diff --git a/pkg/scaffold/api.go b/pkg/scaffold/api.go index a3f1b64507a..3f36e40c9cd 100644 --- a/pkg/scaffold/api.go +++ b/pkg/scaffold/api.go @@ -162,6 +162,7 @@ func (api *API) scaffoldV2() error { &resourcev2.Group{Resource: r}, &resourcev2.CRDSample{Resource: r}, &crdv2.EnableWebhookPatch{Resource: r}, + &crdv2.EnableCAInjectionPatch{Resource: r}, ) if err != nil { return fmt.Errorf("error scaffolding APIs: %v", err) diff --git a/pkg/scaffold/v2/certmanager/kustomize.go b/pkg/scaffold/v2/certmanager/kustomize.go index b3eef8e70f0..57cac3196b8 100644 --- a/pkg/scaffold/v2/certmanager/kustomize.go +++ b/pkg/scaffold/v2/certmanager/kustomize.go @@ -41,20 +41,24 @@ var kustomizationTemplate = `resources: # the following config is for teaching kustomize how to do var substitution vars: +- name: NAMESPACE # namespace of the service and the certificate CR + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace - name: CERTIFICATENAME objref: kind: Certificate group: certmanager.k8s.io version: v1alpha1 name: serving-cert # this name should match the one in certificate.yaml -- name: CERTIFICATENAMESPACE +- name: SERVICENAME objref: - kind: Certificate - group: certmanager.k8s.io - version: v1alpha1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace + kind: Service + version: v1 + name: webhook-service configurations: - kustomizeconfig.yaml diff --git a/pkg/scaffold/v2/crd/enablecainjection_patch.go b/pkg/scaffold/v2/crd/enablecainjection_patch.go new file mode 100644 index 00000000000..d0e184dbaeb --- /dev/null +++ b/pkg/scaffold/v2/crd/enablecainjection_patch.go 
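Review bot: The new `NAMESPACE` var in `kustomizationTemplate` (certmanager/kustomize.go) is read from the `webhook-service` Service, yet the same value forms the namespace half of `certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)`, which has to name the Certificate. The inline comment mentions both objects but not that they must stay in the same namespace; if an overlay separates them, the annotation points at a Certificate that does not exist and presumably no CA is injected. I would say so next to the var, e.g. `# the Service and the Certificate must share this namespace; inject-ca-from is built from it`. Removing `CERTIFICATENAMESPACE` also leaves any existing overlay that still references it unsubstituted, which deserves a line in the release notes.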
@@ -0,0 +1,63 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+ "fmt"
+ "path/filepath"
+ "strings"
+
+ "github.com/markbates/inflect"
+
+ "sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+ "sigs.k8s.io/kubebuilder/pkg/scaffold/v1/resource"
+)
+
+// EnableCAInjectionPatch scaffolds a EnableCAInjectionPatch for a Resource
+type EnableCAInjectionPatch struct {
+ input.Input
+
+ // Resource is the Resource to make the EnableCAInjectionPatch for
+ Resource *resource.Resource
+}
+
+// GetInput implements input.File
+func (p *EnableCAInjectionPatch) GetInput() (input.Input, error) {
+ if p.Path == "" {
+ rs := inflect.NewDefaultRuleset()
+ plural := rs.Pluralize(strings.ToLower(p.Resource.Kind))
+ p.Path = filepath.Join("config", "crd", "patches",
+ fmt.Sprintf("cainjection_in_%s.yaml", plural))
+ }
+ p.TemplateBody = EnableCAInjectionPatchTemplate
+ return p.Input, nil
+}
+
+// Validate validates the values
+func (g *EnableCAInjectionPatch) Validate() error {
+ return g.Resource.Validate()
+}
+
+var EnableCAInjectionPatchTemplate = `# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+ name: {{ .Resource.Resource }}.{{ .Resource.Group }}.{{ .Domain }}
+`
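Review bot: `EnableCAInjectionPatch` uses receiver `p` in `GetInput` and `g` in `Validate`; pick one, e.g. `func (p *EnableCAInjectionPatch) Validate() error { return p.Resource.Validate() }`. The template is exported as `EnableCAInjectionPatchTemplate` with no doc comment, while the sibling in enablewebhook_patch.go is the unexported `enableWebhookPatchTemplate`; unless another package needs it, `enableCAInjectionPatchTemplate` keeps the two consistent. Both methods dereference `Resource` without a nil check, so a caller that forgets to set it panics instead of getting a validation error.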
diff --git a/pkg/scaffold/v2/crd/enablewebhook_patch.go b/pkg/scaffold/v2/crd/enablewebhook_patch.go index f2496c76ae3..9ced42190ec 100644 --- a/pkg/scaffold/v2/crd/enablewebhook_patch.go +++ b/pkg/scaffold/v2/crd/enablewebhook_patch.go @@ -52,13 +52,11 @@ func (g *EnableWebhookPatch) Validate() error { return g.Resource.Validate() } -// TODO(mengqiy): plural of the resources -var enableWebhookPatchTemplate = `# The following patch enables conversion webhook for CRDw +var enableWebhookPatchTemplate = `# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - annotations: - certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) name: {{ .Resource.Resource }}.{{ .Resource.Group }}.{{ .Domain }} spec: conversion: @@ -68,7 +66,7 @@ spec: # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) caBundle: Cg== service: - namespace: $(NAMESPACE) + namespace: system name: webhook-service - path: /convert-{{ lower .Resource.Kind }} + path: /convert ` diff --git a/pkg/scaffold/v2/crd/kustomization.go b/pkg/scaffold/v2/crd/kustomization.go index 4bdb7658ed9..1cd7da23bc7 100644 --- a/pkg/scaffold/v2/crd/kustomization.go +++ b/pkg/scaffold/v2/crd/kustomization.go @@ -29,8 +29,9 @@ import ( ) const ( - kustomizeResourceScaffoldMarker = "# +kubebuilder:scaffold:kustomizeresource" - kustomizePatchScaffoldMarker = "# +kubebuilder:scaffold:kustomizepatch" + kustomizeResourceScaffoldMarker = "# +kubebuilder:scaffold:crdkustomizeresource" + kustomizeWebhookPatchScaffoldMarker = "# +kubebuilder:scaffold:crdkustomizewebhookpatch" + kustomizeCAInjectionPatchScaffoldMarker = "# +kubebuilder:scaffold:crdkustomizecainjectionpatch" ) var _ input.File = &Kustomization{} 
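Review bot: With the `certmanager.k8s.io/inject-ca-from` annotation moved out of `enableWebhookPatchTemplate`, a user who uncomments only `patches/webhook_in_<plural>.yaml` applies a CRD whose `caBundle` is still the `Cg==` placeholder. The API server then has no CA with which to verify the conversion webhook's serving certificate, so conversion calls should fail until the CA-injection patch is enabled or a real bundle is patched in. The template comment above `caBundle` should say so, e.g. `# placeholder only: enable the matching cainjection_in_<plural>.yaml patch or replace this with your CA bundle`. The same text is regenerated into the testdata webhook_in_captains.yaml and webhook_in_firstmates.yaml.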
@@ -64,12 +65,14 @@ func (c *Kustomization) Update() error { plural := rs.Pluralize(strings.ToLower(c.Resource.Kind)) kustomizeResourceCodeFragment := fmt.Sprintf("- bases/%s.%s_%s.yaml\n", c.Resource.Group, c.Domain, plural) - kustomizePatchCodeFragment := fmt.Sprintf("#- patches/webhook_in_%s.yaml\n", plural) + kustomizeWebhookPatchCodeFragment := fmt.Sprintf("#- patches/webhook_in_%s.yaml\n", plural) + kustomizeCAInjectionPatchCodeFragment := fmt.Sprintf("#- patches/cainjection_in_%s.yaml\n", plural) return internal.InsertStringsInFile(c.Path, map[string][]string{ - kustomizeResourceScaffoldMarker: []string{kustomizeResourceCodeFragment}, - kustomizePatchScaffoldMarker: []string{kustomizePatchCodeFragment}, + kustomizeResourceScaffoldMarker: {kustomizeResourceCodeFragment}, + kustomizeWebhookPatchScaffoldMarker: {kustomizeWebhookPatchCodeFragment}, + kustomizeCAInjectionPatchScaffoldMarker: {kustomizeCAInjectionPatchCodeFragment}, }) } @@ -80,10 +83,13 @@ resources: %s patches: -# patches here are for enabling the conversion webhook for each CRD +# [WEBHOOK] patches here are for enabling the conversion webhook for each CRD +%s + +# [CAINJECTION] patches here are for enabling the CA injection for each CRD %s # the following config is for teaching kustomize how to do kustomization for CRDs. configurations: - kustomizeconfig.yaml -`, kustomizeResourceScaffoldMarker, kustomizePatchScaffoldMarker) +`, kustomizeResourceScaffoldMarker, kustomizeWebhookPatchScaffoldMarker, kustomizeCAInjectionPatchScaffoldMarker) diff --git a/pkg/scaffold/v2/crd/kustomizeconfig.go b/pkg/scaffold/v2/crd/kustomizeconfig.go index 4fe021e82bb..1ea5a3ddd27 100644 --- a/pkg/scaffold/v2/crd/kustomizeconfig.go +++ b/pkg/scaffold/v2/crd/kustomizeconfig.go 
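Review bot: `Update` now looks for the renamed markers `# +kubebuilder:scaffold:crdkustomizeresource`, `# +kubebuilder:scaffold:crdkustomizewebhookpatch` and `# +kubebuilder:scaffold:crdkustomizecainjectionpatch`, but a project scaffolded before this commit still carries `# +kubebuilder:scaffold:kustomizeresource` and `# +kubebuilder:scaffold:kustomizepatch` in config/crd/kustomization.yaml. What `internal.InsertStringsInFile` does when a marker is missing is not visible here; if it skips silently, new APIs would no longer be added to an existing kustomization. Either keep matching the old markers as a fallback or return an error that names the missing marker. The const block is in the preceding hunk of this file, and `Update` starts outside this hunk.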
@@ -48,9 +48,12 @@ nameReference: group: apiextensions.k8s.io path: spec/conversion/webhookClientConfig/service/name -varReference: -- path: metadata/annotations +namespace: - kind: CustomResourceDefinition group: apiextensions.k8s.io path: spec/conversion/webhookClientConfig/service/namespace + create: false + +varReference: +- path: metadata/annotations ` diff --git a/pkg/scaffold/v2/kustomize.go b/pkg/scaffold/v2/kustomize.go index 84f0604c547..a509a12669b 100644 --- a/pkg/scaffold/v2/kustomize.go +++ b/pkg/scaffold/v2/kustomize.go @@ -69,9 +69,9 @@ bases: - ../crd - ../rbac - ../manager -# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook. +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml #- ../webhook -# [CERTMANAGER] Uncomment next line to enable cert-manager +# [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required. #- ../certmanager patches: @@ -87,10 +87,11 @@ patches: # manager_prometheus_metrics_patch.yaml should be enabled. #- manager_prometheus_metrics_patch.yaml -# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook. +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml #- manager_webhook_patch.yaml -# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks. [CERTMANAGER] needs to be -# enabled to use ca injection +# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks. +# Uncomment 'CAINJECTION' in crd/kustomization.yaml to enable the CA injection in the admission webhooks. +# 'CERTMANAGER' needs to be enabled to use ca injection #- webhookcainjection_patch.yaml ` diff --git a/pkg/scaffold/v2/main.go b/pkg/scaffold/v2/main.go index ab623523a7b..2ea0e9a70bf 100644 --- a/pkg/scaffold/v2/main.go +++ b/pkg/scaffold/v2/main.go 
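Review bot: In the `[CAINJECTION]` comment of the second pkg/scaffold/v2/kustomize.go hunk, the added line ends with the same "to enable the CA injection in the admission webhooks" as the line before it, although the `[CAINJECTION]` patches in crd/kustomization.yaml annotate CRDs rather than admission webhook configurations. Suggested wording: `# Uncomment the 'CAINJECTION' section in crd/kustomization.yaml to enable CA injection for the CRD conversion webhooks.` The continuation lines also drop the bracketed form, so a search for `[CERTMANAGER]` no longer finds this dependency; `# [CERTMANAGER] needs to be enabled to use CA injection` keeps it searchable. The same text is copied into testdata/project-v2/config/default/kustomization.yaml.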
@@ -138,6 +138,10 @@ func init() { %s } +// Persmissions to do leader election. +// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch + func main() { var metricsAddr string flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.") @@ -145,14 +149,16 @@ func main() { ctrl.SetLogger(zap.Logger(true)) - // Persmissions to do leader election. - // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete - // +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch + leaderElectionNamespace := "default" + if len(os.Getenv("POD_NAMESPACE")) != 0 { + leaderElectionNamespace = os.Getenv("POD_NAMESPACE") + } + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, MetricsBindAddress: metricsAddr, LeaderElection: true, - LeaderElectionNamespace: "default", + LeaderElectionNamespace: leaderElectionNamespace, }) if err != nil { setupLog.Error(err, "unable to start manager") diff --git a/pkg/scaffold/v2/manager/config.go b/pkg/scaffold/v2/manager/config.go index 2e8937c7afa..226f080af66 100644 --- a/pkg/scaffold/v2/manager/config.go +++ b/pkg/scaffold/v2/manager/config.go @@ -76,7 +76,7 @@ spec: matchLabels: control-plane: controller-manager controller-tools.k8s.io: "1.0" - replicas: 1 + replicas: 2 template: metadata: labels: @@ -86,6 +86,11 @@ spec: containers: - command: - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace image: {{ .Image }} imagePullPolicy: Always name: manager diff --git a/pkg/scaffold/v2/webhook/enablecainection_patch.go b/pkg/scaffold/v2/webhook/enablecainection_patch.go index 8026c07d2f5..108155e263c 100644 --- a/pkg/scaffold/v2/webhook/enablecainection_patch.go +++ b/pkg/scaffold/v2/webhook/enablecainection_patch.go 
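Review bot: The leader-election markers moved above `main` grant `get;list;watch;create;update;patch;delete` on every `configmaps` object in the core group, and the regenerated testdata/project-v2/config/rbac/role.yaml appends them to the manager's main rule list. If that role is a ClusterRole (its kind is outside the hunk), the manager can rewrite or delete any ConfigMap in the cluster, where leader election needs one lock object in one namespace. A hand-written namespaced Role and RoleBinding under config/rbac for the lock would keep this to least privilege. The `configmaps/status` marker can go, since ConfigMap has no status subresource, and `Persmissions` should read `Permissions`.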
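Review bot: The `POD_NAMESPACE` lookup in `main` silently falls back to `"default"`, so a manager started without the variable (for example outside the cluster) takes its lock in a different namespace from the deployed replicas, and both can believe they are leader. Read the variable once and log the namespace that was chosen: `if ns := os.Getenv("POD_NAMESPACE"); ns != "" { leaderElectionNamespace = ns }` followed by `setupLog.Info("leader election", "namespace", leaderElectionNamespace)`. `main` continues beyond this hunk, and the same code is copied to testdata/project-v2/main.go.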
@@ -46,12 +46,12 @@ kind: MutatingWebhookConfiguration metadata: name: mutating-webhook-configuration annotations: - certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME) + certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: name: validating-webhook-configuration annotations: - certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME) + certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) ` diff --git a/pkg/scaffold/v2/webhook/kustomization.go b/pkg/scaffold/v2/webhook/kustomization.go index c181c69575e..51ca6b599e1 100644 --- a/pkg/scaffold/v2/webhook/kustomization.go +++ b/pkg/scaffold/v2/webhook/kustomization.go @@ -45,19 +45,4 @@ var KustomizeWebhookTemplate = `resources: configurations: - kustomizeconfig.yaml - -# the following config is for teaching kustomize how to do var substitution -vars: -- name: NAMESPACE - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace -- name: SERVICENAME - objref: - kind: Service - version: v1 - name: webhook-service ` diff --git a/testdata/project-v2/config/certmanager/kustomization.yaml b/testdata/project-v2/config/certmanager/kustomization.yaml index 50236e80a29..8181bc3a270 100644 --- a/testdata/project-v2/config/certmanager/kustomization.yaml +++ b/testdata/project-v2/config/certmanager/kustomization.yaml 
@@ -3,20 +3,24 @@ resources: # the following config is for teaching kustomize how to do var substitution vars: +- name: NAMESPACE # namespace of the service and the certificate CR + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace - name: CERTIFICATENAME objref: kind: Certificate group: certmanager.k8s.io version: v1alpha1 name: serving-cert # this name should match the one in certificate.yaml -- name: CERTIFICATENAMESPACE +- name: SERVICENAME objref: - kind: Certificate - group: certmanager.k8s.io - version: v1alpha1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace + kind: Service + version: v1 + name: webhook-service configurations: - kustomizeconfig.yaml diff --git a/testdata/project-v2/config/crd/kustomization.yaml b/testdata/project-v2/config/crd/kustomization.yaml index 255470c5ca1..5904ad735e5 100644 --- a/testdata/project-v2/config/crd/kustomization.yaml +++ b/testdata/project-v2/config/crd/kustomization.yaml @@ -4,13 +4,18 @@ resources: - bases/crew.testproject.org_captains.yaml - bases/crew.testproject.org_firstmates.yaml -# +kubebuilder:scaffold:kustomizeresource +# +kubebuilder:scaffold:crdkustomizeresource patches: -# patches here are for enabling the conversion webhook for each CRD +# [WEBHOOK] patches here are for enabling the conversion webhook for each CRD #- patches/webhook_in_captains.yaml #- patches/webhook_in_firstmates.yaml -# +kubebuilder:scaffold:kustomizepatch +# +kubebuilder:scaffold:crdkustomizewebhookpatch + +# [CAINJECTION] patches here are for enabling the CA injection for each CRD +#- patches/cainjection_in_captains.yaml +#- patches/cainjection_in_firstmates.yaml +# +kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. configurations: 
diff --git a/testdata/project-v2/config/crd/kustomizeconfig.yaml b/testdata/project-v2/config/crd/kustomizeconfig.yaml index 373f8cfac9d..6f83d9a94bc 100644 --- a/testdata/project-v2/config/crd/kustomizeconfig.yaml +++ b/testdata/project-v2/config/crd/kustomizeconfig.yaml @@ -7,8 +7,11 @@ nameReference: group: apiextensions.k8s.io path: spec/conversion/webhookClientConfig/service/name -varReference: -- path: metadata/annotations +namespace: - kind: CustomResourceDefinition group: apiextensions.k8s.io path: spec/conversion/webhookClientConfig/service/namespace + create: false + +varReference: +- path: metadata/annotations diff --git a/testdata/project-v2/config/crd/patches/cainjection_in_captains.yaml b/testdata/project-v2/config/crd/patches/cainjection_in_captains.yaml new file mode 100644 index 00000000000..5fc7f2a25dd --- /dev/null +++ b/testdata/project-v2/config/crd/patches/cainjection_in_captains.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) + name: captains.crew.testproject.org diff --git a/testdata/project-v2/config/crd/patches/cainjection_in_firstmates.yaml b/testdata/project-v2/config/crd/patches/cainjection_in_firstmates.yaml new file mode 100644 index 00000000000..c5e60b9fe1c --- /dev/null +++ b/testdata/project-v2/config/crd/patches/cainjection_in_firstmates.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) + name: firstmates.crew.testproject.org 
diff --git a/testdata/project-v2/config/crd/patches/webhook_in_captains.yaml b/testdata/project-v2/config/crd/patches/webhook_in_captains.yaml index cb3929b59b5..c515517131e 100644 --- a/testdata/project-v2/config/crd/patches/webhook_in_captains.yaml +++ b/testdata/project-v2/config/crd/patches/webhook_in_captains.yaml @@ -1,9 +1,8 @@ -# The following patch enables conversion webhook for CRDw +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - annotations: - certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) name: captains.crew.testproject.org spec: conversion: @@ -13,6 +12,6 @@ spec: # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) caBundle: Cg== service: - namespace: $(NAMESPACE) + namespace: system name: webhook-service - path: /convert-captain + path: /convert diff --git a/testdata/project-v2/config/crd/patches/webhook_in_firstmates.yaml b/testdata/project-v2/config/crd/patches/webhook_in_firstmates.yaml index d492d511ed5..05c23fd1e8b 100644 --- a/testdata/project-v2/config/crd/patches/webhook_in_firstmates.yaml +++ b/testdata/project-v2/config/crd/patches/webhook_in_firstmates.yaml @@ -1,9 +1,8 @@ -# The following patch enables conversion webhook for CRDw +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - annotations: - certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) name: firstmates.crew.testproject.org spec: conversion: @@ -13,6 +12,6 @@ spec: # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) caBundle: Cg== service: - namespace: $(NAMESPACE) + namespace: system name: webhook-service - path: /convert-firstmate + path: /convert 
diff --git a/testdata/project-v2/config/default/kustomization.yaml b/testdata/project-v2/config/default/kustomization.yaml index ea8d5aeb32d..4c3d15f3ca3 100644 --- a/testdata/project-v2/config/default/kustomization.yaml +++ b/testdata/project-v2/config/default/kustomization.yaml @@ -16,9 +16,9 @@ bases: - ../crd - ../rbac - ../manager -# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook. +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml #- ../webhook -# [CERTMANAGER] Uncomment next line to enable cert-manager +# [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required. #- ../certmanager patches: @@ -34,9 +34,10 @@ patches: # manager_prometheus_metrics_patch.yaml should be enabled. #- manager_prometheus_metrics_patch.yaml -# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook. +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml #- manager_webhook_patch.yaml -# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks. [CERTMANAGER] needs to be -# enabled to use ca injection +# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks. +# Uncomment 'CAINJECTION' in crd/kustomization.yaml to enable the CA injection in the admission webhooks. +# 'CERTMANAGER' needs to be enabled to use ca injection #- webhookcainjection_patch.yaml diff --git a/testdata/project-v2/config/default/webhookcainjection_patch.yaml b/testdata/project-v2/config/default/webhookcainjection_patch.yaml index c2d2a3cdf88..f6d71cb768f 100644 --- a/testdata/project-v2/config/default/webhookcainjection_patch.yaml +++ b/testdata/project-v2/config/default/webhookcainjection_patch.yaml 
@@ -5,11 +5,11 @@ kind: MutatingWebhookConfiguration metadata: name: mutating-webhook-configuration annotations: - certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME) + certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: name: validating-webhook-configuration annotations: - certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME) + certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) diff --git a/testdata/project-v2/config/manager/manager.yaml b/testdata/project-v2/config/manager/manager.yaml index acc1d6af175..10dc706f71b 100644 --- a/testdata/project-v2/config/manager/manager.yaml +++ b/testdata/project-v2/config/manager/manager.yaml @@ -34,7 +34,7 @@ spec: matchLabels: control-plane: controller-manager controller-tools.k8s.io: "1.0" - replicas: 1 + replicas: 2 template: metadata: labels: @@ -44,6 +44,11 @@ spec: containers: - command: - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace image: controller:latest imagePullPolicy: Always name: manager diff --git a/testdata/project-v2/config/rbac/role.yaml b/testdata/project-v2/config/rbac/role.yaml index 67802a8cd01..42731f3109a 100644 --- a/testdata/project-v2/config/rbac/role.yaml +++ b/testdata/project-v2/config/rbac/role.yaml @@ -66,3 +66,23 @@ rules: - get - update - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch diff --git a/testdata/project-v2/config/webhook/kustomization.yaml b/testdata/project-v2/config/webhook/kustomization.yaml index 9e2bcac2e5a..9cf26134e4d 100644 --- a/testdata/project-v2/config/webhook/kustomization.yaml +++ b/testdata/project-v2/config/webhook/kustomization.yaml 
@@ -4,18 +4,3 @@ resources: configurations: - kustomizeconfig.yaml - -# the following config is for teaching kustomize how to do var substitution -vars: -- name: NAMESPACE - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace -- name: SERVICENAME - objref: - kind: Service - version: v1 - name: webhook-service diff --git a/testdata/project-v2/main.go b/testdata/project-v2/main.go index c8337782120..092f47251bf 100644 --- a/testdata/project-v2/main.go +++ b/testdata/project-v2/main.go @@ -42,6 +42,10 @@ func init() { // +kubebuilder:scaffold:scheme } +// Persmissions to do leader election. +// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch + func main() { var metricsAddr string flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.") @@ -49,14 +53,16 @@ func main() { ctrl.SetLogger(zap.Logger(true)) - // Persmissions to do leader election. - // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete - // +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch + leaderElectionNamespace := "default" + if len(os.Getenv("POD_NAMESPACE")) != 0 { + leaderElectionNamespace = os.Getenv("POD_NAMESPACE") + } + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, MetricsBindAddress: metricsAddr, LeaderElection: true, - LeaderElectionNamespace: "default", + LeaderElectionNamespace: leaderElectionNamespace, }) if err != nil { setupLog.Error(err, "unable to start manager")