fix: disable QOSDK RBAC generation, specify deployment/SA names

Signed-off-by: Michael Edgar <[email protected]>
streamshub · Dec 9, 2024 · 9045596 · 9045596
1 parent 7f3790a
commit 9045596
Show file tree

Hide file tree

Showing 4 changed files with 184 additions and 23 deletions.
diff --git a/operator/bin/common.sh b/operator/bin/common.sh
@@ -2,8 +2,8 @@
 
 SCRIPT_PATH="$(cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)"
 
-BUNDLE_PATH=${SCRIPT_PATH}/../target/bundle/console-operator/
-CSV_FILE_PATH=${BUNDLE_PATH}/manifests/console-operator.clusterserviceversion.yaml
+BUNDLE_PATH=${SCRIPT_PATH}/../target/bundle/streamshub-console-operator/
+CSV_FILE_PATH=${BUNDLE_PATH}/manifests/streamshub-console-operator.clusterserviceversion.yaml
 CATALOG_PATH=${SCRIPT_PATH}/../target/catalog
 OPERATOR_CATALOG_CONFIG_YAML_PATH=${CATALOG_PATH}/operator.yaml
 # Operator naming

diff --git a/operator/bin/modify-bundle-metadata.sh b/operator/bin/modify-bundle-metadata.sh
@@ -37,7 +37,7 @@ fi
 ${YQ} eval -o yaml -i 'del(.spec.install.spec.deployments[0].spec.template.metadata.namespace)' "${CSV_FILE_PATH}"
 
 # Get operator image name with tag
-yq_image_expression=".spec.install.spec.deployments[0] | (select (.name ==\"${ORIGINAL_OPERATOR_NAME}\")).spec.template.spec.containers[].image"
+yq_image_expression=".spec.install.spec.deployments[0].spec.template.spec.containers[0].image"
 operator_image_with_tag=$(${YQ} eval "${yq_image_expression}" "${CSV_FILE_PATH}")
 echo "[DEBUG] Original operator image name with tag = ${operator_image_with_tag}"
 
@@ -54,9 +54,8 @@ operator_image_with_digest="${image_registry}/${operator_name}@${operator_image_
 # Create relatedImages section
 ${YQ} eval -o yaml -i ".spec.relatedImages = null" "${CSV_FILE_PATH}"
 
-# Add operator image with digest to related images + replace operator image tag to digest
+# Replace operator image tag to digest
 echo "[DEBUG] Setting container image = ${operator_image_with_digest}"
-${YQ} eval -o yaml -i ".spec.relatedImages += [{\"name\": \"${OPERATOR_NAME}\", \"image\": \"${operator_image_with_digest}\"}]" "${CSV_FILE_PATH}";
 ${YQ} eval -o yaml -i ".metadata.annotations.containerImage = \"${operator_image_with_digest}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].image = \"${operator_image_with_digest}\"" "${CSV_FILE_PATH}"
 
@@ -72,14 +71,6 @@ ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].name = \"${OPERATOR_INS
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.selector.matchLabels[\"app.kubernetes.io/name\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.metadata.labels[\"app.kubernetes.io/instance\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.metadata.labels[\"app.kubernetes.io/name\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].name = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-# Change serviceAccountName as well
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.serviceAccountName = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-${YQ} eval -o yaml -i ".spec.install.spec.clusterPermissions.[].serviceAccountName = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-
-echo "[DEBUG] Updating package name annotation and image label to ${OPERATOR_NAME}"
-${YQ} eval -o yaml -i ".annotations.[\"operators.operatorframework.io.bundle.package.v1\"] = \"${OPERATOR_NAME}\"" "${BUNDLE_PATH}/metadata/annotations.yaml"
-sed -i 's/'${ORIGINAL_OPERATOR_NAME}'/'${OPERATOR_NAME}'/' "${BUNDLE_PATH}/bundle.Dockerfile"
 
 # Add Env for operator deployment that references API and UI images with digest instead of tag
 echo "[DEBUG] Add UI and API images to CSV"
@@ -94,8 +85,20 @@ api_image_digest=$(${SKOPEO} inspect --tls-verify=false --override-os=linux --fo
 api_image_with_digest="${image_registry}/${api_name}@${api_image_digest}"
 echo "[DEBUG] Using API image: ${api_image_with_digest}"
 
