 # Not needed. Disable to support read-only FS
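Review bot: `quarkus.kubernetes.rbac.service-accounts.streamshub-console-operator.namespace=` is added with an empty value and nothing says whether that is deliberate (declare the service account, let the namespace follow the deployment) or a placeholder, and an empty property value reads like an unfinished line. If it is intentional, a comment above it such as `# namespace intentionally empty: the SA is created in whatever namespace the operator is deployed to` settles that for the next reader; if the build is expected to fill it, say so instead. The comment on `disable-rbac-generation=true` could also name the consequence — the ClusterRole rules in `src/main/kubernetes/kubernetes.yml` are now hand-maintained and must be extended whenever the reconciler manages a new resource type — since that is the price of taking naming control. `quarkus.kubernetes.name` becomes `streamshub-console-operator` while `quarkus.container-image.name` in the hunk header stays `console-operator`; if the image name and workload name are meant to diverge, a short comment avoids the obvious question.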