diff --git a/charts/charts/tenant-namespace-operator/Chart.yaml b/charts/charts/tenant-namespace-operator/Chart.yaml index 55161a2..0d79925 100644 --- a/charts/charts/tenant-namespace-operator/Chart.yaml +++ b/charts/charts/tenant-namespace-operator/Chart.yaml @@ -14,8 +14,8 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 0.1.16 +version: 0.1.17 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 0.1.13-1 +appVersion: 0.1.14-1 diff --git a/charts/charts/tenant-namespace-operator/README.md b/charts/charts/tenant-namespace-operator/README.md index a828917..4c0e2e8 100644 --- a/charts/charts/tenant-namespace-operator/README.md +++ b/charts/charts/tenant-namespace-operator/README.md @@ -7,8 +7,8 @@ The tenant-namespace-operator chart launches an instance of the tenant-namespace Apply the CRD's if not already done so: ```bash -kubectl apply -f https://raw.githubusercontent.com/pnnl-miscscripts/miscscripts/master/containers/tenant-namespace-operator/deploy/crds/miscscripts.pnnl.gov_tenantnamespaceflavors_crd.yaml -kubectl apply -f https://raw.githubusercontent.com/pnnl-miscscripts/miscscripts/master/containers/tenant-namespace-operator/deploy/crds/miscscripts.pnnl.gov_tenantnamespaces_crd.yaml +kubectl apply -f https://raw.githubusercontent.com/pnnl-miscscripts/miscscripts/master/containers/tenant-namespace-operator/config/crd/bases/miscscripts.pnnl.gov_tenantnamespaceflavors.yaml +kubectl apply -f https://raw.githubusercontent.com/pnnl-miscscripts/miscscripts/master/containers/tenant-namespace-operator/config/crd/bases/miscscripts.pnnl.gov_tenantnamespaces.yaml ``` To install the Chart into your Kubernetes cluster (Helm 3 only) : 
diff --git a/charts/charts/tenant-namespace-operator/templates/deployment.yaml b/charts/charts/tenant-namespace-operator/templates/deployment.yaml index 9719707..f796d24 100644 --- a/charts/charts/tenant-namespace-operator/templates/deployment.yaml +++ b/charts/charts/tenant-namespace-operator/templates/deployment.yaml @@ -32,7 +32,24 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} + livenessProbe: + httpGet: + path: /healthz + port: 6789 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 6789 + initialDelaySeconds: 5 + periodSeconds: 10 + args: + - "--enable-leader-election" + - "--leader-election-id=tenant-namespace-operator" env: + - name: ANSIBLE_GATHERING + value: explicit - name: WATCH_NAMESPACE {{- if eq .Values.mode "cluster" }} value: "" @@ -41,14 +58,6 @@ spec: fieldRef: fieldPath: metadata.namespace {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAME - value: "tenant-namespace-operator" - - name: ANSIBLE_GATHERING - value: explicit - name: SERVICE_ACCOUNT_NAME value: {{ include "tenant-namespace-operator.serviceAccountName" . }} - name: NAMESPACE diff --git a/containers/tenant-namespace-operator/.gitignore b/containers/tenant-namespace-operator/.gitignore new file mode 100644 index 0000000..b434200 --- /dev/null +++ b/containers/tenant-namespace-operator/.gitignore @@ -0,0 +1,17 @@ + +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib +bin + +# editor and IDE paraphernalia +.idea +*.swp +*.swo +*~ + +bundle/ +bundle.Dockerfile diff --git a/containers/tenant-namespace-operator/Dockerfile b/containers/tenant-namespace-operator/Dockerfile index f86a2d1..99acc7e 100644 --- a/containers/tenant-namespace-operator/Dockerfile +++ b/containers/tenant-namespace-operator/Dockerfile 
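Review bot: The new `--enable-leader-election` argument in the container args switches the operator to controller-runtime leader election, which needs get/create/update on configmaps — and, depending on which lock type the v1.4.0 `ansible-operator` binary uses, on `coordination.k8s.io` leases — in the operator's own namespace; the chart's RBAC templates are not in this diff, so confirm the chart's Role grants them, otherwise the pod will fail to acquire the lock and restart once the probes kick in. The probe port `6789` and paths are hard-coded while `securityContext` and `resources` come from values; consider `port: {{ .Values.healthPort | default 6789 }}` or at least a comment such as `# 6789 is ansible-operator's default health-probe port` so a later flag change does not silently break the probes. Note also that liveness here is `/healthz` and readiness `/readyz`, the reverse of what `config/manager/manager.yaml` in this same commit uses; the two deployment paths should agree on one ordering.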
@@ -1,6 +1,6 @@ -FROM quay.io/operator-framework/ansible-operator:v0.17.0 +FROM quay.io/operator-framework/ansible-operator:v1.4.0 -ARG helm_version=v3.3.4 +ARG helm_version=v3.5.2 USER 0 RUN \ yum clean all && \ @@ -32,4 +32,4 @@ RUN \ echo 0.1.13 >> /.extrafingerprints && \ md5sum watches.yaml >> /.extrafingerprints -ENTRYPOINT ["/usr/local/bin/entrypoint", "--inject-owner-ref=false"] +ENTRYPOINT ["/usr/local/bin/ansible-operator", "run", "--watches-file=./watches.yaml", "--inject-owner-ref=false"] diff --git a/containers/tenant-namespace-operator/Makefile b/containers/tenant-namespace-operator/Makefile new file mode 100644 index 0000000..8f201fe --- /dev/null +++ b/containers/tenant-namespace-operator/Makefile 
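Review bot: The context line `echo 0.1.13 >> /.extrafingerprints` still records 0.1.13 while this commit bumps `buildenv` PREFIX and the chart `appVersion` to 0.1.14, so the image fingerprint no longer identifies the release it is built for; change it to `echo 0.1.14 >> /.extrafingerprints && \` or derive it from a build `ARG` fed from buildenv so the two cannot drift again. The base image is pinned only by the mutable tag `ansible-operator:v1.4.0`; for an operator that holds cluster-wide RBAC, pin by digest (`FROM quay.io/operator-framework/ansible-operator@sha256:...`) so a re-tagged upstream image cannot change what gets deployed. `USER 0` is set before the RUN block and nothing visible between the end of that block and the new ENTRYPOINT drops privileges — if the lines omitted from this hunk do not switch back to a non-root user (e.g. `USER 1001`), the operator now runs as root. The relative `--watches-file=./watches.yaml` also depends on the base image's WORKDIR; an absolute path is more robust across base-image changes.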
@@ -0,0 +1,115 @@ +# VERSION defines the project version for the bundle. +# Update this value when you upgrade the version of your project. +# To re-generate a bundle for another specific version without changing the standard setup, you can: +# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) +# - use environment variables to overwrite this value (e.g export VERSION=0.0.2) +VERSION ?= 0.0.1 + +# CHANNELS define the bundle channels used in the bundle. +# Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable") +# To re-generate a bundle for other specific channels without changing the standard setup, you can: +# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=preview,fast,stable) +# - use environment variables to overwrite this value (e.g export CHANNELS="preview,fast,stable") +ifneq ($(origin CHANNELS), undefined) +BUNDLE_CHANNELS := --channels=$(CHANNELS) +endif + +# DEFAULT_CHANNEL defines the default channel used in the bundle. +# Add a new line here if you would like to change its default config. (E.g DEFAULT_CHANNEL = "stable") +# To re-generate a bundle for any other default channel without changing the default setup, you can: +# - use the DEFAULT_CHANNEL as arg of the bundle target (e.g make bundle DEFAULT_CHANNEL=stable) +# - use environment variables to overwrite this value (e.g export DEFAULT_CHANNEL="stable") +ifneq ($(origin DEFAULT_CHANNEL), undefined) +BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL) +endif +BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) + +# BUNDLE_IMG defines the image:tag used for the bundle. +# You can use it as an arg. 
(E.g make bundle-build BUNDLE_IMG=/:) +BUNDLE_IMG ?= controller-bundle:$(VERSION) + +# Image URL to use all building/pushing image targets +IMG ?= controller:latest + +all: docker-build + +# Run against the configured Kubernetes cluster in ~/.kube/config +run: ansible-operator + $(ANSIBLE_OPERATOR) run + +# Install CRDs into a cluster +install: kustomize + $(KUSTOMIZE) build config/crd | kubectl apply -f - + +# Uninstall CRDs from a cluster +uninstall: kustomize + $(KUSTOMIZE) build config/crd | kubectl delete -f - + +# Deploy controller in the configured Kubernetes cluster in ~/.kube/config +deploy: kustomize + cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} + $(KUSTOMIZE) build config/default | kubectl apply -f - + +# Undeploy controller in the configured Kubernetes cluster in ~/.kube/config +undeploy: kustomize + $(KUSTOMIZE) build config/default | kubectl delete -f - + +# Build the docker image +docker-build: + docker build -t ${IMG} . + +# Push the docker image +docker-push: + docker push ${IMG} + +PATH := $(PATH):$(PWD)/bin +SHELL := env 'PATH=$(PATH)' /bin/sh +OS := $(shell uname -s | tr '[:upper:]' '[:lower:]') +ARCH := $(shell uname -m | sed 's/x86_64/amd64/') + +# Download kustomize locally if necessary, preferring the $(pwd)/bin path over global if both exist. +.PHONY: kustomize +KUSTOMIZE = $(shell pwd)/bin/kustomize +kustomize: +ifeq (,$(wildcard $(KUSTOMIZE))) +ifeq (,$(shell which kustomize 2>/dev/null)) + @{ \ + set -e ;\ + mkdir -p $(dir $(KUSTOMIZE)) ;\ + curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.5.4/kustomize_v3.5.4_$(OS)_$(ARCH).tar.gz | \ + tar xzf - -C bin/ ;\ + } +else +KUSTOMIZE = $(shell which kustomize) +endif +endif + +# Download ansible-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist. 
+.PHONY: ansible-operator +ANSIBLE_OPERATOR = $(shell pwd)/bin/ansible-operator +ansible-operator: +ifeq (,$(wildcard $(ANSIBLE_OPERATOR))) +ifeq (,$(shell which ansible-operator 2>/dev/null)) + @{ \ + set -e ;\ + mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\ + curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.4.0/ansible-operator_$(OS)_$(ARCH) ;\ + chmod +x $(ANSIBLE_OPERATOR) ;\ + } +else +ANSIBLE_OPERATOR = $(shell which ansible-operator) +endif +endif + +# Generate bundle manifests and metadata, then validate generated files. +.PHONY: bundle +bundle: kustomize + operator-sdk generate kustomize manifests -q + cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) + $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS) + operator-sdk bundle validate ./bundle + +# Build the bundle image. +.PHONY: bundle-build +bundle-build: + docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . diff --git a/containers/tenant-namespace-operator/PROJECT b/containers/tenant-namespace-operator/PROJECT new file mode 100644 index 0000000..be0a6ea --- /dev/null +++ b/containers/tenant-namespace-operator/PROJECT @@ -0,0 +1,14 @@ +domain: pnnl.gov +layout: ansible.sdk.operatorframework.io/v1 +projectName: tenant-namespace-operator +resources: +- group: miscscripts + kind: TenantNamespace + version: v1beta1 +- group: miscscripts + kind: TenantNamespaceFlavor + version: v1beta1 +version: 3-alpha +plugins: + manifests.sdk.operatorframework.io/v2: {} + scorecard.sdk.operatorframework.io/v2: {} diff --git a/containers/tenant-namespace-operator/build/Dockerfile b/containers/tenant-namespace-operator/build/Dockerfile deleted file mode 120000 index 395595c..0000000 --- a/containers/tenant-namespace-operator/build/Dockerfile +++ /dev/null @@ -1 +0,0 @@ -../Dockerfile \ No newline at end of file 
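Review bot: Both download targets fetch executables over the network and run them with no integrity check — `curl -sSLo - .../kustomize_v3.5.4_$(OS)_$(ARCH).tar.gz | tar xzf - -C bin/` and `curl -sSLo $(ANSIBLE_OPERATOR) .../ansible-operator_$(OS)_$(ARCH)` — so a substituted release asset is executed on the developer's machine and then used to render the manifests that `deploy` applies to the cluster with cluster-wide RBAC. Pin the expected SHA-256 per OS/ARCH and verify before use, e.g. `curl -sSLo bin/kustomize.tgz <url>` then `echo "$(KUSTOMIZE_SHA256)  bin/kustomize.tgz" | sha256sum -c -` before `tar xzf bin/kustomize.tgz -C bin/`, and the same for the ansible-operator binary. The `$(shell which kustomize)` fallback also silently prefers whatever version is first on the developer's PATH, so `bundle` and `deploy` output is not reproducible; consider always using the pinned local binary.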
diff --git a/containers/tenant-namespace-operator/buildenv b/containers/tenant-namespace-operator/buildenv index 7441c07..04a4b2d 100644 --- a/containers/tenant-namespace-operator/buildenv +++ b/containers/tenant-namespace-operator/buildenv @@ -1 +1 @@ -export PREFIX=0.1.13 +export PREFIX=0.1.14 diff --git a/containers/tenant-namespace-operator/deploy/crds/miscscripts.pnnl.gov_tenantnamespaceflavors_crd.yaml b/containers/tenant-namespace-operator/config/crd/bases/miscscripts.pnnl.gov_tenantnamespaceflavors.yaml similarity index 100% rename from containers/tenant-namespace-operator/deploy/crds/miscscripts.pnnl.gov_tenantnamespaceflavors_crd.yaml rename to containers/tenant-namespace-operator/config/crd/bases/miscscripts.pnnl.gov_tenantnamespaceflavors.yaml diff --git a/containers/tenant-namespace-operator/deploy/crds/miscscripts.pnnl.gov_tenantnamespaces_crd.yaml b/containers/tenant-namespace-operator/config/crd/bases/miscscripts.pnnl.gov_tenantnamespaces.yaml similarity index 100% rename from containers/tenant-namespace-operator/deploy/crds/miscscripts.pnnl.gov_tenantnamespaces_crd.yaml rename to containers/tenant-namespace-operator/config/crd/bases/miscscripts.pnnl.gov_tenantnamespaces.yaml diff --git a/containers/tenant-namespace-operator/config/crd/kustomization.yaml b/containers/tenant-namespace-operator/config/crd/kustomization.yaml new file mode 100644 index 0000000..ac3d522 --- /dev/null +++ b/containers/tenant-namespace-operator/config/crd/kustomization.yaml @@ -0,0 +1,7 @@ +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/default +resources: +- bases/miscscripts.pnnl.gov_tenantnamespaces.yaml +- bases/miscscripts.pnnl.gov_tenantnamespaceflavors.yaml +# +kubebuilder:scaffold:crdkustomizeresource 
diff --git a/containers/tenant-namespace-operator/config/default/kustomization.yaml b/containers/tenant-namespace-operator/config/default/kustomization.yaml new file mode 100644 index 0000000..1e5312b --- /dev/null +++ b/containers/tenant-namespace-operator/config/default/kustomization.yaml @@ -0,0 +1,26 @@ +# Adds namespace to all resources. +namespace: tenant-namespace-operator + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: tenant-namespace-operator- + +# Labels to add to all resources and selectors. +#commonLabels: +# someName: someValue + +bases: +- ../crd +- ../rbac +- ../manager +# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. +#- ../prometheus + +patchesStrategicMerge: + # Protect the /metrics endpoint by putting it behind auth. + # If you want your controller-manager to expose the /metrics + # endpoint w/o any authn/z, please comment the following line. +- manager_auth_proxy_patch.yaml diff --git a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml new file mode 100644 index 0000000..f1b16e3 --- /dev/null +++ b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml 
@@ -0,0 +1,26 @@ +# This patch inject a sidecar container which is a HTTP proxy for the +# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: manager + args: + - "--metrics-addr=127.0.0.1:8080" + - "--enable-leader-election" + - "--leader-election-id=tenant-namespace-operator" diff --git a/containers/tenant-namespace-operator/config/manager/kustomization.yaml b/containers/tenant-namespace-operator/config/manager/kustomization.yaml new file mode 100644 index 0000000..5c5f0b8 --- /dev/null +++ b/containers/tenant-namespace-operator/config/manager/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- manager.yaml diff --git a/containers/tenant-namespace-operator/config/manager/manager.yaml b/containers/tenant-namespace-operator/config/manager/manager.yaml new file mode 100644 index 0000000..411b7a4 --- /dev/null +++ b/containers/tenant-namespace-operator/config/manager/manager.yaml 
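Review bot: `--v=10` on the kube-rbac-proxy sidecar is debug-level verbosity for a production auth proxy; at that level it records per-request detail about every caller of the metrics endpoint and the TokenReview/SubjectAccessReview round-trips, which floods logs with data nobody needs outside a debugging session — use `- "--v=0"` or drop the flag. The proxy image `gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0` is referenced by a mutable tag with no digest; pin by digest and track the version the current operator-sdk scaffold ships. The sidecar also declares no `resources` or `securityContext`, so it relies entirely on namespace defaults; add `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}` next to the existing args so the proxy that fronts the only externally reachable port runs with least privilege.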
@@ -0,0 +1,46 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + labels: + control-plane: controller-manager + spec: + containers: + - name: manager + args: + - "--enable-leader-election" + - "--leader-election-id=tenant-namespace-operator" + env: + - name: ANSIBLE_GATHERING + value: explicit + image: controller:latest + livenessProbe: + httpGet: + path: /readyz + port: 6789 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /healthz + port: 6789 + initialDelaySeconds: 5 + periodSeconds: 10 + terminationGracePeriodSeconds: 10 diff --git a/containers/tenant-namespace-operator/config/prometheus/kustomization.yaml b/containers/tenant-namespace-operator/config/prometheus/kustomization.yaml new file mode 100644 index 0000000..ed13716 --- /dev/null +++ b/containers/tenant-namespace-operator/config/prometheus/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- monitor.yaml diff --git a/containers/tenant-namespace-operator/config/prometheus/monitor.yaml b/containers/tenant-namespace-operator/config/prometheus/monitor.yaml new file mode 100644 index 0000000..1b44d4f --- /dev/null +++ b/containers/tenant-namespace-operator/config/prometheus/monitor.yaml @@ -0,0 +1,16 @@ +--- +# Prometheus Monitor Service (Metrics) +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + control-plane: controller-manager + name: controller-manager-metrics-monitor + namespace: system +spec: + endpoints: + - path: /metrics + port: https + selector: + matchLabels: + control-plane: controller-manager 
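Review bot: The probes are crossed — `livenessProbe` hits `/readyz` and `readinessProbe` hits `/healthz`, the opposite of `templates/deployment.yaml` in this same commit (liveness `/healthz`, readiness `/readyz`); the two endpoints may return the same result today, but the contract is liveness→`/healthz` and readiness→`/readyz`, so swap them and keep both deployment paths identical. The manager container has no `securityContext`, no `resources`, and no `serviceAccountName`, so it runs as whatever user the image sets and under the namespace's `default` ServiceAccount — the subject that `config/rbac` binds to a ClusterRole with wildcard verbs on namespaces, clusterroles and clusterrolebindings. Add at least `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}` and a dedicated `serviceAccountName` (with the bindings updated to match) so those permissions are not inherited by every pod in the namespace. `image: controller:latest` is a placeholder rewritten by `kustomize edit set image`, but when `make deploy` is run without `IMG` it resolves to the mutable `latest` tag; document that or make the target fail when `IMG` is unset.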
diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml new file mode 100644 index 0000000..bd4af13 --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml @@ -0,0 +1,7 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-reader +rules: +- nonResourceURLs: ["/metrics"] + verbs: ["get"] diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml new file mode 100644 index 0000000..618f5e4 --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: proxy-role +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 0000000..48ed1e4 --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml new file mode 100644 index 0000000..6cf656b --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml 
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager diff --git a/containers/tenant-namespace-operator/config/rbac/kustomization.yaml b/containers/tenant-namespace-operator/config/rbac/kustomization.yaml new file mode 100644 index 0000000..66c2833 --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/kustomization.yaml @@ -0,0 +1,12 @@ +resources: +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# Comment the following 4 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml +- auth_proxy_client_clusterrole.yaml diff --git a/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml b/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml new file mode 100644 index 0000000..53e9749 --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml @@ -0,0 +1,25 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml b/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml new file mode 100644 index 0000000..eed1690 --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml 
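Review bot: The leader-election Role grants only `configmaps` and `events`; controller-runtime releases from the generation operator-sdk v1.4.0 builds against default to a configmaps+leases lock, so if the pinned `ansible-operator` binary uses that lock, leader election fails with a forbidden error on `leases.coordination.k8s.io` and the pod never becomes ready. Add a rule `- apiGroups: ["coordination.k8s.io"]` / `resources: ["leases"]` / `verbs: [get, list, watch, create, update, patch, delete]` (harmless if unused) and note in a comment which lock type the binary actually uses. `delete` on every configmap in the operator namespace appears not to be needed by the lock (it does get/create/update); drop it, or scope the get/update/delete rule with `resourceNames: [tenant-namespace-operator]` (the `--leader-election-id`) so a compromised operator pod cannot erase unrelated configmaps.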
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/containers/tenant-namespace-operator/config/rbac/role.yaml b/containers/tenant-namespace-operator/config/rbac/role.yaml new file mode 100644 index 0000000..853329c --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/role.yaml 
@@ -0,0 +1,124 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - events + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - replicasets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - list + - delete + - patch + - update + - watch + - apiGroups: + - apps + resourceNames: + - tenant-namespace-operator + resources: + - deployments/finalizers + verbs: + - update + ## + ## Base operator rules + ## + - apiGroups: + - "" + resources: + - namespaces + - resourcequotas + - limitranges + verbs: + - "*" + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - "*" + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - "*" + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - operators.coreos.com + resources: + - operatorgroups + - subscriptions + verbs: + - "*" + ## + ## Rules for miscscripts.pnnl.gov/v1beta1, Kind: TenantNamespace + ## + - apiGroups: + - miscscripts.pnnl.gov + resources: + - tenantnamespaces + - tenantnamespaces/status + - tenantnamespaces/finalizers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + ## + ## Rules for miscscripts.pnnl.gov/v1beta1, Kind: TenantNamespaceFlavor + ## + - apiGroups: + - miscscripts.pnnl.gov + resources: + - tenantnamespaceflavors + verbs: + - get + - list + - watch +# +kubebuilder:scaffold:rules 
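Review bot: `verbs: ["*"]` on `clusterroles` and `clusterrolebindings` under "Base operator rules" makes `manager-role` cluster-admin-equivalent — `*` includes `escalate` and `bind`, so the operator's ServiceAccount can author a ClusterRole with any rule and bind it to itself — and since this commit also ships an editor role for end users to create TenantNamespace objects, any tenant-controlled input that reaches the Ansible templates is one bug away from full cluster control. Enumerate the verbs the tenantnamespace role actually uses (`create, get, list, watch, update, patch, delete`) and leave `escalate`/`bind` off; if the role must grant tenants pre-existing ClusterRoles, add a separate `bind` rule with `resourceNames` naming only those roles. The `deployments/finalizers` rule is limited to `resourceNames: [tenant-namespace-operator]`, but with `namePrefix: tenant-namespace-operator-` in `config/default` the Deployment is named `tenant-namespace-operator-controller-manager`, so that rule never matches anything. The first three rules (create/delete on pods, services, deployments, replicasets, servicemonitors) look like leftovers of the old SDK scaffold rather than anything a namespace-provisioning role needs; drop them unless the role demonstrably uses them.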
diff --git a/containers/tenant-namespace-operator/config/rbac/role_binding.yaml b/containers/tenant-namespace-operator/config/rbac/role_binding.yaml new file mode 100644 index 0000000..98f8782 --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/role_binding.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/containers/tenant-namespace-operator/config/rbac/tenantnamespace_editor_role.yaml b/containers/tenant-namespace-operator/config/rbac/tenantnamespace_editor_role.yaml new file mode 100644 index 0000000..dac1a0e --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/tenantnamespace_editor_role.yaml @@ -0,0 +1,24 @@ +# permissions for end users to edit tenantnamespaces. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tenantnamespace-editor-role +rules: +- apiGroups: + - miscscripts.pnnl.gov + resources: + - tenantnamespaces + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - miscscripts.pnnl.gov + resources: + - tenantnamespaces/status + verbs: + - get diff --git a/containers/tenant-namespace-operator/config/rbac/tenantnamespace_viewer_role.yaml b/containers/tenant-namespace-operator/config/rbac/tenantnamespace_viewer_role.yaml new file mode 100644 index 0000000..d070c80 --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/tenantnamespace_viewer_role.yaml 
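Review bot: `manager-rolebinding` binds the cluster-wide `manager-role` to the namespace's `default` ServiceAccount, and the auth-proxy and leader-election bindings in this commit use the same subject. Every pod scheduled into the operator namespace without an explicit `serviceAccountName` — including a debugging pod someone `kubectl run`s there — then receives the operator's wildcard permissions on namespaces, clusterroles and clusterrolebindings. Create a dedicated `ServiceAccount` (e.g. `controller-manager`, which kustomize prefixes to `tenant-namespace-operator-controller-manager`), set `serviceAccountName` on the manager Deployment, and change `name: default` to that account in all three bindings; if the platform allows, also set `automountServiceAccountToken: false` on the namespace's default ServiceAccount.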
@@ -0,0 +1,20 @@ +# permissions for end users to view tenantnamespaces. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tenantnamespace-viewer-role +rules: +- apiGroups: + - miscscripts.pnnl.gov + resources: + - tenantnamespaces + verbs: + - get + - list + - watch +- apiGroups: + - miscscripts.pnnl.gov + resources: + - tenantnamespaces/status + verbs: + - get diff --git a/containers/tenant-namespace-operator/config/rbac/tenantnamespaceflavor_editor_role.yaml b/containers/tenant-namespace-operator/config/rbac/tenantnamespaceflavor_editor_role.yaml new file mode 100644 index 0000000..e6470de --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/tenantnamespaceflavor_editor_role.yaml @@ -0,0 +1,24 @@ +# permissions for end users to edit tenantnamespaceflavors. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tenantnamespaceflavor-editor-role +rules: +- apiGroups: + - miscscripts.pnnl.gov + resources: + - tenantnamespaceflavors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - miscscripts.pnnl.gov + resources: + - tenantnamespaceflavors/status + verbs: + - get diff --git a/containers/tenant-namespace-operator/config/rbac/tenantnamespaceflavor_viewer_role.yaml b/containers/tenant-namespace-operator/config/rbac/tenantnamespaceflavor_viewer_role.yaml new file mode 100644 index 0000000..84d6f17 --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/tenantnamespaceflavor_viewer_role.yaml @@ -0,0 +1,20 @@ +# permissions for end users to view tenantnamespaceflavors. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tenantnamespaceflavor-viewer-role +rules: +- apiGroups: + - miscscripts.pnnl.gov + resources: + - tenantnamespaceflavors + verbs: + - get + - list + - watch +- apiGroups: + - miscscripts.pnnl.gov + resources: + - tenantnamespaceflavors/status + verbs: + - get 
diff --git a/containers/tenant-namespace-operator/config/samples/kustomization.yaml b/containers/tenant-namespace-operator/config/samples/kustomization.yaml new file mode 100644 index 0000000..ae78b95 --- /dev/null +++ b/containers/tenant-namespace-operator/config/samples/kustomization.yaml @@ -0,0 +1,5 @@ +## Append samples you want in your CSV to this file as resources ## +resources: +- miscscripts_v1beta1_tenantnamespace.yaml +- miscscripts_v1beta1_tenantnamespaceflavor.yaml +# +kubebuilder:scaffold:manifestskustomizesamples diff --git a/containers/tenant-namespace-operator/examples/miscscripts.pnnl.gov_v1beta1_tenantnamespace_cr.yaml b/containers/tenant-namespace-operator/config/samples/miscscripts_v1beta1_tenantnamespace.yaml similarity index 100% rename from containers/tenant-namespace-operator/examples/miscscripts.pnnl.gov_v1beta1_tenantnamespace_cr.yaml rename to containers/tenant-namespace-operator/config/samples/miscscripts_v1beta1_tenantnamespace.yaml diff --git a/containers/tenant-namespace-operator/examples/miscscripts.pnnl.gov_v1beta1_tenantnamespaceflavor_cr.yaml b/containers/tenant-namespace-operator/config/samples/miscscripts_v1beta1_tenantnamespaceflavor.yaml similarity index 100% rename from containers/tenant-namespace-operator/examples/miscscripts.pnnl.gov_v1beta1_tenantnamespaceflavor_cr.yaml rename to containers/tenant-namespace-operator/config/samples/miscscripts_v1beta1_tenantnamespaceflavor.yaml diff --git a/containers/tenant-namespace-operator/config/scorecard/bases/config.yaml b/containers/tenant-namespace-operator/config/scorecard/bases/config.yaml new file mode 100644 index 0000000..c770478 --- /dev/null +++ b/containers/tenant-namespace-operator/config/scorecard/bases/config.yaml @@ -0,0 +1,7 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: [] 
diff --git a/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml b/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml new file mode 100644 index 0000000..d73509e --- /dev/null +++ b/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml @@ -0,0 +1,16 @@ +resources: +- bases/config.yaml +patchesJson6902: +- path: patches/basic.config.yaml + target: + group: scorecard.operatorframework.io + version: v1alpha3 + kind: Configuration + name: config +- path: patches/olm.config.yaml + target: + group: scorecard.operatorframework.io + version: v1alpha3 + kind: Configuration + name: config +# +kubebuilder:scaffold:patchesJson6902 diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml new file mode 100644 index 0000000..4581edc --- /dev/null +++ b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml @@ -0,0 +1,10 @@ +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.4.0 + labels: + suite: basic + test: basic-check-spec-test diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml new file mode 100644 index 0000000..9422681 --- /dev/null +++ b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml 
@@ -0,0 +1,50 @@ +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.4.0 + labels: + suite: olm + test: olm-bundle-validation-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.4.0 + labels: + suite: olm + test: olm-crds-have-validation-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-crds-have-resources + image: quay.io/operator-framework/scorecard-test:v1.4.0 + labels: + suite: olm + test: olm-crds-have-resources-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.4.0 + labels: + suite: olm + test: olm-spec-descriptors-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-status-descriptors + image: quay.io/operator-framework/scorecard-test:v1.4.0 + labels: + suite: olm + test: olm-status-descriptors-test diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/README.md b/containers/tenant-namespace-operator/roles/tenantnamespace/README.md index 3ebede3..c88a8ca 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespace/README.md +++ b/containers/tenant-namespace-operator/roles/tenantnamespace/README.md 
@@ -6,22 +6,27 @@ A brief description of the role goes here. Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, +if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +A description of the settable variables for this role should go here, including any variables that are in +defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables +that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set +for other roles, or variables that are used from other roles. Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for +users too: - hosts: servers roles: 
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/defaults/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/defaults/main.yml
index e3bc486..ef917c4 100644
--- a/containers/tenant-namespace-operator/roles/tenantnamespace/defaults/main.yml
+++ b/containers/tenant-namespace-operator/roles/tenantnamespace/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-# defaults file for tenantnamespace
+# defaults file for TenantNamespace
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/handlers/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/handlers/main.yml
index b9adc54..66f94e3 100644
--- a/containers/tenant-namespace-operator/roles/tenantnamespace/handlers/main.yml
+++ b/containers/tenant-namespace-operator/roles/tenantnamespace/handlers/main.yml
@@ -1,2 +1,2 @@
 ---
-# handlers file for gitlabrunner
+# handlers file for TenantNamespace
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml
index a58b193..60119cb 100644
--- a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml
+++ b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml
@@ -1,5 +1,5 @@ --- -# tasks file for tenantnamespace +# tasks file for TenantNamespace - name: Set dryrun value set_fact:
@@ -7,7 +7,7 @@ - name: Set admin labels set_fact: - adminlabels: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceLabels | default({}) | combine({'name': meta.name + '-admin', 'miscscripts.pnnl.gov/namespace-type': 'admin'}, recursive=True) }}" + adminlabels: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceLabels | default({}) | combine({'name': ansible_operator_meta.name + '-admin', 'miscscripts.pnnl.gov/namespace-type': 'admin'}, recursive=True) }}" - name: Create the k8s admin namespace k8s: 
@@ -16,7 +16,7 @@ apiVersion: v1 kind: Namespace metadata: - name: "{{ meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-admin" labels: "{{ adminlabels }}" annotations: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceAnnotations | default({}) }}" when: @@ -63,8 +63,8 @@ gitlabRunner: spec: runners: - namespace: "{{ meta.name }}" - tags: "{{ (merged_values.gitlabRunner.spec.runners.tags.split(',') + [meta.name]) | unique | list | join(',') }}" + namespace: "{{ ansible_operator_meta.name }}" + tags: "{{ (merged_values.gitlabRunner.spec.runners.tags.split(',') + [ansible_operator_meta.name]) | unique | list | join(',') }}" when: - merged_values.gitlabRunner.spec.runners.tags is defined - name: Setup gitlabRunner if needed @@ -73,8 +73,8 @@ gitlabRunner: spec: runners: - namespace: "{{ meta.name }}" - tags: "{{ meta.name }}" + namespace: "{{ ansible_operator_meta.name }}" + tags: "{{ ansible_operator_meta.name }}" when: - merged_values.gitlabRunner.spec.runners.tags is not defined @@ -87,15 +87,15 @@ - name: Set value for forced settings set_fact: overrides: - namespace: "{{ meta.name }}" + namespace: "{{ ansible_operator_meta.name }}" magicnamespace: - namespace: "{{ meta.name }}" + namespace: "{{ ansible_operator_meta.name }}" ingress: nginx: clusterRole: "{{ lookup('env','INGRESS_CLUSTERROLE') | default('tenant-namespace-operator-ingress-controller') }}" controller: scope: - namespace: "{{ meta.name }}" + namespace: "{{ ansible_operator_meta.name }}" - name: Force namespace settings. Can not be overridden. set_fact: merged_values: "{{ merged_values | combine(overrides, recursive=True) }}" @@ -110,8 +110,8 @@ k8s_info: api_version: v1 kind: Service - name: "{{ meta.name }}-ingress-controller" - namespace: "{{ meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-ingress-controller" + namespace: "{{ ansible_operator_meta.name }}-admin" register: ingressService when: > merged_values.ingress.nginx.enabled and 
@@ -126,8 +126,8 @@ - k8s_status: api_version: miscscripts.pnnl.gov/v1beta1 kind: TenantNamespace - name: "{{ meta.name }}" - namespace: "{{ meta.namespace }}" + name: "{{ ansible_operator_meta.name }}" + namespace: "{{ ansible_operator_meta.namespace }}" status: loadBalancerIP: "{{ ingressService.resources[0].status.loadBalancer.ingress[0].ip }}" when: @@ -178,24 +178,24 @@ loop: - api_version: apps/v1 kind: Deployment - namespace: "{{ meta.name }}-admin" - name: "{{ meta.name }}-ingress-controller" + namespace: "{{ ansible_operator_meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-ingress-controller" - api_version: v1 kind: Service - namespace: "{{ meta.name }}-admin" - name: "{{ meta.name }}-ingress-controller" + namespace: "{{ ansible_operator_meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-ingress-controller" - api_version: v1 kind: Service - namespace: "{{ meta.name }}-admin" - name: "{{ meta.name }}-ingress-controller-metrics" + namespace: "{{ ansible_operator_meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-ingress-controller-metrics" - api_version: apps/v1 kind: Deployment - namespace: "{{ meta.name }}-admin" - name: "{{ meta.name }}-ingress-default-backend" + namespace: "{{ ansible_operator_meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-ingress-default-backend" - api_version: v1 kind: Service - namespace: "{{ meta.name }}-admin" - name: "{{ meta.name }}-ingress-default-backend" + namespace: "{{ ansible_operator_meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-ingress-default-backend" when: - not dryrun - ingressService is defined @@ -210,8 +210,8 @@ k8s_status: api_version: miscscripts.pnnl.gov/v1beta1 kind: TenantNamespace - name: "{{ meta.name }}" - namespace: "{{ meta.namespace }}" + name: "{{ ansible_operator_meta.name }}" + namespace: "{{ ansible_operator_meta.namespace }}" status: ingressNginxUpgradeComplete: true when: 
@@ -227,8 +227,8 @@ #FIXME Consider making a service account specifically for this so it can't cross namespaces as far as it can today - name: Run Helm helm: - name: "{{ meta.name }}" - namespace: "{{ meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}" + namespace: "{{ ansible_operator_meta.name }}-admin" chart_ref: ${HOME}/tenant-namespace values: "{{ merged_values }}" register: objs @@ -252,9 +252,9 @@ dest: "{{ temp_filename.path }}" no_log: True - name: Do dry run of helm - shell: "helm diff upgrade --install --detailed-exitcode --namespace {{ meta.name }}-admin {{ meta.name }} ${HOME}/tenant-namespace -f {{ temp_filename.path }}" + shell: "helm diff upgrade --install --detailed-exitcode --namespace {{ ansible_operator_meta.name }}-admin {{ ansible_operator_meta.name }} ${HOME}/tenant-namespace -f {{ temp_filename.path }}" register: diffhelm - ignore_errors: yes + ignore_errors: True no_log: True - name: Set diff set_fact: @@ -269,14 +269,14 @@ - k8s_status: api_version: miscscripts.pnnl.gov/v1beta1 kind: TenantNamespace - name: "{{ meta.name }}" - namespace: "{{ meta.namespace }}" + name: "{{ ansible_operator_meta.name }}" + namespace: "{{ ansible_operator_meta.namespace }}" status: diff: "{{ differ | b64encode }}" - name: Set user labels set_fact: - userlabels: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceLabels | default({}) | combine({'name': meta.name, 'miscscripts.pnnl.gov/namespace-type': 'user'}, recursive=True) }}" + userlabels: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceLabels | default({}) | combine({'name': ansible_operator_meta.name, 'miscscripts.pnnl.gov/namespace-type': 'user'}, recursive=True) }}" - name: Create the k8s user namespace k8s: @@ -285,7 +285,7 @@ apiVersion: v1 kind: Namespace metadata: - name: "{{ meta.name }}" + name: "{{ ansible_operator_meta.name }}" labels: "{{ userlabels }}" annotations: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceAnnotations | default({}) }}" when: 
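Review bot: The `shell:` line of the "Do dry run of helm" task still interpolates `ansible_operator_meta.name` unquoted into a shell command string, so the command's safety rests entirely on the API server's DNS-1123 validation of the custom resource name; the rename does not change this. Making that explicit costs one edit, `shell: "helm diff upgrade --install --detailed-exitcode --namespace {{ (ansible_operator_meta.name ~ '-admin') | quote }} {{ ansible_operator_meta.name | quote }} ${HOME}/tenant-namespace -f {{ temp_filename.path | quote }}"`, and removes the dependency on upstream validation. The `ignore_errors: yes` to `True` change is style only; since `no_log: True` hides the output, a comment such as `# --detailed-exitcode makes helm diff exit non-zero when changes are present, so failure here is expected` would record why errors are tolerated. The enclosing task list continues outside this hunk.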
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/vars/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/vars/main.yml
index b2e5b69..901daba 100644
--- a/containers/tenant-namespace-operator/roles/tenantnamespace/vars/main.yml
+++ b/containers/tenant-namespace-operator/roles/tenantnamespace/vars/main.yml
@@ -1,2 +1,2 @@
 ---
-# vars file for tenantnamespace
+# vars file for TenantNamespace
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml
index 535f3d2..336bde5 100644
--- a/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml
+++ b/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml
@@ -4,8 +4,8 @@ #Check to see release exists. If it doesnt continue on. If it does, delete it. - name: Delete the helm release helm: - name: "{{ meta.name }}" - namespace: "{{ meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}" + namespace: "{{ ansible_operator_meta.name }}-admin" state: absent register: objs
@@ -16,7 +16,7 @@ apiVersion: v1 kind: Namespace metadata: - name: "{{ meta.name }}" + name: "{{ ansible_operator_meta.name }}" - name: Delete the k8s admin namespace k8s:
@@ -25,5 +25,5 @@ apiVersion: v1 kind: Namespace metadata: - name: "{{ meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-admin"
diff --git a/containers/tenant-namespace-operator/watches.yaml b/containers/tenant-namespace-operator/watches.yaml
index 26a4dd8..17fae67 100644
--- a/containers/tenant-namespace-operator/watches.yaml
+++ b/containers/tenant-namespace-operator/watches.yaml
@@ -1,4 +1,5 @@
 ---
+# Use the 'create api' subcommand to add watches to this file.
 - version: v1beta1
 group: miscscripts.pnnl.gov
 kind: TenantNamespace
@@ -7,3 +8,4 @@ finalizer: name: finalizer.tenantnamespace.miscscripts.pnnl.gov role: tenantnamespacefin +# +kubebuilder:scaffold:watch