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_UI_IMAGE\", \"value\": \"${ui_image_with_digest}\"}]" "${CSV_FILE_PATH}";
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_API_IMAGE\", \"value\": \"${api_image_with_digest}\"}]" "${CSV_FILE_PATH}";
+${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_UI_IMAGE\", \"value\": \"${ui_image_with_digest}\"}]" "${CSV_FILE_PATH}"
+${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_API_IMAGE\", \"value\": \"${api_image_with_digest}\"}]" "${CSV_FILE_PATH}"
+
+# Add operator and operatnd images with digests to related images
+${YQ} eval -o yaml -i '.spec.relatedImages += [{
+  "name": "'${OPERATOR_NAME}'",
+  "image": "'${operator_image_with_digest}'"
+}, {
+  "name": "streamshub-console-api",
+  "image": "'${api_image_with_digest}'"
+}, {
+  "name": "streamshub-console-ui",
+  "image": "'${ui_image_with_digest}'"
+}]' "${CSV_FILE_PATH}"
 
 # Add skipRange if present
 if [[ -n "$SKIP_RANGE" ]]; then

diff --git a/operator/src/main/kubernetes/kubernetes.yml b/operator/src/main/kubernetes/kubernetes.yml
@@ -2,7 +2,137 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: consolereconciler-additional-cluster-role
+  name: streamshub-consolereconciler-cluster-role
+rules:
+  - apiGroups:
+      - console.streamshub.github.com
+    resources:
+      - consoles
+      - consoles/status
+      - consoles/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - update
+      - create
+      - delete
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterrolebindings
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: streamshub-console-crd-validating-cluster-role
+rules:
+  # Used by operator framework to validate CRDs
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: streamshub-consolereconciler-additional-cluster-role
 rules:
   - apiGroups:
       - coordination.k8s.io
@@ -103,11 +233,35 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: consolereconciler-additional-cluster-role-binding
+  name: streamshub-consolereconciler-cluster-role-binding
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: streamshub-consolereconciler-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: streamshub-console-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: streamshub-consolereconciler-crd-validating-role-binding
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: streamshub-console-crd-validating-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: streamshub-console-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: streamshub-consolereconciler-additional-cluster-role-binding
 roleRef:
   kind: ClusterRole
   apiGroup: rbac.authorization.k8s.io
-  name: consolereconciler-additional-cluster-role
+  name: streamshub-consolereconciler-additional-cluster-role
 subjects:
   - kind: ServiceAccount
     name: streamshub-console-operator
@@ -116,7 +270,7 @@ subjects:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: consolereconciler-cluster-monitoring-view
+  name: streamshub-consolereconciler-cluster-monitoring-view
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -128,19 +282,19 @@ subjects:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: console-operator
+  name: streamshub-console-operator
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: console-operator
+      app.kubernetes.io/name: streamshub-console-operator
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: console-operator
+        app.kubernetes.io/name: streamshub-console-operator
     spec:
       containers:
-        - name: console-operator
+        - name: streamshub-console-operator
           securityContext:
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false

diff --git a/operator/src/main/resources/application.properties b/operator/src/main/resources/application.properties
@@ -10,7 +10,11 @@ quarkus.container-image.name=console-operator
 
 quarkus.operator-sdk.activate-leader-election-for-profiles=prod
 quarkus.operator-sdk.controllers."consolereconciler".selector=${console.selector}
+# Disable auto-RBAC to control naming of service accounts and roles/bindings
+quarkus.operator-sdk.disable-rbac-generation=true
 
+quarkus.kubernetes.name=streamshub-console-operator
+quarkus.kubernetes.rbac.service-accounts.streamshub-console-operator.namespace=
 quarkus.kubernetes.env.fields."CONSOLE_DEPLOYMENT_DEFAULT_IMAGE_TAG"=metadata.labels['app.kubernetes.io/version']
 
 # Not needed. Disable to support read-only FS