From 90455961b40b8a4241b536b8740a79f65372cc2b Mon Sep 17 00:00:00 2001
From: Michael Edgar
Date: Mon, 9 Dec 2024 12:23:59 -0500
Subject: [PATCH] fix: disable QOSDK RBAC generation, specify deployment/SA names

Signed-off-by: Michael Edgar
---
 operator/bin/common.sh | 4 +-
 operator/bin/modify-bundle-metadata.sh | 29 +--
 operator/src/main/kubernetes/kubernetes.yml | 170 +++++++++++++++++-
 .../src/main/resources/application.properties | 4 +
 4 files changed, 184 insertions(+), 23 deletions(-)

diff --git a/operator/bin/common.sh b/operator/bin/common.sh
index 268093947..9ca5e8d22 100644
--- a/operator/bin/common.sh
+++ b/operator/bin/common.sh
@@ -2,8 +2,8 @@
 SCRIPT_PATH="$(cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)"
-BUNDLE_PATH=${SCRIPT_PATH}/../target/bundle/console-operator/
-CSV_FILE_PATH=${BUNDLE_PATH}/manifests/console-operator.clusterserviceversion.yaml
+BUNDLE_PATH=${SCRIPT_PATH}/../target/bundle/streamshub-console-operator/
+CSV_FILE_PATH=${BUNDLE_PATH}/manifests/streamshub-console-operator.clusterserviceversion.yaml
 CATALOG_PATH=${SCRIPT_PATH}/../target/catalog
 OPERATOR_CATALOG_CONFIG_YAML_PATH=${CATALOG_PATH}/operator.yaml
 # Operator naming
diff --git a/operator/bin/modify-bundle-metadata.sh b/operator/bin/modify-bundle-metadata.sh
index a101a62ec..f5cdc2300 100755
--- a/operator/bin/modify-bundle-metadata.sh
+++ b/operator/bin/modify-bundle-metadata.sh
@@ -37,7 +37,7 @@ fi
 ${YQ} eval -o yaml -i 'del(.spec.install.spec.deployments[0].spec.template.metadata.namespace)' "${CSV_FILE_PATH}"
 # Get operator image name with tag
-yq_image_expression=".spec.install.spec.deployments[0] | (select (.name ==\"${ORIGINAL_OPERATOR_NAME}\")).spec.template.spec.containers[].image"
+yq_image_expression=".spec.install.spec.deployments[0].spec.template.spec.containers[0].image"
 operator_image_with_tag=$(${YQ} eval "${yq_image_expression}" "${CSV_FILE_PATH}")
 echo "[DEBUG] Original operator image name with tag = ${operator_image_with_tag}"
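Review bot: The new `yq_image_expression` no longer selects the deployment by name, so if the first deployment's first container is ever not the operator (or the path is missing) `operator_image_with_tag` becomes empty or the literal `null` and is carried, presumably, into the skopeo digest lookup and image substitution later in the script with no error at this point. Fail fast right after the assignment: `[[ -n "${operator_image_with_tag}" && "${operator_image_with_tag}" != "null" ]] || { echo "[ERROR] operator image not found in ${CSV_FILE_PATH}" >&2; exit 1; }`. The old expression at least pinned the lookup to `${ORIGINAL_OPERATOR_NAME}`; a comment stating the assumption (`# Assumes the CSV has a single deployment with the operator as its first container`) would make the new contract explicit.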
@@ -54,9 +54,8 @@ operator_image_with_digest="${image_registry}/${operator_name}@${operator_image_
 # Create relatedImages section
 ${YQ} eval -o yaml -i ".spec.relatedImages = null" "${CSV_FILE_PATH}"
-# Add operator image with digest to related images + replace operator image tag to digest
+# Replace operator image tag to digest
 echo "[DEBUG] Setting container image = ${operator_image_with_digest}"
-${YQ} eval -o yaml -i ".spec.relatedImages += [{\"name\": \"${OPERATOR_NAME}\", \"image\": \"${operator_image_with_digest}\"}]" "${CSV_FILE_PATH}";
 ${YQ} eval -o yaml -i ".metadata.annotations.containerImage = \"${operator_image_with_digest}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].image = \"${operator_image_with_digest}\"" "${CSV_FILE_PATH}"
@@ -72,14 +71,6 @@ ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].name = \"${OPERATOR_INS
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.selector.matchLabels[\"app.kubernetes.io/name\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.metadata.labels[\"app.kubernetes.io/instance\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
 ${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.metadata.labels[\"app.kubernetes.io/name\"] = \"${OPERATOR_INSTANCE_NAME}\"" "${CSV_FILE_PATH}"
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].name = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-# Change serviceAccountName as well
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.serviceAccountName = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-${YQ} eval -o yaml -i ".spec.install.spec.clusterPermissions.[].serviceAccountName = \"${OPERATOR_NAME}\"" "${CSV_FILE_PATH}"
-
-echo "[DEBUG] Updating package name annotation and image label to ${OPERATOR_NAME}"
-${YQ} eval -o yaml -i ".annotations.[\"operators.operatorframework.io.bundle.package.v1\"] = \"${OPERATOR_NAME}\"" "${BUNDLE_PATH}/metadata/annotations.yaml"
-sed -i 's/'${ORIGINAL_OPERATOR_NAME}'/'${OPERATOR_NAME}'/' "${BUNDLE_PATH}/bundle.Dockerfile"
 # Add Env for operator deployment that references API and UI images with digest instead of tag
 echo "[DEBUG] Add UI and API images to CSV"
@@ -94,8 +85,20 @@ api_image_digest=$(${SKOPEO} inspect --tls-verify=false --override-os=linux --fo
 api_image_with_digest="${image_registry}/${api_name}@${api_image_digest}"
 echo "[DEBUG] Using API image: ${api_image_with_digest}"
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_UI_IMAGE\", \"value\": \"${ui_image_with_digest}\"}]" "${CSV_FILE_PATH}";
-${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_API_IMAGE\", \"value\": \"${api_image_with_digest}\"}]" "${CSV_FILE_PATH}";
+${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_UI_IMAGE\", \"value\": \"${ui_image_with_digest}\"}]" "${CSV_FILE_PATH}"
+${YQ} eval -o yaml -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].env += [{\"name\": \"CONSOLE_DEPLOYMENT_DEFAULT_API_IMAGE\", \"value\": \"${api_image_with_digest}\"}]" "${CSV_FILE_PATH}"
+
+# Add operator and operatnd images with digests to related images
+${YQ} eval -o yaml -i '.spec.relatedImages += [{
+ "name": "'${OPERATOR_NAME}'",
+ "image": "'${operator_image_with_digest}'"
+}, {
+ "name": "streamshub-console-api",
+ "image": "'${api_image_with_digest}'"
+}, {
+ "name": "streamshub-console-ui",
+ "image": "'${ui_image_with_digest}'"
+}]' "${CSV_FILE_PATH}"
 # Add skipRange if present
 if [[ -n "$SKIP_RANGE" ]]; then
diff --git a/operator/src/main/kubernetes/kubernetes.yml b/operator/src/main/kubernetes/kubernetes.yml
index cd0d14701..fcae1cdeb 100644
--- a/operator/src/main/kubernetes/kubernetes.yml
+++ b/operator/src/main/kubernetes/kubernetes.yml
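Review bot: The new `relatedImages` block splices `${OPERATOR_NAME}` and the three `*_image_with_digest` values into a single-quoted yq program by closing and reopening the quotes, so a value containing a double quote or other yq syntax becomes program text rather than data; the removed one-liner had the same weakness, but this list is what OLM uses for disconnected mirroring, so it deserves to be built safely. Pass the values through the environment and read them with `strenv(...)`, which yq treats as opaque strings, as below. Separately, the hunk's context shows the API digest being obtained with `skopeo inspect --tls-verify=false`, so the digests pinned here are only as trustworthy as the network path to the registry — consider dropping that flag (or limiting it to a local dev registry) before relying on `relatedImages` as a supply-chain control. The comment also has a typo: "operatnd" should read "operand".
```shell
# Add operator and operand images with digests to related images.
# Values are passed via the environment so yq treats them as data, not program text.
export OPERATOR_NAME operator_image_with_digest api_image_with_digest ui_image_with_digest
${YQ} eval -o yaml -i '.spec.relatedImages += [{
  "name": strenv(OPERATOR_NAME),
  "image": strenv(operator_image_with_digest)
}, {
  "name": "streamshub-console-api",
  "image": strenv(api_image_with_digest)
}, {
  "name": "streamshub-console-ui",
  "image": strenv(ui_image_with_digest)
}]' "${CSV_FILE_PATH}"
# … unchanged: skipRange handling …
```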
@@ -2,7 +2,137 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: consolereconciler-additional-cluster-role
+ name: streamshub-consolereconciler-cluster-role
+rules:
+ - apiGroups:
+ - console.streamshub.github.com
+ resources:
+ - consoles
+ - consoles/status
+ - consoles/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
+ - create
+ - delete
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: streamshub-console-crd-validating-cluster-role
+rules:
+ # Used by operator framework to validate CRDs
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: streamshub-consolereconciler-additional-cluster-role
 rules:
 - apiGroups:
 - coordination.k8s.io
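Review bot: The new `streamshub-consolereconciler-cluster-role` gives the operator's service account cluster-wide create/update/delete on `secrets`, `clusterroles` and `clusterrolebindings` (plus serviceaccounts, deployments, services, ingresses and configmaps), which makes that token a high-value target: anyone who can execute in the operator pod can read every Secret in the cluster and, via the RBAC rules, grant any permission the operator already holds. Since these rules now replace the QOSDK-generated ones (per the commit subject) and are maintained by hand, each rule should carry a comment naming the dependent resource that needs it so the list can be pruned rather than only grow, e.g. `# Secrets: per-Console credential/TLS secrets created by the reconciler — review before widening`. If the reconciler only manages objects in the namespaces it watches, the namespaced kinds are better granted through a Role/RoleBinding per watched namespace, and the `clusterroles`/`clusterrolebindings` rules constrained with `resourceNames` to the names the reconciler actually creates — I cannot see the reconciler here, so treat that as something to confirm against its dependent-resource list.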
@@ -103,11 +233,35 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: consolereconciler-additional-cluster-role-binding
+ name: streamshub-consolereconciler-cluster-role-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: streamshub-consolereconciler-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: streamshub-console-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: streamshub-consolereconciler-crd-validating-role-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: streamshub-console-crd-validating-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: streamshub-console-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: streamshub-consolereconciler-additional-cluster-role-binding
 roleRef:
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
- name: consolereconciler-additional-cluster-role
+ name: streamshub-consolereconciler-additional-cluster-role
 subjects:
 - kind: ServiceAccount
 name: streamshub-console-operator
@@ -116,7 +270,7 @@ subjects:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: consolereconciler-cluster-monitoring-view
+ name: streamshub-consolereconciler-cluster-monitoring-view
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
@@ -128,19 +282,19 @@ subjects:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: console-operator
+ name: streamshub-console-operator
 spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/name: console-operator
+ app.kubernetes.io/name: streamshub-console-operator
 template:
 metadata:
 labels:
- app.kubernetes.io/name: console-operator
+ app.kubernetes.io/name: streamshub-console-operator
 spec:
 containers:
- - name: console-operator
+ - name: streamshub-console-operator
 securityContext:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
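Review bot: Both new ClusterRoleBindings list their `ServiceAccount` subject with a `name` only and no `namespace`, which the RBAC API requires for ServiceAccount subjects; the pre-existing additional-cluster-role-binding shows the same shape, so presumably the Quarkus kubernetes extension fills the namespace in at build time, but with RBAC generation now disabled it is worth confirming that hand-authored bindings in this file get the same treatment, since a binding with the wrong or missing namespace silently grants nothing to the operator. A comment above `subjects:` such as `# namespace is injected at build time by the Quarkus kubernetes extension — verify in target/kubernetes/` would record the assumption. As a naming point, the binding `streamshub-consolereconciler-crd-validating-role-binding` references the ClusterRole `streamshub-console-crd-validating-cluster-role`; the two prefixes (`consolereconciler` vs `console`) should agree with each other and with the `...-cluster-role-binding` suffix used by the other bindings.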
diff --git a/operator/src/main/resources/application.properties b/operator/src/main/resources/application.properties
index 2299dbfd6..846d7ff3b 100644
--- a/operator/src/main/resources/application.properties
+++ b/operator/src/main/resources/application.properties
@@ -10,7 +10,11 @@ quarkus.container-image.name=console-operator
 quarkus.operator-sdk.activate-leader-election-for-profiles=prod
 quarkus.operator-sdk.controllers."consolereconciler".selector=${console.selector}
+# Disable auto-RBAC to control naming of service accounts and roles/bindings
+quarkus.operator-sdk.disable-rbac-generation=true
+quarkus.kubernetes.name=streamshub-console-operator
+quarkus.kubernetes.rbac.service-accounts.streamshub-console-operator.namespace=
 quarkus.kubernetes.env.fields."CONSOLE_DEPLOYMENT_DEFAULT_IMAGE_TAG"=metadata.labels['app.kubernetes.io/version']
 # Not needed. Disable to support read-only FS
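Review bot: Once `quarkus.operator-sdk.disable-rbac-generation=true` is set, the ClusterRole that the reconciler runs under is maintained by hand in `src/main/kubernetes/kubernetes.yml`, so a reconciler change that touches a new dependent resource type will build cleanly and fail only at runtime with a Forbidden from the API server; the comment should point at that file and the coupling, e.g. `# RBAC is no longer generated: rules live in src/main/kubernetes/kubernetes.yml and must be updated whenever the reconciler manages a new resource kind`. The empty value in `quarkus.kubernetes.rbac.service-accounts.streamshub-console-operator.namespace=` is also unexplained — it presumably clears a default so the ServiceAccount is emitted without a fixed namespace and lands in the install namespace; a one-line comment stating that intent would stop a later reader from "fixing" it.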