From f890f861f0b869e902062ec31a2d0e87af4363c5 Mon Sep 17 00:00:00 2001 From: Mikalai Radchuk Date: Tue, 8 Oct 2024 16:46:21 +0200 Subject: [PATCH 1/2] UPSTREAM: : Add global-pull-secret flag Pass global-pull-secret to the manager container. 
Signed-off-by: Mikalai Radchuk --- openshift/generate-manifests.sh | 38 +++++++++++++++---- .../overlays/openshift/kustomization.yaml | 15 +------- .../openshift/olmv1-ns/kustomization.yaml | 19 ++++++++++ .../patches/manager_deployment_ca.yaml | 0 .../patches/manager_namespace_privileged.yaml | 6 +++ .../olmv1-ns/patches/manager_role.yaml | 7 ++++ .../resources/ca_configmap.yaml | 0 .../openshift-config/kustomization.yaml | 6 +++ .../operator-controller_manager_role.yaml | 17 +++++++++ ...rator-controller_manager_role_binding.yaml | 15 ++++++++ ...amespace-openshift-operator-controller.yml | 2 +- ...onfig-operator-controller-manager-role.yml | 18 +++++++++ ...rator-controller-leader-election-role.yml} | 0 ...ller-operator-controller-manager-role.yml} | 0 ...ntroller-clusterextension-editor-role.yml} | 0 ...ntroller-clusterextension-viewer-role.yml} | 0 ...ator-controller-extension-editor-role.yml} | 0 ...ator-controller-extension-viewer-role.yml} | 0 ...role-operator-controller-manager-role.yml} | 8 ++++ ...le-operator-controller-metrics-reader.yml} | 0 ...errole-operator-controller-proxy-role.yml} | 0 ...perator-controller-manager-rolebinding.yml | 17 +++++++++ ...ontroller-leader-election-rolebinding.yml} | 0 ...erator-controller-manager-rolebinding.yml} | 0 ...erator-controller-manager-rolebinding.yml} | 0 ...operator-controller-proxy-rolebinding.yml} | 0 ...ller-operator-controller-openshift-ca.yml} | 0 ...er-controller-manager-metrics-service.yml} | 0 ...perator-controller-controller-manager.yml} | 3 +- 29 files changed, 149 insertions(+), 22 deletions(-) create mode 100644 openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml rename openshift/kustomize/overlays/openshift/{ => olmv1-ns}/patches/manager_deployment_ca.yaml (100%) create mode 100644 openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml create mode 100644 openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml rename 
openshift/kustomize/overlays/openshift/{ => olmv1-ns}/resources/ca_configmap.yaml (100%) create mode 100644 openshift/kustomize/overlays/openshift/openshift-config/kustomization.yaml create mode 100644 openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role.yaml create mode 100644 openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role_binding.yaml create mode 100644 openshift/manifests/03-role-openshift-config-operator-controller-manager-role.yml rename openshift/manifests/{03-role-openshift-operator-controller-operator-controller-leader-election-role.yml => 04-role-openshift-operator-controller-operator-controller-leader-election-role.yml} (100%) rename openshift/manifests/{04-role-openshift-operator-controller-operator-controller-manager-role.yml => 05-role-openshift-operator-controller-operator-controller-manager-role.yml} (100%) rename openshift/manifests/{05-clusterrole-operator-controller-clusterextension-editor-role.yml => 06-clusterrole-operator-controller-clusterextension-editor-role.yml} (100%) rename openshift/manifests/{06-clusterrole-operator-controller-clusterextension-viewer-role.yml => 07-clusterrole-operator-controller-clusterextension-viewer-role.yml} (100%) rename openshift/manifests/{07-clusterrole-operator-controller-extension-editor-role.yml => 08-clusterrole-operator-controller-extension-editor-role.yml} (100%) rename openshift/manifests/{08-clusterrole-operator-controller-extension-viewer-role.yml => 09-clusterrole-operator-controller-extension-viewer-role.yml} (100%) rename openshift/manifests/{09-clusterrole-operator-controller-manager-role.yml => 10-clusterrole-operator-controller-manager-role.yml} (86%) rename openshift/manifests/{10-clusterrole-operator-controller-metrics-reader.yml => 11-clusterrole-operator-controller-metrics-reader.yml} (100%) rename openshift/manifests/{11-clusterrole-operator-controller-proxy-role.yml => 
12-clusterrole-operator-controller-proxy-role.yml} (100%) create mode 100644 openshift/manifests/13-rolebinding-openshift-config-operator-controller-manager-rolebinding.yml rename openshift/manifests/{12-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml => 14-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml} (100%) rename openshift/manifests/{13-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml => 15-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml} (100%) rename openshift/manifests/{14-clusterrolebinding-operator-controller-manager-rolebinding.yml => 16-clusterrolebinding-operator-controller-manager-rolebinding.yml} (100%) rename openshift/manifests/{15-clusterrolebinding-operator-controller-proxy-rolebinding.yml => 17-clusterrolebinding-operator-controller-proxy-rolebinding.yml} (100%) rename openshift/manifests/{16-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml => 18-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml} (100%) rename openshift/manifests/{17-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml => 19-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml} (100%) rename openshift/manifests/{18-deployment-openshift-operator-controller-operator-controller-controller-manager.yml => 20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml} (96%) diff --git a/openshift/generate-manifests.sh b/openshift/generate-manifests.sh index ea2e40d4a..e33b9a2a6 100755 --- a/openshift/generate-manifests.sh +++ b/openshift/generate-manifests.sh 
@@ -20,6 +20,19 @@ IMAGE_MAPPINGS[kube-rbac-proxy]='${KUBE_RBAC_PROXY_IMAGE}' # shellcheck disable=SC2016 IMAGE_MAPPINGS[manager]='${OPERATOR_CONTROLLER_IMAGE}' +# This is a mapping of catalogd flag names to values. For example, given a deployment with a container +# named "manager" and arguments: +# args: +# - --flagname=one +# and an entry to the FLAG_MAPPINGS of FLAG_MAPPINGS[flagname]='two', the argument will be updated to: +# args: +# - --flagname=two +# +# If the flag doesn't already exist - it will be appended to the list. +declare -A FLAG_MAPPINGS +# shellcheck disable=SC2016 +FLAG_MAPPINGS[global-pull-secret]="openshift-config/pull-secret" + ################################################## # You shouldn't need to change anything below here ################################################## @@ -36,11 +49,12 @@ TMP_ROOT="$(mktemp -p . -d 2>/dev/null || mktemp -d ./tmpdir.XXXXXXX)" trap 'rm -rf $TMP_ROOT' EXIT # Copy all kustomize files into a temp dir -TMP_CONFIG="${TMP_ROOT}/config" -cp -a "${REPO_ROOT}/config" "$TMP_CONFIG" +cp -a "${REPO_ROOT}/config" "${TMP_ROOT}/config" +mkdir -p "${TMP_ROOT}/openshift" +cp -a "${REPO_ROOT}/openshift/kustomize" "${TMP_ROOT}/openshift/kustomize" -# Override namespace to openshift-operator-controller -$YQ -i ".namespace = \"${NAMESPACE}\"" "${TMP_CONFIG}/base/kustomization.yaml" +# Override OPENSHIFT-NAMESPACE to ${NAMESPACE} +find "${TMP_ROOT}" -name "*.yaml" -exec sed -i "s/OPENSHIFT-NAMESPACE/${NAMESPACE}/g" {} \; # Create a temp dir for manifests TMP_MANIFEST_DIR="${TMP_ROOT}/manifests" 
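Review bot: `${NAMESPACE}` is spliced unescaped into the sed replacement `s/OPENSHIFT-NAMESPACE/${NAMESPACE}/g`, so a value containing `/` or `&` either aborts sed or silently corrupts every overlay it touches; use a delimiter that cannot appear in a namespace name and escape the one special character, e.g. `sed -i "s#OPENSHIFT-NAMESPACE#${NAMESPACE//&/\\&}#g"`. The replaced yq override only touched `base/kustomization.yaml`, whereas the new `find … -exec sed` rewrites every `*.yaml` under `${TMP_ROOT}`, including the copied `config/` tree — presumably intended because the RoleBinding subject uses the placeholder, but a one-line comment saying the placeholder is a whole-tree token would stop someone re-scoping it later. The header comment on the new table says "mapping of catalogd flag names" although this script builds the operator-controller manager container; suggest `# This is a mapping of manager flag names to values.`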
@@ -48,17 +62,28 @@ mkdir -p "$TMP_MANIFEST_DIR" # Run kustomize, which emits a single yaml file TMP_KUSTOMIZE_OUTPUT="${TMP_MANIFEST_DIR}/temp.yaml" -$KUSTOMIZE build "${REPO_ROOT}"/openshift/kustomize/overlays/openshift -o "$TMP_KUSTOMIZE_OUTPUT" +$KUSTOMIZE build "${TMP_ROOT}/openshift/kustomize/overlays/openshift" -o "$TMP_KUSTOMIZE_OUTPUT" for container_name in "${!IMAGE_MAPPINGS[@]}"; do placeholder="${IMAGE_MAPPINGS[$container_name]}" $YQ -i "(select(.kind == \"Deployment\")|.spec.template.spec.containers[]|select(.name==\"$container_name\")|.image) = \"$placeholder\"" "$TMP_KUSTOMIZE_OUTPUT" $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}"}' "$TMP_KUSTOMIZE_OUTPUT" - $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"openshift.io/required-scc": "restricted-v2"}' "$TMP_KUSTOMIZE_OUTPUT" + $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"openshift.io/required-scc": "privileged"}' "$TMP_KUSTOMIZE_OUTPUT" $YQ -i 'select(.kind == "Deployment").spec.template.spec += {"priorityClassName": "system-cluster-critical"}' "$TMP_KUSTOMIZE_OUTPUT" $YQ -i 'select(.kind == "Namespace").metadata.annotations += {"workload.openshift.io/allowed": "management"}' "$TMP_KUSTOMIZE_OUTPUT" done +# Loop through any flag updates that need to be made to the manager container +for flag_name in "${!FLAG_MAPPINGS[@]}"; do + flagval="${FLAG_MAPPINGS[$flag_name]}" + + # First, update the flag if it exists + $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args[] | select(. | contains(\"--$flag_name=\")) | .) 
= \"--$flag_name=$flagval\"" "$TMP_KUSTOMIZE_OUTPUT" + + # Then, append the flag if it doesn't exist + $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args) |= (select(.[] | contains(\"--$flag_name=\")) | .) // . + [\"--$flag_name=$flagval\"]" "$TMP_KUSTOMIZE_OUTPUT" +done + # Use yq to split the single yaml file into 1 per document. # Naming convention: $index-$kind-$namespace-$name. If $namespace is empty, just use the empty string. ( @@ -102,4 +127,3 @@ cp "$TMP_MANIFEST_DIR"/* "$MANIFEST_DIR"/ fi done ) - diff --git a/openshift/kustomize/overlays/openshift/kustomization.yaml b/openshift/kustomize/overlays/openshift/kustomization.yaml index 1116e3b51..d263908b3 100644 --- a/openshift/kustomize/overlays/openshift/kustomization.yaml +++ b/openshift/kustomize/overlays/openshift/kustomization.yaml @@ -1,16 +1,5 @@ -# Adds namespace to all resources. -namespace: openshift-operator-controller - namePrefix: operator-controller- resources: - - resources/ca_configmap.yaml - - ../../../../config/base/crd - - ../../../../config/base/rbac - - ../../../../config/base/manager - -patches: - - target: - kind: Deployment - name: controller-manager - path: patches/manager_deployment_ca.yaml + - olmv1-ns + - openshift-config diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml new file mode 100644 index 000000000..7e1b8f4f4 --- /dev/null +++ b/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml 
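Review bot: `$flag_name` and `$flagval` are interpolated straight into a double-quoted yq expression with no escaping, so a value containing `"` or `\` yields a malformed or altered expression and a manifest that no longer matches the table; both values currently come from the constant `FLAG_MAPPINGS`, so this is latent, but either state that constraint in the comment above the table or pass the value through the environment (`strenv(FLAGVAL)` in yq v4) instead of string-building. The `select(. | contains("--$flag_name="))` predicate is a substring match, so a flag whose name is a suffix of another (`--secret=` would also match `--pull-secret=`) gets rewritten too; anchoring with `test("^--$flag_name=")` makes the update exact. The loop's enclosing script continues outside this hunk.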
@@ -0,0 +1,19 @@
+# Adds namespace to all resources.
+namespace: OPENSHIFT-NAMESPACE
+
+resources:
+ - resources/ca_configmap.yaml
+ - ../../../../../config/base/crd
+ - ../../../../../config/base/rbac
+ - ../../../../../config/base/manager
+
+patches:
+ - target:
+ kind: ClusterRole
+ name: manager-role
+ path: patches/manager_role.yaml
+ - target:
+ kind: Deployment
+ name: controller-manager
+ path: patches/manager_deployment_ca.yaml
+ - path: patches/manager_namespace_privileged.yaml
diff --git a/openshift/kustomize/overlays/openshift/patches/manager_deployment_ca.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_ca.yaml
similarity index 100%
rename from openshift/kustomize/overlays/openshift/patches/manager_deployment_ca.yaml
rename to openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_ca.yaml
diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml
new file mode 100644
index 000000000..54bbe3084
--- /dev/null
+++ b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: system
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml
new file mode 100644
index 000000000..2030563c4
--- /dev/null
+++ b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml
@@ -0,0 +1,7 @@
+- op: add
+ path: /rules/-
+ value:
+ apiGroups: [security.openshift.io]
+ resources: [securitycontextconstraints]
+ resourceNames: [privileged]
+ verbs: [use]
diff --git a/openshift/kustomize/overlays/openshift/resources/ca_configmap.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/resources/ca_configmap.yaml
similarity index 100%
rename from openshift/kustomize/overlays/openshift/resources/ca_configmap.yaml
rename to openshift/kustomize/overlays/openshift/olmv1-ns/resources/ca_configmap.yaml
diff --git a/openshift/kustomize/overlays/openshift/openshift-config/kustomization.yaml b/openshift/kustomize/overlays/openshift/openshift-config/kustomization.yaml
new file mode 100644
index 000000000..34440c434
--- /dev/null
+++ b/openshift/kustomize/overlays/openshift/openshift-config/kustomization.yaml
@@ -0,0 +1,6 @@
+# Adds namespace to all resources.
+namespace: openshift-config
+
+resources:
+- rbac/operator-controller_manager_role.yaml
+- rbac/operator-controller_manager_role_binding.yaml
diff --git a/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role.yaml b/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role.yaml
new file mode 100644
index 000000000..0fcd8cf39
--- /dev/null
+++ b/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role.yaml
@@ -0,0 +1,17 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
+ name: manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role_binding.yaml b/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role_binding.yaml
new file mode 100644
index 000000000..74d61a43e
--- /dev/null
+++ b/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role_binding.yaml
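Review bot: The new `manager-role` grants `get`/`list`/`watch` on every Secret in `openshift-config`, a namespace that holds cluster-wide credentials, while the only object this series wires up is the single `pull-secret` named in `FLAG_MAPPINGS`; adding `resourceNames: [pull-secret]` to the rule keeps the grant to that one object. Kubernetes RBAC honours `resourceNames` on `list`/`watch` only when the request carries a matching `metadata.name` field selector, so confirm the consumer reads it by `get` or through a field-selector-scoped informer before narrowing — if it does neither, drop `list`/`watch` rather than widen the grant. The header comment `# permissions to do leader election.` and the `app.kubernetes.io/name: catalogd` label look copied from catalogd and mislabel this operator-controller Role; suggest `# permissions to read the global pull secret.` and `app.kubernetes.io/name: operator-controller`.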
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/part-of: olm + app.kubernetes.io/name: catalogd + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: manager-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: OPENSHIFT-NAMESPACE diff --git a/openshift/manifests/00-namespace-openshift-operator-controller.yml b/openshift/manifests/00-namespace-openshift-operator-controller.yml index 2f4379f91..3ac1e22ee 100644 --- a/openshift/manifests/00-namespace-openshift-operator-controller.yml +++ b/openshift/manifests/00-namespace-openshift-operator-controller.yml @@ -3,7 +3,7 @@ kind: Namespace metadata: labels: control-plane: controller-manager - pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce-version: latest name: openshift-operator-controller annotations: diff --git a/openshift/manifests/03-role-openshift-config-operator-controller-manager-role.yml b/openshift/manifests/03-role-openshift-config-operator-controller-manager-role.yml new file mode 100644 index 000000000..d74a44986 --- /dev/null +++ b/openshift/manifests/03-role-openshift-config-operator-controller-manager-role.yml @@ -0,0 +1,18 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: catalogd + app.kubernetes.io/part-of: olm + name: operator-controller-manager-role + namespace: openshift-config +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch 
diff --git a/openshift/manifests/03-role-openshift-operator-controller-operator-controller-leader-election-role.yml b/openshift/manifests/04-role-openshift-operator-controller-operator-controller-leader-election-role.yml similarity index 100% rename from openshift/manifests/03-role-openshift-operator-controller-operator-controller-leader-election-role.yml rename to openshift/manifests/04-role-openshift-operator-controller-operator-controller-leader-election-role.yml diff --git a/openshift/manifests/04-role-openshift-operator-controller-operator-controller-manager-role.yml b/openshift/manifests/05-role-openshift-operator-controller-operator-controller-manager-role.yml similarity index 100% rename from openshift/manifests/04-role-openshift-operator-controller-operator-controller-manager-role.yml rename to openshift/manifests/05-role-openshift-operator-controller-operator-controller-manager-role.yml diff --git a/openshift/manifests/05-clusterrole-operator-controller-clusterextension-editor-role.yml b/openshift/manifests/06-clusterrole-operator-controller-clusterextension-editor-role.yml similarity index 100% rename from openshift/manifests/05-clusterrole-operator-controller-clusterextension-editor-role.yml rename to openshift/manifests/06-clusterrole-operator-controller-clusterextension-editor-role.yml diff --git a/openshift/manifests/06-clusterrole-operator-controller-clusterextension-viewer-role.yml b/openshift/manifests/07-clusterrole-operator-controller-clusterextension-viewer-role.yml similarity index 100% rename from openshift/manifests/06-clusterrole-operator-controller-clusterextension-viewer-role.yml rename to openshift/manifests/07-clusterrole-operator-controller-clusterextension-viewer-role.yml 
diff --git a/openshift/manifests/07-clusterrole-operator-controller-extension-editor-role.yml b/openshift/manifests/08-clusterrole-operator-controller-extension-editor-role.yml similarity index 100% rename from openshift/manifests/07-clusterrole-operator-controller-extension-editor-role.yml rename to openshift/manifests/08-clusterrole-operator-controller-extension-editor-role.yml diff --git a/openshift/manifests/08-clusterrole-operator-controller-extension-viewer-role.yml b/openshift/manifests/09-clusterrole-operator-controller-extension-viewer-role.yml similarity index 100% rename from openshift/manifests/08-clusterrole-operator-controller-extension-viewer-role.yml rename to openshift/manifests/09-clusterrole-operator-controller-extension-viewer-role.yml diff --git a/openshift/manifests/09-clusterrole-operator-controller-manager-role.yml b/openshift/manifests/10-clusterrole-operator-controller-manager-role.yml similarity index 86% rename from openshift/manifests/09-clusterrole-operator-controller-manager-role.yml rename to openshift/manifests/10-clusterrole-operator-controller-manager-role.yml index 12180249d..ffbdbdb58 100644 --- a/openshift/manifests/09-clusterrole-operator-controller-manager-role.yml +++ b/openshift/manifests/10-clusterrole-operator-controller-manager-role.yml @@ -53,3 +53,11 @@ rules: verbs: - patch - update + - apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/openshift/manifests/10-clusterrole-operator-controller-metrics-reader.yml b/openshift/manifests/11-clusterrole-operator-controller-metrics-reader.yml similarity index 100% rename from openshift/manifests/10-clusterrole-operator-controller-metrics-reader.yml rename to openshift/manifests/11-clusterrole-operator-controller-metrics-reader.yml 
diff --git a/openshift/manifests/11-clusterrole-operator-controller-proxy-role.yml b/openshift/manifests/12-clusterrole-operator-controller-proxy-role.yml
similarity index 100%
rename from openshift/manifests/11-clusterrole-operator-controller-proxy-role.yml
rename to openshift/manifests/12-clusterrole-operator-controller-proxy-role.yml
diff --git a/openshift/manifests/13-rolebinding-openshift-config-operator-controller-manager-rolebinding.yml b/openshift/manifests/13-rolebinding-openshift-config-operator-controller-manager-rolebinding.yml
new file mode 100644
index 000000000..5f5d6bd95
--- /dev/null
+++ b/openshift/manifests/13-rolebinding-openshift-config-operator-controller-manager-rolebinding.yml
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: operator-controller-manager-rolebinding
+ namespace: openshift-config
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: operator-controller-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: openshift-operator-controller
diff --git a/openshift/manifests/12-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml b/openshift/manifests/14-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml
similarity index 100%
rename from openshift/manifests/12-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml
rename to openshift/manifests/14-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml
diff --git a/openshift/manifests/13-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml b/openshift/manifests/15-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml similarity index 100% rename from openshift/manifests/13-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml rename to openshift/manifests/15-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml diff --git a/openshift/manifests/14-clusterrolebinding-operator-controller-manager-rolebinding.yml b/openshift/manifests/16-clusterrolebinding-operator-controller-manager-rolebinding.yml similarity index 100% rename from openshift/manifests/14-clusterrolebinding-operator-controller-manager-rolebinding.yml rename to openshift/manifests/16-clusterrolebinding-operator-controller-manager-rolebinding.yml diff --git a/openshift/manifests/15-clusterrolebinding-operator-controller-proxy-rolebinding.yml b/openshift/manifests/17-clusterrolebinding-operator-controller-proxy-rolebinding.yml similarity index 100% rename from openshift/manifests/15-clusterrolebinding-operator-controller-proxy-rolebinding.yml rename to openshift/manifests/17-clusterrolebinding-operator-controller-proxy-rolebinding.yml diff --git a/openshift/manifests/16-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml b/openshift/manifests/18-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml similarity index 100% rename from openshift/manifests/16-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml rename to openshift/manifests/18-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml 
diff --git a/openshift/manifests/17-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml b/openshift/manifests/19-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml similarity index 100% rename from openshift/manifests/17-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml rename to openshift/manifests/19-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml diff --git a/openshift/manifests/18-deployment-openshift-operator-controller-operator-controller-controller-manager.yml b/openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml similarity index 96% rename from openshift/manifests/18-deployment-openshift-operator-controller-operator-controller-controller-manager.yml rename to openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml index f55013f16..8d93f5f93 100644 --- a/openshift/manifests/18-deployment-openshift-operator-controller-operator-controller-controller-manager.yml +++ b/openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml @@ -18,7 +18,7 @@ spec: annotations: kubectl.kubernetes.io/default-container: manager target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - openshift.io/required-scc: restricted-v2 + openshift.io/required-scc: privileged labels: control-plane: controller-manager spec: @@ -44,6 +44,7 @@ spec: - --metrics-bind-address=127.0.0.1:8080 - --leader-elect - --ca-certs-dir=/var/certs + - --global-pull-secret=openshift-config/pull-secret command: - /manager image: ${OPERATOR_CONTROLLER_IMAGE} From 0979422ef920270083efa499d54aa2693f89d573 Mon Sep 17 00:00:00 2001 
From: Ankita Thomas Date: Mon, 25 Nov 2024 23:53:53 -0500 Subject: [PATCH 2/2] UPSTREAM: : use global pullsecret for image pulls Signed-off-by: Ankita Thomas --- cmd/manager/main.go | 65 ++++++++++++++----- internal/rukpak/source/image_registry.go | 24 ++++++- openshift/generate-manifests.sh | 3 +- .../openshift/olmv1-ns/kustomization.yaml | 5 -- .../patches/manager_namespace_privileged.yaml | 6 -- .../olmv1-ns/patches/manager_role.yaml | 7 -- ...amespace-openshift-operator-controller.yml | 2 +- ...rrole-operator-controller-manager-role.yml | 8 --- ...operator-controller-controller-manager.yml | 2 +- 9 files changed, 73 insertions(+), 49 deletions(-) delete mode 100644 openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml delete mode 100644 openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml diff --git a/cmd/manager/main.go b/cmd/manager/main.go index 205461259..246cfd165 100644 --- a/cmd/manager/main.go +++ b/cmd/manager/main.go @@ -23,13 +23,17 @@ import ( "net/http" "os" "path/filepath" + "strings" "time" "github.com/spf13/pflag" "go.uber.org/zap/zapcore" + corev1 "k8s.io/api/core/v1" apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/fields" k8slabels "k8s.io/apimachinery/pkg/labels" - "k8s.io/apimachinery/pkg/selection" + k8stypes "k8s.io/apimachinery/pkg/types" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" _ "k8s.io/client-go/plugin/pkg/client/auth" ctrl "sigs.k8s.io/controller-runtime" 
@@ -52,7 +56,6 @@ import ( "github.com/operator-framework/operator-controller/internal/contentmanager" "github.com/operator-framework/operator-controller/internal/controllers" "github.com/operator-framework/operator-controller/internal/httputil" - "github.com/operator-framework/operator-controller/internal/labels" "github.com/operator-framework/operator-controller/internal/resolve" "github.com/operator-framework/operator-controller/internal/rukpak/preflights/crdupgradesafety" "github.com/operator-framework/operator-controller/internal/rukpak/source" @@ -87,6 +90,7 @@ func main() { operatorControllerVersion bool systemNamespace string caCertDir string + globalPullSecret string ) flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") @@ -97,6 +101,7 @@ func main() { flag.StringVar(&cachePath, "cache-path", "/var/cache", "The local directory path used for filesystem based caching") flag.BoolVar(&operatorControllerVersion, "version", false, "Prints operator-controller version information") flag.StringVar(&systemNamespace, "system-namespace", "", "Configures the namespace that gets used to deploy system resources.") + flag.StringVar(&globalPullSecret, "global-pull-secret", "", "The / of the global pull secret that is going to be used to pull bundle images.") opts := zap.Options{ Development: true, TimeEncoder: zapcore.RFC3339NanoTimeEncoder, 
@@ -115,16 +120,42 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts), zap.StacktraceLevel(zapcore.DPanicLevel))) setupLog.Info("starting up the controller", "version info", version.String()) + var globalPullSecretKey *k8stypes.NamespacedName + if globalPullSecret != "" { + secretParts := strings.Split(globalPullSecret, "/") + if len(secretParts) != 2 { + setupLog.Error(fmt.Errorf("incorrect number of components"), "value of global-pull-secret should be of the format /") + os.Exit(1) + } + globalPullSecretKey = &k8stypes.NamespacedName{Name: secretParts[1], Namespace: secretParts[0]} + } + if systemNamespace == "" { systemNamespace = podNamespace() } - dependentRequirement, err := k8slabels.NewRequirement(labels.OwnerKindKey, selection.In, []string{ocv1alpha1.ClusterExtensionKind}) - if err != nil { - setupLog.Error(err, "unable to create dependent label selector for cache") - os.Exit(1) + cacheOptions := crcache.Options{ + ByObject: map[client.Object]crcache.ByObject{ + &ocv1alpha1.ClusterExtension{}: {Label: k8slabels.Everything()}, + &catalogd.ClusterCatalog{}: {Label: k8slabels.Everything()}, + }, + DefaultNamespaces: map[string]crcache.Config{ + systemNamespace: {LabelSelector: k8slabels.Everything()}, + }, + DefaultLabelSelector: k8slabels.Nothing(), + } + if globalPullSecretKey != nil { + cacheOptions.ByObject[&corev1.Secret{}] = crcache.ByObject{ + Namespaces: map[string]crcache.Config{ + globalPullSecretKey.Namespace: { + LabelSelector: k8slabels.Everything(), + FieldSelector: fields.SelectorFromSet(map[string]string{ + "metadata.name": globalPullSecretKey.Name, + }), + }, + }, + } } - dependentSelector := k8slabels.NewSelector().Add(*dependentRequirement) setupLog.Info("set up manager") mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ 
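Review bot: The `--global-pull-secret` parser only checks that `strings.Split` returned two parts, so `/pull-secret` and `openshift-config/` both pass validation and produce a `NamespacedName` with an empty field, which then becomes an empty-string key in `cacheOptions.ByObject[&corev1.Secret{}].Namespaces` and an empty namespace in the later `Secrets(...).Get`; reject empty components up front with `if len(secretParts) != 2 || secretParts[0] == "" || secretParts[1] == "" {`. The flag help and the error message read `The / of the global pull secret` and `of the format /` in this rendering — if that is not just `<namespace>/<name>` lost to HTML, the strings need the placeholder restored. Replacing the previous `DefaultLabelSelector` (the owner-kind requirement) with `k8slabels.Nothing()` also changes what the cache holds for every type not listed in `ByObject` outside the system namespace; that looks deliberate but deserves a comment explaining why owned cluster-scoped objects no longer need to be cached. The `ctrl.NewManager` call this hunk opens continues outside it.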
@@ -133,16 +164,7 @@ func main() { HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "9c4404e7.operatorframework.io", - Cache: crcache.Options{ - ByObject: map[client.Object]crcache.ByObject{ - &ocv1alpha1.ClusterExtension{}: {Label: k8slabels.Everything()}, - &catalogd.ClusterCatalog{}: {Label: k8slabels.Everything()}, - }, - DefaultNamespaces: map[string]crcache.Config{ - systemNamespace: {LabelSelector: k8slabels.Everything()}, - }, - DefaultLabelSelector: dependentSelector, - }, + Cache: cacheOptions, // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily // when the Manager ends. This requires the binary to immediately end when the // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly @@ -200,6 +222,15 @@ func main() { AuthNamespace: systemNamespace, CertPoolWatcher: certPoolWatcher, } + if globalPullSecretKey != nil { + unpacker.PullSecretFetcher = func(ctx context.Context) ([]corev1.Secret, error) { + pullSecret, err := coreClient.Secrets(globalPullSecretKey.Namespace).Get(ctx, globalPullSecretKey.Name, metav1.GetOptions{}) + if err != nil { + return nil, err + } + return []corev1.Secret{*pullSecret}, err + } + } clusterExtensionFinalizers := crfinalizer.NewFinalizers() domain := ocv1alpha1.GroupVersion.Group diff --git a/internal/rukpak/source/image_registry.go b/internal/rukpak/source/image_registry.go index a6d6640d4..5c99d0059 100644 --- a/internal/rukpak/source/image_registry.go +++ b/internal/rukpak/source/image_registry.go @@ -17,6 +17,7 @@ import ( gcrkube "github.com/google/go-containerregistry/pkg/authn/kubernetes" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" + corev1 "k8s.io/api/core/v1" apimacherrors "k8s.io/apimachinery/pkg/util/errors" "sigs.k8s.io/controller-runtime/pkg/log" 
@@ -52,11 +53,14 @@ func NewUnrecoverable(err error) *Unrecoverable { // TODO: Make asynchronous type ImageRegistry struct { - BaseCachePath string - AuthNamespace string - CertPoolWatcher *httputil.CertPoolWatcher + BaseCachePath string + AuthNamespace string + CertPoolWatcher *httputil.CertPoolWatcher + PullSecretFetcher PullSecretFetcher } +type PullSecretFetcher func(ctx context.Context) ([]corev1.Secret, error) + func (i *ImageRegistry) Unpack(ctx context.Context, bundle *BundleSource) (*Result, error) { l := log.FromContext(ctx) if bundle.Type != SourceTypeImage { @@ -119,6 +123,20 @@ func (i *ImageRegistry) Unpack(ctx context.Context, bundle *BundleSource) (*Resu } } + if i.PullSecretFetcher != nil { + pullSecrets, err := i.PullSecretFetcher(ctx) + if err != nil { + l.V(1).Error(err, "failed to fetch global pullsecret, attempting unauthenticated image pull") + } else { + pullSecretAuth, err := gcrkube.NewFromPullSecrets(ctx, pullSecrets) + if err != nil { + l.V(1).Error(err, "failed to parse global pullsecret, attempting unauthenticated image pull") + } else { + remoteOpts = append(remoteOpts, remote.WithAuthFromKeychain(pullSecretAuth)) + } + } + } + // always fetch the hash imgDesc, err := remote.Head(imgRef, remoteOpts...) if err != nil { diff --git a/openshift/generate-manifests.sh b/openshift/generate-manifests.sh index e33b9a2a6..bf3b0b5da 100755 --- a/openshift/generate-manifests.sh +++ b/openshift/generate-manifests.sh 
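Review bot: The exported type `PullSecretFetcher` and the new `ImageRegistry.PullSecretFetcher` field have no doc comments, and their contract (what a nil field means, and whether the returned Secrets must be of type kubernetes.io/dockerconfigjson) is only discoverable by reading Unpack. Add `// PullSecretFetcher returns the Secrets used to authenticate image pulls; an error leaves the pull unauthenticated.` above the type, and `// PullSecretFetcher, when non-nil, supplies pull Secrets for registry auth.` above the field.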
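Review bot: In the new PullSecretFetcher branch of Unpack, both failure paths log at `l.V(1).Error(...)` and then silently fall back to an unauthenticated pull, so a missing or malformed global pull secret is invisible at the default verbosity and only surfaces later as an opaque registry authorization error on the Head/pull call; log these at the default level (`l.Error(err, ...)`) or record the fallback in the returned Result so the two cases can be told apart from the operator's side. `remote.WithAuthFromKeychain` sets the option's keychain rather than adding to it, so if the unchanged part of Unpack already configures a keychain in remoteOpts, this append replaces it — combine them with `authn.NewMultiKeychain` in that case. Unpack begins and ends outside the hunk.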
@@ -68,7 +68,7 @@ for container_name in "${!IMAGE_MAPPINGS[@]}"; do placeholder="${IMAGE_MAPPINGS[$container_name]}" $YQ -i "(select(.kind == \"Deployment\")|.spec.template.spec.containers[]|select(.name==\"$container_name\")|.image) = \"$placeholder\"" "$TMP_KUSTOMIZE_OUTPUT" $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"target.workload.openshift.io/management": "{\"effect\": \"PreferredDuringScheduling\"}"}' "$TMP_KUSTOMIZE_OUTPUT" - $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"openshift.io/required-scc": "privileged"}' "$TMP_KUSTOMIZE_OUTPUT" + $YQ -i 'select(.kind == "Deployment").spec.template.metadata.annotations += {"openshift.io/required-scc": "restricted-v2"}' "$TMP_KUSTOMIZE_OUTPUT" $YQ -i 'select(.kind == "Deployment").spec.template.spec += {"priorityClassName": "system-cluster-critical"}' "$TMP_KUSTOMIZE_OUTPUT" $YQ -i 'select(.kind == "Namespace").metadata.annotations += {"workload.openshift.io/allowed": "management"}' "$TMP_KUSTOMIZE_OUTPUT" done @@ -127,3 +127,4 @@ cp "$TMP_MANIFEST_DIR"/* "$MANIFEST_DIR"/ fi done ) + diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml index 7e1b8f4f4..49b3a5d6a 100644 --- a/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml +++ b/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml @@ -8,12 +8,7 @@ resources: - ../../../../../config/base/manager patches: - - target: - kind: ClusterRole - name: manager-role - path: patches/manager_role.yaml - target: kind: Deployment name: controller-manager path: patches/manager_deployment_ca.yaml - - path: patches/manager_namespace_privileged.yaml diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml deleted file mode 100644 index 54bbe3084..000000000 
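Review bot: Changing the generated Deployment's `openshift.io/required-scc` annotation to `restricted-v2` only pins which SCC admission must grant; it does not make the pod spec admissible under it, so the manager container's securityContext (runAsNonRoot, `allowPrivilegeEscalation: false`, capabilities drop ALL, seccompProfile RuntimeDefault) must already satisfy restricted-v2 or the pod is rejected at admission. That securityContext is set outside this hunk, so verify it in the base deployment or add a yq patch next to this line that sets it. The enclosing for loop starts before the hunk.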
--- a/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: system
- labels:
- pod-security.kubernetes.io/enforce: privileged
diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml
deleted file mode 100644
index 2030563c4..000000000
--- a/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-- op: add
- path: /rules/-
- value:
- apiGroups: [security.openshift.io]
- resources: [securitycontextconstraints]
- resourceNames: [privileged]
- verbs: [use]
diff --git a/openshift/manifests/00-namespace-openshift-operator-controller.yml b/openshift/manifests/00-namespace-openshift-operator-controller.yml
index 3ac1e22ee..2f4379f91 100644
--- a/openshift/manifests/00-namespace-openshift-operator-controller.yml
+++ b/openshift/manifests/00-namespace-openshift-operator-controller.yml
@@ -3,7 +3,7 @@ kind: Namespace
 metadata:
 labels:
 control-plane: controller-manager
- pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce: restricted
 pod-security.kubernetes.io/enforce-version: latest
 name: openshift-operator-controller
 annotations:
diff --git a/openshift/manifests/10-clusterrole-operator-controller-manager-role.yml b/openshift/manifests/10-clusterrole-operator-controller-manager-role.yml
index ffbdbdb58..12180249d 100644
--- a/openshift/manifests/10-clusterrole-operator-controller-manager-role.yml
+++ b/openshift/manifests/10-clusterrole-operator-controller-manager-role.yml
@@ -53,11 +53,3 @@ rules:
 verbs:
 - patch
 - update
- - apiGroups:
- - security.openshift.io
- resourceNames:
- - privileged
- resources:
- - securitycontextconstraints
- verbs:
- - use
diff --git a/openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml b/openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
index 8d93f5f93..64a79afd2 100644
--- a/openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
+++ b/openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
@@ -18,7 +18,7 @@ spec:
 annotations:
 kubectl.kubernetes.io/default-container: manager
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
- openshift.io/required-scc: privileged
+ openshift.io/required-scc: restricted-v2
 labels:
 control-plane: controller-manager
 spec: