From 02c0ed10c01c3ed971b0a6d3cb888b22277a14ee Mon Sep 17 00:00:00 2001 
From: Periklis Tsirakidis
Date: Wed, 24 Feb 2021 17:00:37 +0100
Subject: [PATCH] Fix operator ports for metrics endpoint

This PR is a cherry-pick of openshift/elasticsearch-operator#652 to ensure porting fix forward for https://bugzilla.redhat.com/show_bug.cgi?id=1924657.

---
 Makefile | 9 ++++-
 ...nitoring.coreos.com_v1_servicemonitor.yaml | 11 ++++--
 ...icsearch-operator-metrics_v1_service.yaml} | 12 +++----
 ...search-operator.clusterserviceversion.yaml | 26 ++++++++++++--
 ...horization.k8s.io_v1beta1_clusterrole.yaml | 12 +++++++
 ...eus_rbac.authorization.k8s.io_v1_role.yaml | 21 +++++++++++
 ...c.authorization.k8s.io_v1_rolebinding.yaml | 18 ++++++++++
 ...c.authorization.k8s.io_v1_clusterrole.yaml | 20 +++++++++++
 ...rization.k8s.io_v1_clusterrolebinding.yaml | 15 ++++++++
 config/default/kustomization.yaml | 2 +-
 config/default/manager_auth_proxy_patch.yaml | 32 +++++++++++++++++
 config/manager/manager.yaml | 4 +--
 config/prometheus/kustomization.yaml | 1 -
 config/prometheus/monitor.yaml | 15 +++++---
 config/prometheus/service.yaml | 15 --------
 config/rbac/auth_proxy_service.yaml | 9 ++---
 config/rbac/kustomization.yaml | 13 ++++---
 config/rbac/prometheus_role.yaml | 18 ++++++++++
 config/rbac/prometheus_role_binding.yaml | 16 +++++++++
 ...nitoring.coreos.com_v1_servicemonitor.yaml | 11 ++++--
 ...icsearch-operator-metrics_v1_service.yaml} | 12 +++----
 ...operator.v5.1.0.clusterserviceversion.yaml | 26 ++++++++++++--
 ...ole_rbac.authorization.k8s.io_v1_role.yaml | 35 +++++++++++++++++++
 ...c.authorization.k8s.io_v1_rolebinding.yaml | 15 ++++++++
 ...horization.k8s.io_v1beta1_clusterrole.yaml | 12 +++++++
 ...eus_rbac.authorization.k8s.io_v1_role.yaml | 21 +++++++++++
 ...c.authorization.k8s.io_v1_rolebinding.yaml | 18 ++++++++++
 ...c.authorization.k8s.io_v1_clusterrole.yaml | 20 +++++++++++
 ...rization.k8s.io_v1_clusterrolebinding.yaml | 15 ++++++++
 29 files changed, 396 insertions(+), 58 deletions(-)
 rename bundle/manifests/{elasticsearch-operator-metrics-service_v1_service.yaml => elasticsearch-operator-metrics_v1_service.yaml} (50%)
 create mode 100644 bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml
 create mode 100644 bundle/manifests/prometheus_rbac.authorization.k8s.io_v1_role.yaml
 create mode 100644 bundle/manifests/prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml
 create mode 100644 bundle/manifests/proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
 create mode 100644 bundle/manifests/proxy-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
 create mode 100644 config/default/manager_auth_proxy_patch.yaml
 delete mode 100644 config/prometheus/service.yaml
 create mode 100644 config/rbac/prometheus_role.yaml
 create mode 100644 config/rbac/prometheus_role_binding.yaml
 rename manifests/5.1/{elasticsearch-operator-metrics-service_v1_service.yaml => elasticsearch-operator-metrics_v1_service.yaml} (50%)
 create mode 100644 manifests/5.1/leader-election-role_rbac.authorization.k8s.io_v1_role.yaml
 create mode 100644 manifests/5.1/leader-election-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml
 create mode 100644 manifests/5.1/metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml
 create mode 100644 manifests/5.1/prometheus_rbac.authorization.k8s.io_v1_role.yaml
 create mode 100644 manifests/5.1/prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml
 create mode 100644 manifests/5.1/proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
 create mode 100644 manifests/5.1/proxy-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
diff --git a/Makefile b/Makefile
index e1ac5be4e..90edfcd12 100644
--- a/Makefile
+++ b/Makefile
@@ -175,7 +175,14 @@ bundle: regenerate $(KUSTOMIZE)
 cp bundle/manifests/logging.openshift.io_elasticsearches.yaml manifests/${LOGGING_VERSION}/logging.openshift.io_elasticsearches_crd.yaml
 cp bundle/manifests/logging.openshift.io_kibanas.yaml manifests/${LOGGING_VERSION}/logging.openshift.io_kibanas_crd.yaml
 cp bundle/manifests/elasticsearch-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml manifests/${LOGGING_VERSION}/
- cp bundle/manifests/elasticsearch-operator-metrics-service_v1_service.yaml manifests/${LOGGING_VERSION}/
+ cp bundle/manifests/elasticsearch-operator-metrics_v1_service.yaml manifests/${LOGGING_VERSION}/
+ cp bundle/manifests/leader-election-role_rbac.authorization.k8s.io_v1_role.yaml manifests/${LOGGING_VERSION}/
+ cp bundle/manifests/leader-election-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml manifests/${LOGGING_VERSION}/
+ cp bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml manifests/${LOGGING_VERSION}/
+ cp bundle/manifests/proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml manifests/${LOGGING_VERSION}/
+ cp bundle/manifests/proxy-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml manifests/${LOGGING_VERSION}/
+ cp bundle/manifests/prometheus_rbac.authorization.k8s.io_v1_role.yaml manifests/${LOGGING_VERSION}/
+ cp bundle/manifests/prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml manifests/${LOGGING_VERSION}/
 .PHONY: bundle

 test-e2e-upgrade:
diff --git a/bundle/manifests/elasticsearch-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml b/bundle/manifests/elasticsearch-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
index fccf2dfd0..bf0d59e92 100644
--- a/bundle/manifests/elasticsearch-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
+++ b/bundle/manifests/elasticsearch-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
@@ -6,10 +6,15 @@ metadata:
 name: elasticsearch-operator-metrics-monitor
 spec:
 endpoints:
- - interval: 1s
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
 path: /metrics
- port: http
- scheme: http
+ scheme: https
+ scrapeTimeout: 10s
+ targetPort: 8443
+ tlsConfig:
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ serverName: elasticsearch-operator-metrics.openshift-operators-redhat.svc
 selector:
 matchLabels:
 name: elasticsearch-operator
diff --git a/bundle/manifests/elasticsearch-operator-metrics-service_v1_service.yaml b/bundle/manifests/elasticsearch-operator-metrics_v1_service.yaml
similarity index 50%
rename from bundle/manifests/elasticsearch-operator-metrics-service_v1_service.yaml
rename to bundle/manifests/elasticsearch-operator-metrics_v1_service.yaml
index 013b80c5a..11d0bb149 100644
--- a/bundle/manifests/elasticsearch-operator-metrics-service_v1_service.yaml
+++ b/bundle/manifests/elasticsearch-operator-metrics_v1_service.yaml
@@ -1,18 +1,18 @@
 apiVersion: v1
 kind: Service
 metadata:
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: elasticsearch-operator-metrics
 creationTimestamp: null
 labels:
 name: elasticsearch-operator
- name: elasticsearch-operator-metrics-service
+ name: elasticsearch-operator-metrics
 spec:
 ports:
- - name: http
- port: 8080
- protocol: TCP
- targetPort: 8080
+ - name: https
+ port: 8443
+ targetPort: https
 selector:
 name: elasticsearch-operator
- type: ClusterIP
 status:
 loadBalancer: {}
diff --git a/bundle/manifests/elasticsearch-operator.clusterserviceversion.yaml b/bundle/manifests/elasticsearch-operator.clusterserviceversion.yaml
index 4adfdf685..4d24d6938 100644
--- a/bundle/manifests/elasticsearch-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/elasticsearch-operator.clusterserviceversion.yaml
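Review bot: `serverName: elasticsearch-operator-metrics.openshift-operators-redhat.svc` in the added `tlsConfig` pins certificate verification to one namespace, so a bundle installed anywhere else fails the scrape with a hostname mismatch; the same line is in config/prometheus/monitor.yaml and in the manifests/5.1 copy. The service-ca serving cert is issued for `<service>.<namespace>.svc`, so either substitute the install namespace when the bundle is generated or state in the bundle that it only works in openshift-operators-redhat — the tempting shortcut of `insecureSkipVerify: true` would throw away the server authentication this commit adds. Selecting the endpoint by `targetPort: 8443` rather than by the Service's named port (`port: https`, defined in the next hunk) also means a later change to the container port breaks discovery without any diff to this file.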
@@ -413,6 +413,22 @@ spec:
 name: elasticsearch-operator
 spec:
 containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --tls-cert-file=/var/run/secrets/serving-cert/tls.crt
+ - --tls-private-key-file=/var/run/secrets/serving-cert/tls.key
+ - --v=2
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/serving-cert
+ name: elasticsearch-operator-metrics-cert
 - command:
 - elasticsearch-operator
 env:
@@ -438,8 +454,8 @@ spec:
 imagePullPolicy: IfNotPresent
 name: elasticsearch-operator
 ports:
- - containerPort: 60000
- name: metrics
+ - containerPort: 8080
+ name: http
 resources:
 limits:
 cpu: 200m
@@ -450,6 +466,12 @@ spec:
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: elasticsearch-operator
+ volumes:
+ - name: elasticsearch-operator-metrics-cert
+ secret:
+ defaultMode: 420
+ optional: true
+ secretName: elasticsearch-operator-metrics
 strategy: deployment
 installModes:
 - supported: true
diff --git a/bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml b/bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml
new file mode 100644
index 000000000..acca82df2
--- /dev/null
+++ b/bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
diff --git a/bundle/manifests/prometheus_rbac.authorization.k8s.io_v1_role.yaml b/bundle/manifests/prometheus_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 000000000..be83451e2
--- /dev/null
+++ b/bundle/manifests/prometheus_rbac.authorization.k8s.io_v1_role.yaml
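Review bot: `image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0` pulls the sidecar from an upstream registry by mutable tag, which in a product bundle sidesteps the image signing, mirroring for disconnected installs and CVE tracking that the operator image itself goes through; the same reference is in config/default/manager_auth_proxy_patch.yaml and the manifests/5.1 CSV. Use a registry the bundle already trusts, pin by digest, and add it to whatever image list the CSV uses for mirroring — that list is outside this hunk, so I cannot tell whether it is there. Separately, `--upstream=http://127.0.0.1:8080/` only guards the path through the Service: the operator container still publishes `containerPort: 8080` (second hunk, and config/manager/manager.yaml) and this commit does not touch the operator's own listener, so anything that can reach the pod IP reads /metrics without passing the proxy unless the operator binds its metrics listener to `127.0.0.1:8080`. Worth confirming in the operator's flag handling, which this patch does not show.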
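Review bot: `optional: true` on the `elasticsearch-operator-metrics` secret volume lets the pod start before service-ca has written the serving cert, so kube-rbac-proxy is launched with `--tls-cert-file` pointing at an empty mount. Whether v0.5.0 then exits (and restarts until the secret exists) or comes up with some fallback certificate should be verified before relying on this; a crash-looping sidecar is the safer of the two outcomes, and `optional: false` makes the dependency on service-ca explicit in the manifest. The same volume definition is in manifests/5.1 and config/default/manager_auth_proxy_patch.yaml.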
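Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` is the deprecated RBAC version while every other RBAC object in this commit uses `rbac.authorization.k8s.io/v1`; v1beta1 is slated for removal in Kubernetes 1.22, so this one manifest will stop applying on a future cluster. Change it to `apiVersion: rbac.authorization.k8s.io/v1`, here and in the manifests/5.1 copy. Nothing in this commit binds `metrics-reader` to a subject: if it is meant to let `prometheus-k8s` pass the proxy's SubjectAccessReview on `/metrics`, it needs a ClusterRoleBinding, otherwise it is an unused grant definition that still has to be maintained.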
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: prometheus
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/bundle/manifests/prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml b/bundle/manifests/prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml
new file mode 100644
index 000000000..a2b9b06bc
--- /dev/null
+++ b/bundle/manifests/prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: prometheus
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: prometheus
+subjects:
+- kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: openshift-monitoring
diff --git a/bundle/manifests/proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 000000000..9feb96aa7
--- /dev/null
+++ b/bundle/manifests/proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/bundle/manifests/proxy-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml b/bundle/manifests/proxy-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
new file mode 100644
index 000000000..3ccda5b15
--- /dev/null
+++ b/bundle/manifests/proxy-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: proxy-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: openshift-operators-redhat
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index c62bc79c0..2c14d8a76 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -16,10 +16,10 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
-# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 - ../prometheus

 patchesStrategicMerge:
+- manager_auth_proxy_patch.yaml

 # the following config is for teaching kustomize how to do var substitution
 vars:
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
new file mode 100644
index 000000000..c162722f1
--- /dev/null
+++ b/config/default/manager_auth_proxy_patch.yaml
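Review bot: The binding's subject is the `default` ServiceAccount in `openshift-operators-redhat`, but the Deployment in the CSV runs under `serviceAccountName: elasticsearch-operator`, so the sidecar that actually issues the TokenReview and SubjectAccessReview calls gains nothing from this binding unless the operator's own ClusterRole already carries those verbs — and every other pod in the namespace that omits a serviceAccountName silently does gain them. Point the subject at the SA the pod uses, `name: elasticsearch-operator`, and confirm the proxy can authenticate a scrape after the change. The same `default` subject appears in the manifests/5.1 proxy-rolebinding and in the new manifests/5.1 leader-election-rolebinding.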
@@ -0,0 +1,32 @@
+# This patch inject a sidecar container which is a HTTP proxy for the
+# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: elasticsearch-operator
+ labels:
+spec:
+ template:
+ spec:
+ containers:
+ - name: kube-rbac-proxy
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+ args:
+ - "--secure-listen-address=0.0.0.0:8443"
+ - "--upstream=http://127.0.0.1:8080/"
+ - "--logtostderr=true"
+ - "--tls-cert-file=/var/run/secrets/serving-cert/tls.crt"
+ - "--tls-private-key-file=/var/run/secrets/serving-cert/tls.key"
+ - "--v=2"
+ ports:
+ - containerPort: 8443
+ name: https
+ volumeMounts:
+ - mountPath: /var/run/secrets/serving-cert
+ name: elasticsearch-operator-metrics-cert
+ volumes:
+ - name: elasticsearch-operator-metrics-cert
+ secret:
+ defaultMode: 420
+ optional: true
+ secretName: elasticsearch-operator-metrics
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index f195eb9fb..637480659 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -18,8 +18,8 @@ spec:
 - command:
 - elasticsearch-operator
 ports:
- - containerPort: 60000
- name: metrics
+ - containerPort: 8080
+ name: http
 image: quay.io/openshift/origin-elasticsearch-operator:latest
 name: elasticsearch-operator
 imagePullPolicy: IfNotPresent
diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml
index 07ebb652a..ed137168a 100644
--- a/config/prometheus/kustomization.yaml
+++ b/config/prometheus/kustomization.yaml
@@ -1,3 +1,2 @@
 resources:
 - monitor.yaml
-- service.yaml
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
index 4ba9cc6b3..d76c395d3 100644
--- a/config/prometheus/monitor.yaml
+++ b/config/prometheus/monitor.yaml
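Review bot: `labels:` under `metadata` has no value, which YAML reads as null, and in a strategic-merge patch a null field is a delete directive, so this patch may strip the Deployment's `metadata.labels` instead of leaving them untouched. Either drop the empty key or give it the labels you intend, and check the Deployment in the `kustomize build config/default` output either way. The header comment also reads `This patch inject` — `injects`.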
@@ -8,10 +8,15 @@ metadata:
 name: elasticsearch-operator-metrics-monitor
 spec:
 endpoints:
- - path: /metrics
- port: http
- scheme: http
- interval: 1s
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ path: /metrics
+ targetPort: 8443
+ scheme: https
+ interval: 30s
+ scrapeTimeout: 10s
+ tlsConfig:
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ serverName: elasticsearch-operator-metrics.openshift-operators-redhat.svc
 selector:
 matchLabels:
- name: elasticsearch-operator
\ No newline at end of file
+ name: elasticsearch-operator
diff --git a/config/prometheus/service.yaml b/config/prometheus/service.yaml
deleted file mode 100644
index 6105ca25d..000000000
--- a/config/prometheus/service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- name: elasticsearch-operator
- name: elasticsearch-operator-metrics-service
-spec:
- ports:
- - name: http
- port: 8080
- targetPort: 8080
- protocol: TCP
- selector:
- name: elasticsearch-operator
- type: ClusterIP
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
index 6cf656be1..5409d6ffc 100644
--- a/config/rbac/auth_proxy_service.yaml
+++ b/config/rbac/auth_proxy_service.yaml
@@ -1,14 +1,15 @@
 apiVersion: v1
 kind: Service
 metadata:
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: elasticsearch-operator-metrics
 labels:
- control-plane: controller-manager
- name: controller-manager-metrics-service
- namespace: system
+ name: elasticsearch-operator
+ name: elasticsearch-operator-metrics
 spec:
 ports:
 - name: https
 port: 8443
 targetPort: https
 selector:
- control-plane: controller-manager
+ name: elasticsearch-operator
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index dbcbe1bab..b48c43c16 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -3,10 +3,9 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-#- auth_proxy_service.yaml
-#- auth_proxy_role.yaml
-#- auth_proxy_role_binding.yaml
-#- auth_proxy_client_clusterrole.yaml
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
+- prometheus_role.yaml
+- prometheus_role_binding.yaml
diff --git a/config/rbac/prometheus_role.yaml b/config/rbac/prometheus_role.yaml
new file mode 100644
index 000000000..c99de1f9f
--- /dev/null
+++ b/config/rbac/prometheus_role.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ name: prometheus
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/rbac/prometheus_role_binding.yaml b/config/rbac/prometheus_role_binding.yaml
new file mode 100644
index 000000000..e12439c22
--- /dev/null
+++ b/config/rbac/prometheus_role_binding.yaml
@@ -0,0 +1,16 @@
+# Grant cluster-monitoring access to openshift-operators-redhat metrics
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: prometheus
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: prometheus
+subjects:
+- kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: openshift-monitoring
diff --git a/manifests/5.1/elasticsearch-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml b/manifests/5.1/elasticsearch-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
index fccf2dfd0..bf0d59e92 100644
--- a/manifests/5.1/elasticsearch-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
+++ b/manifests/5.1/elasticsearch-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
@@ -6,10 +6,15 @@ metadata:
 name: elasticsearch-operator-metrics-monitor
 spec:
 endpoints:
- - interval: 1s
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
 path: /metrics
- port: http
- scheme: http
+ scheme: https
+ scrapeTimeout: 10s
+ targetPort: 8443
+ tlsConfig:
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ serverName: elasticsearch-operator-metrics.openshift-operators-redhat.svc
 selector:
 matchLabels:
 name: elasticsearch-operator
diff --git a/manifests/5.1/elasticsearch-operator-metrics-service_v1_service.yaml b/manifests/5.1/elasticsearch-operator-metrics_v1_service.yaml
similarity index 50%
rename from manifests/5.1/elasticsearch-operator-metrics-service_v1_service.yaml
rename to manifests/5.1/elasticsearch-operator-metrics_v1_service.yaml
index 013b80c5a..11d0bb149 100644
--- a/manifests/5.1/elasticsearch-operator-metrics-service_v1_service.yaml
+++ b/manifests/5.1/elasticsearch-operator-metrics_v1_service.yaml
@@ -1,18 +1,18 @@
 apiVersion: v1
 kind: Service
 metadata:
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: elasticsearch-operator-metrics
 creationTimestamp: null
 labels:
 name: elasticsearch-operator
- name: elasticsearch-operator-metrics-service
+ name: elasticsearch-operator-metrics
 spec:
 ports:
- - name: http
- port: 8080
- protocol: TCP
- targetPort: 8080
+ - name: https
+ port: 8443
+ targetPort: https
 selector:
 name: elasticsearch-operator
- type: ClusterIP
 status:
 loadBalancer: {}
diff --git a/manifests/5.1/elasticsearch-operator.v5.1.0.clusterserviceversion.yaml b/manifests/5.1/elasticsearch-operator.v5.1.0.clusterserviceversion.yaml
index 4adfdf685..4d24d6938 100644
--- a/manifests/5.1/elasticsearch-operator.v5.1.0.clusterserviceversion.yaml
+++ b/manifests/5.1/elasticsearch-operator.v5.1.0.clusterserviceversion.yaml
@@ -413,6 +413,22 @@ spec:
 name: elasticsearch-operator
 spec:
 containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --tls-cert-file=/var/run/secrets/serving-cert/tls.crt
+ - --tls-private-key-file=/var/run/secrets/serving-cert/tls.key
+ - --v=2
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ resources: {}
+ volumeMounts:
+ - mountPath: /var/run/secrets/serving-cert
+ name: elasticsearch-operator-metrics-cert
 - command:
 - elasticsearch-operator
 env:
@@ -438,8 +454,8 @@ spec:
 imagePullPolicy: IfNotPresent
 name: elasticsearch-operator
 ports:
- - containerPort: 60000
- name: metrics
+ - containerPort: 8080
+ name: http
 resources:
 limits:
 cpu: 200m
@@ -450,6 +466,12 @@ spec:
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: elasticsearch-operator
+ volumes:
+ - name: elasticsearch-operator-metrics-cert
+ secret:
+ defaultMode: 420
+ optional: true
+ secretName: elasticsearch-operator-metrics
 strategy: deployment
 installModes:
 - supported: true
diff --git a/manifests/5.1/leader-election-role_rbac.authorization.k8s.io_v1_role.yaml b/manifests/5.1/leader-election-role_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 000000000..76bc8f40b
--- /dev/null
+++ b/manifests/5.1/leader-election-role_rbac.authorization.k8s.io_v1_role.yaml
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/manifests/5.1/leader-election-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml b/manifests/5.1/leader-election-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml
new file mode 100644
index 000000000..87196cb79
--- /dev/null
+++ b/manifests/5.1/leader-election-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: openshift-operators-redhat
diff --git a/manifests/5.1/metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml b/manifests/5.1/metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml
new file mode 100644
index 000000000..acca82df2
--- /dev/null
+++ b/manifests/5.1/metrics-reader_rbac.authorization.k8s.io_v1beta1_clusterrole.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
diff --git a/manifests/5.1/prometheus_rbac.authorization.k8s.io_v1_role.yaml b/manifests/5.1/prometheus_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 000000000..be83451e2
--- /dev/null
+++ b/manifests/5.1/prometheus_rbac.authorization.k8s.io_v1_role.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: prometheus
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/manifests/5.1/prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml b/manifests/5.1/prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml
new file mode 100644
index 000000000..a2b9b06bc
--- /dev/null
+++ b/manifests/5.1/prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: prometheus
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: prometheus
+subjects:
+- kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: openshift-monitoring
diff --git a/manifests/5.1/proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/manifests/5.1/proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 000000000..9feb96aa7
--- /dev/null
+++ b/manifests/5.1/proxy-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/manifests/5.1/proxy-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml b/manifests/5.1/proxy-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
new file mode 100644
index 000000000..3ccda5b15
--- /dev/null
+++ b/manifests/5.1/proxy-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ creationTimestamp: null
+ labels:
+ name: elasticsearch-operator
+ name: proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: proxy-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: openshift-operators-redhat