diff --git a/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml b/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
index 3c4a9ebdc3..0b395d83ed 100644
--- a/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
+++ b/bundle/next-all-namespaces/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
@@ -126,7 +126,7 @@ metadata:
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
 repository: https://github.com/eclipse-che/che-operator
 support: Eclipse Foundation
- name: eclipse-che-preview-openshift.v7.40.0-377.next-all-namespaces
+ name: eclipse-che-preview-openshift.v7.40.0-378.next-all-namespaces
 namespace: placeholder
 spec:
 apiservicedefinitions: {}
@@ -1439,4 +1439,4 @@ spec:
 maturity: stable
 provider:
 name: Eclipse Foundation
- version: 7.40.0-377.next-all-namespaces
+ version: 7.40.0-378.next-all-namespaces
diff --git a/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml
index 52480e99e2..f77f79a176 100644
--- a/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml
+++ b/bundle/next/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml
@@ -133,7 +133,7 @@ metadata:
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
 repository: https://github.com/eclipse-che/che-operator
 support: Eclipse Foundation
- name: eclipse-che-preview-kubernetes.v7.40.0-377.next
+ name: eclipse-che-preview-kubernetes.v7.40.0-378.next
 namespace: placeholder
 spec:
 apiservicedefinitions: {}
@@ -1406,4 +1406,4 @@ spec:
 maturity: stable
 provider:
 name: Eclipse Foundation
- version: 7.40.0-377.next
+ version: 7.40.0-378.next
diff --git a/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
index 3163b2ebc7..131719e8d5 100644
--- a/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
+++ b/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
@@ -126,7 +126,7 @@ metadata:
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
 repository: https://github.com/eclipse-che/che-operator
 support: Eclipse Foundation
- name: eclipse-che-preview-openshift.v7.40.0-377.next
+ name: eclipse-che-preview-openshift.v7.40.0-378.next
 namespace: placeholder
 spec:
 apiservicedefinitions: {}
@@ -1439,4 +1439,4 @@ spec:
 maturity: stable
 provider:
 name: Eclipse Foundation
- version: 7.40.0-377.next
+ version: 7.40.0-378.next
diff --git a/config/rbac/cluster_role.yaml b/config/rbac/cluster_role.yaml
index afd74d83c5..9caa4678dc 100644
--- a/config/rbac/cluster_role.yaml
+++ b/config/rbac/cluster_role.yaml
@@ -386,3 +386,283 @@ rules:
 - list
 - watch
 # devworkspace-controller-edit-workspaces.ClusterRole.yaml
+ - apiGroups:
+ - workspace.devfile.io
+ resources:
+ - devworkspaces
+ - devworkspacetemplates
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - controller.devfile.io
+ resources:
+ - devworkspaceroutings
+ - components
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ # devworkspace-controller-leader-election-role.Role.yaml
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ # devworkspace-controller-proxy-role.ClusterRole.yaml
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ # devworkspace-controller-role.ClusterRole.yaml
+ - apiGroups:
+ - ""
+ resourceNames:
+ - workspace-preferences-configmap
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - persistentvolumeclaims
+ - pods
+ - secrets
+ - serviceaccounts
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resourceNames:
+ - workspace-credentials-secret
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - '*'
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
resourceNames:
+ - devworkspace-controller
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - apps
+ - extensions
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ - extensions
+ resources:
+ - deployments
+ - replicasets
+ verbs:
+ - '*'
+ - apiGroups:
+ - apps
+ - extensions
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - controller.devfile.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ - apiGroups:
+ - controller.devfile.io
+ resources:
+ - devworkspaceroutings
+ verbs:
+ - '*'
+ - apiGroups:
+ - controller.devfile.io
+ resources:
+ - devworkspaceroutings/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - create
+ - get
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - '*'
+ - apiGroups:
+ - oauth.openshift.io
+ resources:
+ - oauthclients
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - '*'
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes/custom-host
+ verbs:
+ - create
+ - apiGroups:
+ - workspace.devfile.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ # devworkspace-controller-view-workspaces.ClusterRole.yaml
+ - apiGroups:
+ - workspace.devfile.io
+ resources:
+ - devworkspaces
+ - devworkspacetemplates
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - controller.devfile.io
+ resources:
+ - devworkspaceroutings
- components
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/helmcharts/crds/org_v1_che_crd.yaml b/helmcharts/crds/org_v1_che_crd.yaml
index 10fbd2de98..4342ce58ec 100644
--- a/helmcharts/crds/org_v1_che_crd.yaml
+++ b/helmcharts/crds/org_v1_che_crd.yaml
@@ -174,7 +174,9 @@ spec:
 is defined, then it will be used to connect to the database. 2. `identityProviderPostgresPassword` is not defined, then a new secret with the name `che-identity-postgres-secret`
- will be created with an auto-generated value for `password`.'
+ will be created with an auto-generated value for `password`.
+ The secret must have `app.kubernetes.io/part-of=che.eclipse.org`
+ label.'
 type: string
 identityProviderRealm:
 description: Name of a Identity provider, Keycloak or RH-SSO,
@@ -215,7 +217,8 @@ spec:
 or `identityProviderPassword` are not defined, then a new secret with the name `che-identity-secret` will be created with default value `admin` for `user` and with an auto-generated
- value for `password`.'
+ value for `password`. The secret must have `app.kubernetes.io/part-of=che.eclipse.org`
+ label.'
 type: string
 identityProviderURL:
 description: Public URL of the Identity Provider server (Keycloak
@@ -328,7 +331,8 @@ spec:
 to connect to the DB. 2. `chePostgresUser` or `chePostgresPassword` are not defined, then a new secret with the name `che-postgres-secret` will be created with default value of `pgche` for `user` and
- with an auto-generated value for `password`.'
+ with an auto-generated value for `password`. The secret must
+ have `app.kubernetes.io/part-of=che.eclipse.org` label.'
 type: string
 chePostgresUser:
 description: PostgreSQL user that the Che server uses to connect
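Review bot: The `resourceNames`-scoped rules for `workspace-preferences-configmap` and `workspace-credentials-secret` in the `# devworkspace-controller-role.ClusterRole.yaml` block are dead: RBAC is additive, and the rules right after them grant `'*'` on `configmaps` and `secrets` (and on `pods`, `persistentvolumeclaims`, `serviceaccounts`, `services`) with no name restriction, in every namespace. Either the wildcard rules should be trimmed to the verbs the operator actually needs, or the named rules should go, so the manifest does not imply a restriction that is not enforced. The block under `# devworkspace-controller-leader-election-role.Role.yaml` also lands in this ClusterRole, so leader-election `configmaps` CRUD that the upstream filename suggests was namespaced now applies cluster-wide. With cluster-wide `pods/exec` create, `'*'` on `controller.devfile.io` and `workspace.devfile.io`, and create/update on `clusterroles` and `clusterrolebindings`, each block deserves a one-line comment stating whether the operator uses the rule itself or only holds it so it can grant it onward (the `cheClusterRoles` description elsewhere in this change mentions that requirement). The enclosing `rules:` list starts before the hunk, and the `helmcharts/templates/cluster_role.yaml` hunk adds the same `workspace-preferences-configmap` rule into a file whose new blob id (`9caa4678dc`) matches this one.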
@@ -513,9 +517,9 @@ spec:
 type: boolean
 cheClusterRoles:
 description: A comma-separated list of ClusterRoles that will
- be assigned to Che ServiceAccount. Be aware that the Che Operator
- has to already have all permissions in these ClusterRoles
- to grant them.
+ be assigned to Che ServiceAccount. Each role must have `app.kubernetes.io/part-of=che.eclipse.org`
+ label. Be aware that the Che Operator has to already have
+ all permissions in these ClusterRoles to grant them.
 type: string
 cheDebug:
 description: Enables the debug mode for Che server. Defaults
@@ -536,7 +540,8 @@ spec:
 cheHostTLSSecret:
 description: Name of a secret containing certificates to secure ingress or route for the custom host name of the installed
- Che server. See the `cheHost` field.
+ Che server. The secret must have `app.kubernetes.io/part-of=che.eclipse.org`
+ label. See the `cheHost` field.
 type: string
 cheImage:
 description: Overrides the container image used in Che deployment.
@@ -598,8 +603,8 @@ spec:
 type: object
 cheWorkspaceClusterRole:
 description: Custom cluster role bound to the user for the Che
- workspaces. The default roles are used when omitted or left
- blank.
+ workspaces. The role must have `app.kubernetes.io/part-of=che.eclipse.org`
+ label. The default roles are used when omitted or left blank.
 type: string
 customCheProperties:
 additionalProperties:
@@ -783,7 +788,9 @@ spec:
 gitSelfSignedCert:
 description: When enabled, the certificate from `che-git-self-signed-cert` ConfigMap will be propagated to the Che components and provide
- particular configuration for Git.
+ particular configuration for Git. Note, the `che-git-self-signed-cert`
+ ConfigMap must have `app.kubernetes.io/part-of=che.eclipse.org`
+ label.
 type: boolean
 nonProxyHosts:
 description: 'List of hosts that will be reached directly, bypassing
@@ -882,7 +889,8 @@ spec:
 proxySecret:
 description: The secret that contains `user` and `password` for a proxy server. When the secret is defined, the `proxyUser`
- and `proxyPassword` are ignored.
+ and `proxyPassword` are ignored. The secret must have `app.kubernetes.io/part-of=che.eclipse.org`
+ label.
 type: string
 proxyURL:
 description: URL (protocol+host name) of the proxy server. This
@@ -942,7 +950,8 @@ spec:
 required when adding the OpenShift OAuth provider, which has HTTPS endpoint signed with self-signed cert. The Che server must be aware of its CA cert to be able to request it. This
- is disabled by default.
+ is disabled by default. The Config Map must have `app.kubernetes.io/part-of=che.eclipse.org`
+ label.
 type: string
 singleHostGatewayConfigMapLabels:
 additionalProperties:
diff --git a/helmcharts/templates/cluster_role.yaml b/helmcharts/templates/cluster_role.yaml
index c344be5196..9caa4678dc 100644
--- a/helmcharts/templates/cluster_role.yaml
+++ b/helmcharts/templates/cluster_role.yaml
@@ -17,6 +17,7 @@ metadata:
 labels:
 app.kubernetes.io/name: che
 app.kubernetes.io/instance: che
+ app.kubernetes.io/part-of: che.eclipse.org
 app.kubernetes.io/component: che-operator
 rules:
 ### CHE-OPERATOR ROLES ONLY: BEGIN
@@ -449,6 +450,17 @@ rules:
 verbs:
 - create
 # devworkspace-controller-role.ClusterRole.yaml
+ - apiGroups:
+ - ""
+ resourceNames:
+ - workspace-preferences-configmap
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
 - apiGroups:
 - ""
 resources:
@@ -484,6 +496,7 @@ rules:
 - create
 - delete
 - get
+ - patch
 - apiGroups:
 - ""
 resources:
diff --git a/helmcharts/templates/cluster_rolebinding.yaml b/helmcharts/templates/cluster_rolebinding.yaml
index d1d3fa7f22..7e3c558894 100644
--- a/helmcharts/templates/cluster_rolebinding.yaml
+++ b/helmcharts/templates/cluster_rolebinding.yaml
@@ -17,6 +17,7 @@ metadata:
 labels:
 app.kubernetes.io/name: che
 app.kubernetes.io/instance: che
+ app.kubernetes.io/part-of: che.eclipse.org
 app.kubernetes.io/component: che-operator
 subjects:
 - kind: ServiceAccount
diff --git a/helmcharts/templates/manager.yaml b/helmcharts/templates/manager.yaml
index 4b161d94a5..2b6647985c 100644
--- a/helmcharts/templates/manager.yaml
+++ b/helmcharts/templates/manager.yaml
@@ -19,6 +19,7 @@ metadata:
 app: che-operator
 app.kubernetes.io/name: che
 app.kubernetes.io/instance: che
+ app.kubernetes.io/part-of: che.eclipse.org
 app.kubernetes.io/component: che-operator
 spec:
 replicas: 1
@@ -33,6 +34,7 @@ spec:
 app: che-operator
 app.kubernetes.io/name: che
 app.kubernetes.io/instance: che
+ app.kubernetes.io/part-of: che.eclipse.org
 app.kubernetes.io/component: che-operator
 spec:
 containers:
@@ -68,7 +70,7 @@ spec:
 - name: RELATED_IMAGE_devfile_registry
 value: quay.io/eclipse/che-devfile-registry:next
 - name: RELATED_IMAGE_che_tls_secrets_creation_job
- value: quay.io/eclipse/che-tls-secret-creator:alpine-d1ed4ad
+ value: quay.io/eclipse/che-tls-secret-creator:alpine-01a4c34
 - name: RELATED_IMAGE_pvc_jobs
 value: registry.access.redhat.com/ubi8-minimal:8.5-204
 - name: RELATED_IMAGE_postgres
@@ -90,7 +92,7 @@ spec:
 - name: RELATED_IMAGE_devworkspace_controller
 value: quay.io/devfile/devworkspace-controller:v0.9.0
 - name: RELATED_IMAGE_internal_rest_backup_server
- value: quay.io/eclipse/che-backup-server-rest:eeacd92
+ value: quay.io/eclipse/che-backup-server-rest:b6cc165
 - name: RELATED_IMAGE_gateway_authentication_sidecar
 value: quay.io/openshift/origin-oauth-proxy:4.7
 - name: RELATED_IMAGE_gateway_authorization_sidecar
@@ -148,7 +150,7 @@ spec:
 resources:
 limits:
 cpu: 500m
- memory: 5Gi
+ memory: 256Mi
 requests:
 cpu: 100m
 memory: 64Mi
diff --git a/helmcharts/templates/role.yaml b/helmcharts/templates/role.yaml
index 742f115552..a560976b56 100644
--- a/helmcharts/templates/role.yaml
+++ b/helmcharts/templates/role.yaml
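Review bot: `RELATED_IMAGE_che_tls_secrets_creation_job` and `RELATED_IMAGE_internal_rest_backup_server` are moved to new short-SHA tags (`alpine-01a4c34`, `b6cc165`) rather than digests; a tag can be re-pushed, so the operator's supply chain is only as fixed as the registry's tag policy. Pinning by digest, e.g. `value: quay.io/eclipse/che-tls-secret-creator@sha256:<digest of alpine-01a4c34>`, keeps the reference immutable and lets an admission policy verify it. The `@@ -90,7 +92,7 @@` hunk has the same issue; the `env` list continues outside both hunks.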
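Review bot: The operator's memory limit drops from `5Gi` to `256Mi` in one step while `requests.memory` stays at `64Mi`, and nothing in the change shows how 256Mi was sized; if it is too low the container is OOMKilled and reconciliation stops. A comment next to the limit giving its basis, e.g. `memory: 256Mi  # sized from observed peak usage, see <ISSUE-ID>`, would make the number reviewable, and any copy of the limit in the CSV bundles should be checked for consistency. The container spec that holds this `resources` block continues outside the hunk.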
@@ -16,6 +16,7 @@ metadata:
 labels:
 app.kubernetes.io/component: che-operator
 app.kubernetes.io/instance: che
+ app.kubernetes.io/part-of: che.eclipse.org
 app.kubernetes.io/name: che
 name: che-operator
 namespace: '{{ .Release.Namespace }}'
diff --git a/helmcharts/templates/role_binding.yaml b/helmcharts/templates/role_binding.yaml
index 15c86342e9..43833da8eb 100644
--- a/helmcharts/templates/role_binding.yaml
+++ b/helmcharts/templates/role_binding.yaml
@@ -17,6 +17,7 @@ metadata:
 labels:
 app.kubernetes.io/name: che
 app.kubernetes.io/instance: che
+ app.kubernetes.io/part-of: che.eclipse.org
 app.kubernetes.io/component: che-operator
 namespace: '{{ .Release.Namespace }}'
 roleRef:
diff --git a/helmcharts/templates/service_account.yaml b/helmcharts/templates/service_account.yaml
index 215deda274..6ed62d366b 100644
--- a/helmcharts/templates/service_account.yaml
+++ b/helmcharts/templates/service_account.yaml
@@ -17,5 +17,6 @@ metadata:
 labels:
 app.kubernetes.io/name: che
 app.kubernetes.io/instance: che
+ app.kubernetes.io/part-of: che.eclipse.org
 app.kubernetes.io/component: che-operator
 namespace: '{{ .Release.Namespace }}'