diff --git a/charts/charts/tenant-namespace-operator/Chart.yaml b/charts/charts/tenant-namespace-operator/Chart.yaml index 0d79925..e870eb8 100644 --- a/charts/charts/tenant-namespace-operator/Chart.yaml +++ b/charts/charts/tenant-namespace-operator/Chart.yaml @@ -14,8 +14,8 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 0.1.17 +version: 0.1.18 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 0.1.14-1 +appVersion: 0.1.15-1 diff --git a/charts/charts/tenant-namespace-operator/templates/clusterrole.yaml b/charts/charts/tenant-namespace-operator/templates/clusterrole.yaml index 586554b..a2dc509 100644 --- a/charts/charts/tenant-namespace-operator/templates/clusterrole.yaml +++ b/charts/charts/tenant-namespace-operator/templates/clusterrole.yaml @@ -8,7 +8,7 @@ rules: - apiGroups: - miscscripts.pnnl.gov resources: - - 'tenantnamespaceflavors' + - tenantnamespaceflavors verbs: - get - list @@ -16,37 +16,25 @@ rules: - apiGroups: - "" resources: - - 'namespaces' - - 'resourcequotas' - - 'limitranges' + - namespaces + - resourcequotas + - limitranges verbs: - "*" - apiGroups: - rbac.authorization.k8s.io resources: - - 'rolebindings' + - rolebindings + - clusterroles + - clusterrolebindings verbs: - "*" - apiGroups: - - rbac.authorization.k8s.io - resources: - - 'clusterroles' - - 'clusterrolebindings' - verbs: - - "*" -- apiGroups: - - networking.k8s.io/v1 + - networking.k8s.io resources: - networkpolicies verbs: - "*" -- apiGroups: - - rbac.authorization.k8s.io - resources: - - 'clusterroles' - - 'clusterrolebindings' - verbs: - - "*" - apiGroups: - extensions - "networking.k8s.io" # k8s 1.14+ 
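Review bot: The merged rule now grants verbs `"*"` on rolebindings, clusterroles and clusterrolebindings in one place, and a wildcard verb on RBAC resources includes `bind` and `escalate`, so the operator's service account can hand out permissions it does not hold itself rather than only the tenant roles it reconciles. If creating and updating those objects is all the operator does, spelling the verbs out (`get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) keeps that ceiling explicit and lets the API server's escalation check apply. The fixed `networking.k8s.io` group is right, but the trailing rule still lists `extensions` next to `"networking.k8s.io"`; on clusters 1.22 and later the extensions group no longer serves Ingress, so that entry looks like dead weight and a comment saying which cluster versions it is kept for would help. The last rule of this hunk continues past the hunk end.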
diff --git a/charts/charts/tenant-namespace-operator/templates/deployment.yaml b/charts/charts/tenant-namespace-operator/templates/deployment.yaml index f796d24..fd45255 100644 --- a/charts/charts/tenant-namespace-operator/templates/deployment.yaml +++ b/charts/charts/tenant-namespace-operator/templates/deployment.yaml @@ -45,7 +45,7 @@ spec: initialDelaySeconds: 5 periodSeconds: 10 args: - - "--enable-leader-election" + - "--leader-elect" - "--leader-election-id=tenant-namespace-operator" env: - name: ANSIBLE_GATHERING diff --git a/charts/charts/tenant-namespace-operator/templates/leader-election-role-binding.yaml b/charts/charts/tenant-namespace-operator/templates/leader-election-role-binding.yaml new file mode 100644 index 0000000..a5406b6 --- /dev/null +++ b/charts/charts/tenant-namespace-operator/templates/leader-election-role-binding.yaml @@ -0,0 +1,15 @@ +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant-namespace-operator.fullname" . }}-le + labels: +{{ include "tenant-namespace-operator.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "tenant-namespace-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ include "tenant-namespace-operator.fullname" . }}-le + apiGroup: rbac.authorization.k8s.io diff --git a/charts/charts/tenant-namespace-operator/templates/leader-election-role.yaml b/charts/charts/tenant-namespace-operator/templates/leader-election-role.yaml new file mode 100644 index 0000000..f7fa8dd --- /dev/null +++ b/charts/charts/tenant-namespace-operator/templates/leader-election-role.yaml 
@@ -0,0 +1,20 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "tenant-namespace-operator.fullname" . }}-le + labels: +{{ include "tenant-namespace-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete diff --git a/charts/charts/tenant-namespace-operator/templates/role.yaml b/charts/charts/tenant-namespace-operator/templates/role.yaml index ab2b6bb..c32fb7c 100644 --- a/charts/charts/tenant-namespace-operator/templates/role.yaml +++ b/charts/charts/tenant-namespace-operator/templates/role.yaml @@ -39,6 +39,19 @@ rules: - patch - update - watch +# needed for ingress leader election pre 1.24 +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - monitoring.coreos.com resources: diff --git a/charts/charts/tenant-namespace-operator/values.yaml b/charts/charts/tenant-namespace-operator/values.yaml index fd0c5b1..e236cf7 100644 --- a/charts/charts/tenant-namespace-operator/values.yaml +++ b/charts/charts/tenant-namespace-operator/values.yaml @@ -28,15 +28,18 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: -podSecurityContext: {} +podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault # fsGroup: 2000 -securityContext: {} - # capabilities: - # drop: - # - ALL +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL # readOnlyRootFilesystem: true - # runAsNonRoot: true # runAsUser: 1000 resources: {} 
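Review bot: The comment `# needed for ingress leader election pre 1.24` does not say which component's 1.24 it means (Kubernetes or the ingress controller chart) or why a Lease permission would be needed only before that version, which is the opposite of the usual direction of that migration (Leases replacing ConfigMap locks). A maintainer deciding later whether the rule can be dropped needs the component and the version line to compare against; something like `# Leases for the tenant ingress controller's leader election; re-check once <component> >= 1.24 is the minimum supported` would answer both. The same comment and rule are added again to config/rbac/role.yaml further down in this diff, where the grant is cluster-wide because that file is a ClusterRole.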
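Review bot: `runAsNonRoot: true` is checked by the kubelet at container start against the image's configured user, and the Dockerfile in this same diff switches to `USER 0` with no later `USER` line visible in the shown hunks; if nothing between those hunks restores the non-root uid, every pod will fail with CreateContainerConfigError instead of running at all. Setting an explicit numeric `runAsUser` in `podSecurityContext` (the base image's `${USER_UID}` is already referenced in the Dockerfile) removes the dependency on image metadata and also avoids the case where a named image user cannot be verified as non-root. `readOnlyRootFilesystem` stays commented out; if it cannot be enabled because the operator writes under its home directory at runtime, a one-line comment saying so would stop the next reviewer from re-raising it. The same `runAsNonRoot` without `runAsUser` is added to config/manager/manager.yaml later in this diff.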
@@ -55,7 +58,19 @@ nodeSelector: {} tolerations: [] -affinity: {} +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - key: kubernetes.io/os + operator: In + values: + - linux ingressClass: enabled: true diff --git a/containers/tenant-namespace-operator/Dockerfile b/containers/tenant-namespace-operator/Dockerfile index 99acc7e..30bca69 100644 --- a/containers/tenant-namespace-operator/Dockerfile +++ b/containers/tenant-namespace-operator/Dockerfile @@ -1,16 +1,17 @@ -FROM quay.io/operator-framework/ansible-operator:v1.4.0 +FROM quay.io/operator-framework/ansible-operator:v1.32.0 ARG helm_version=v3.5.2 USER 0 RUN \ - yum clean all && \ - yum install -y git patch && \ - yum clean all && \ - curl -o helm.tar.gz https://get.helm.sh/helm-${helm_version}-linux-amd64.tar.gz && \ + dnf clean all && \ + dnf install -y git patch && \ + dnf clean all && \ + ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \ + curl -o helm.tar.gz https://get.helm.sh/helm-${helm_version}-linux-${ARCH}.tar.gz && \ tar -zxvf helm.tar.gz && \ - mv linux-amd64/helm /usr/local/bin/helm && \ + mv linux-${ARCH}/helm /usr/local/bin/helm && \ rm -f helm.tar.gz && \ - rm -rf linux-amd64 && \ + rm -rf linux-${ARCH} && \ touch /.extrafingerprints && \ chown ${USER_UID}:0 /.extrafingerprints @@ -22,7 +23,7 @@ COPY roles/ ${HOME}/roles/ #FIXME forcing ingress newer to work on newer k8s clusters. Fix upstream chart. RUN \ - ansible-galaxy collection install -r ${HOME}/requirements.yml && \ + ansible-galaxy install -r ${HOME}/requirements.yml && \ chmod -R ug+rwx ${HOME}/.ansible && \ helm plugin install https://github.com/databus23/helm-diff --version master && \ helm pull --repo https://pnnl-miscscripts.github.io/charts tenant-namespace --version 0.6.13 --untar && \ 
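Review bot: The new default `affinity` pins pods to `kubernetes.io/arch` `amd64` only, while this same diff makes the Dockerfile architecture-aware and sets the Makefile's `PLATFORMS` to `linux/arm64,linux/amd64`, so arm64 nodes are excluded from scheduling for no visible reason. Either add `- arm64` under `values:` (matching config/manager/manager.yaml in this diff) or drop the arch term and keep only the `kubernetes.io/os` constraint. Turning a previously empty `affinity: {}` into a hard `requiredDuringSchedulingIgnoredDuringExecution` rule is also a behaviour change for existing installs that override nothing, and deserves a comment above the key or a line in the chart notes.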
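Review bot: The Helm tarball is fetched at build time with `curl -o` and unpacked straight into `/usr/local/bin` with no integrity check, so whatever the network returns becomes the `helm` binary every reconcile runs; the new `${ARCH}` substitution does not change that. Helm publishes a `.sha256sum` next to each archive, so downloading to the archive's real name and verifying it is two lines: `curl -fsSLo "helm-${helm_version}-linux-${ARCH}.tar.gz" "https://get.helm.sh/helm-${helm_version}-linux-${ARCH}.tar.gz"` followed by `curl -fsSL "https://get.helm.sh/helm-${helm_version}-linux-${ARCH}.tar.gz.sha256sum" | sha256sum -c -` (then untar and remove that file name). Adding `-f` also makes a 404 fail the build instead of handing an HTML page to `tar`. The `ARCH=$(uname -m | sed ...)` mapping only covers x86_64 and aarch64; on any other build host it silently produces a URL that does not exist, so a guard such as `case "$ARCH" in amd64|arm64) ;; *) exit 1 ;; esac` would fail early.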
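Review bot: Replacing `ansible-galaxy collection install -r` with `ansible-galaxy install -r` changes how `requirements.yml` is read: the plain `install` form expects a file with top-level `roles:`/`collections:` keys (a bare list is treated as legacy roles), so whether this still installs the same collections depends on the requirements file's shape, which is not in this diff and is worth confirming in the build log. The unchanged `helm plugin install https://github.com/databus23/helm-diff --version master` on the next line pins a moving branch, so the image is not reproducible even though every other tool in this diff is now on a tag; a release tag there would close that gap. The RUN block continues past the end of the hunk.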
@@ -32,4 +33,4 @@ RUN \ echo 0.1.13 >> /.extrafingerprints && \ md5sum watches.yaml >> /.extrafingerprints -ENTRYPOINT ["/usr/local/bin/ansible-operator", "run", "--watches-file=./watches.yaml", "--inject-owner-ref=false"] +ENTRYPOINT ["/tini", "--", "/usr/local/bin/ansible-operator", "run", "--watches-file=./watches.yaml", "--inject-owner-ref=false"] diff --git a/containers/tenant-namespace-operator/Makefile b/containers/tenant-namespace-operator/Makefile index 8f201fe..047ef55 100644 --- a/containers/tenant-namespace-operator/Makefile +++ b/containers/tenant-namespace-operator/Makefile @@ -6,10 +6,10 @@ VERSION ?= 0.0.1 # CHANNELS define the bundle channels used in the bundle. -# Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable") +# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") # To re-generate a bundle for other specific channels without changing the standard setup, you can: -# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=preview,fast,stable) -# - use environment variables to overwrite this value (e.g export CHANNELS="preview,fast,stable") +# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable) +# - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable") ifneq ($(origin CHANNELS), undefined) BUNDLE_CHANNELS := --channels=$(CHANNELS) endif 
@@ -24,59 +24,118 @@ BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL) endif BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) +# IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images. +# This variable is used to construct full image tags for bundle and catalog images. +# +# For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both +# pnnl.gov/tenant-namespace-operator-bundle:$VERSION and pnnl.gov/tenant-namespace-operator-catalog:$VERSION. +IMAGE_TAG_BASE ?= pnnlmiscscripts/tenant-namespace-operator + # BUNDLE_IMG defines the image:tag used for the bundle. # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=/:) -BUNDLE_IMG ?= controller-bundle:$(VERSION) +BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION) + +# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command +BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS) + +# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests +# You can enable this value if you would like to use SHA Based Digests +# To enable set flag to true +USE_IMAGE_DIGESTS ?= false +ifeq ($(USE_IMAGE_DIGESTS), true) + BUNDLE_GEN_FLAGS += --use-image-digests +endif + +# Set the Operator SDK version to use. By default, what is installed on the system is used. +# This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit. +OPERATOR_SDK_VERSION ?= v1.32.0 # Image URL to use all building/pushing image targets -IMG ?= controller:latest +IMG ?= $(IMAGE_TAG_BASE):$(VERSION) +.PHONY: all all: docker-build -# Run against the configured Kubernetes cluster in ~/.kube/config -run: ansible-operator +##@ General + +# The help target prints out all targets with their descriptions organized +# beneath their categories. The categories are represented by '##@' and the +# target descriptions by '##'. 
The awk commands is responsible for reading the +# entire set of makefiles included in this invocation, looking for lines of the +# file as xyz: ## something, and then pretty-format the target and help. Then, +# if there's a line with ##@ something, that gets pretty-printed as a category. +# More info on the usage of ANSI control characters for terminal formatting: +# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters +# More info on the awk command: +# http://linuxcommand.org/lc3_adv_awk.php + +.PHONY: help +help: ## Display this help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + +##@ Build + +.PHONY: run +ANSIBLE_ROLES_PATH?="$(shell pwd)/roles" +run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config $(ANSIBLE_OPERATOR) run -# Install CRDs into a cluster -install: kustomize +.PHONY: docker-build +docker-build: ## Build docker image with the manager. + docker build -t ${IMG} . + +.PHONY: docker-push +docker-push: ## Push docker image with the manager. + docker push ${IMG} + +# PLATFORMS defines the target platforms for the manager image be build to provide support to multiple +# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: +# - able to use docker buildx . More info: https://docs.docker.com/build/buildx/ +# - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/ +# - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=> than the export will fail) +# To properly provided solutions that supports more than one platform you should use this option. 
+PLATFORMS ?= linux/arm64,linux/amd64 +.PHONY: docker-buildx +docker-buildx: test ## Build and push docker image for the manager for cross-platform support + # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile + sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross + - docker buildx create --name project-v3-builder + docker buildx use project-v3-builder + - docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . + - docker buildx rm project-v3-builder + rm Dockerfile.cross + +##@ Deployment + +.PHONY: install +install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/crd | kubectl apply -f - -# Uninstall CRDs from a cluster -uninstall: kustomize +.PHONY: uninstall +uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/crd | kubectl delete -f - -# Deploy controller in the configured Kubernetes cluster in ~/.kube/config -deploy: kustomize +.PHONY: deploy +deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} $(KUSTOMIZE) build config/default | kubectl apply -f - -# Undeploy controller in the configured Kubernetes cluster in ~/.kube/config -undeploy: kustomize +.PHONY: undeploy +undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/default | kubectl delete -f - -# Build the docker image -docker-build: - docker build -t ${IMG} . 
- -# Push the docker image -docker-push: - docker push ${IMG} - -PATH := $(PATH):$(PWD)/bin -SHELL := env 'PATH=$(PATH)' /bin/sh OS := $(shell uname -s | tr '[:upper:]' '[:lower:]') -ARCH := $(shell uname -m | sed 's/x86_64/amd64/') +ARCH := $(shell uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') -# Download kustomize locally if necessary, preferring the $(pwd)/bin path over global if both exist. .PHONY: kustomize KUSTOMIZE = $(shell pwd)/bin/kustomize -kustomize: +kustomize: ## Download kustomize locally if necessary. ifeq (,$(wildcard $(KUSTOMIZE))) ifeq (,$(shell which kustomize 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(KUSTOMIZE)) ;\ - curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.5.4/kustomize_v3.5.4_$(OS)_$(ARCH).tar.gz | \ + curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_$(OS)_$(ARCH).tar.gz | \ tar xzf - -C bin/ ;\ } else @@ -84,16 +143,15 @@ KUSTOMIZE = $(shell which kustomize) endif endif -# Download ansible-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist. .PHONY: ansible-operator ANSIBLE_OPERATOR = $(shell pwd)/bin/ansible-operator -ansible-operator: +ansible-operator: ## Download ansible-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist. ifeq (,$(wildcard $(ANSIBLE_OPERATOR))) ifeq (,$(shell which ansible-operator 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\ - curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.4.0/ansible-operator_$(OS)_$(ARCH) ;\ + curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.32.0/ansible-operator_$(OS)_$(ARCH) ;\ chmod +x $(ANSIBLE_OPERATOR) ;\ } else 
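Review bot: The `kustomize` recipe pipes an unverified `curl` download from GitHub straight into `tar xzf - -C bin/` and then executes the result, and the `ansible-operator`, `operator-sdk` and `opm` recipes in the following hunks do the same with `chmod +x`; none of them checks a checksum, so the toolchain behind `make bundle` and `make deploy` is whatever the network returns. kustomize and operator-sdk publish a `checksums.txt` with each release (check whether the operator-registry release used for opm does too), and a `sha256sum -c` after each download, or a per-tool checksum variable at the top of the Makefile, would pin them. Separately, `docker-buildx: test` names a `test` prerequisite that does not appear anywhere in this Makefile; unless one exists outside the diff, `make docker-buildx` fails with `No rule to make target 'test'`. `ANSIBLE_ROLES_PATH?=...` is assigned but not exported, so the `run` recipe's child process will not see it unless an `export` line exists elsewhere.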
@@ -101,15 +159,73 @@ ANSIBLE_OPERATOR = $(shell which ansible-operator) endif endif -# Generate bundle manifests and metadata, then validate generated files. +.PHONY: operator-sdk +OPERATOR_SDK ?= ./bin/operator-sdk +operator-sdk: ## Download operator-sdk locally if necessary. +ifeq (,$(wildcard $(OPERATOR_SDK))) +ifeq (, $(shell which operator-sdk 2>/dev/null)) + @{ \ + set -e ;\ + mkdir -p $(dir $(OPERATOR_SDK)) ;\ + curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$(OS)_$(ARCH) ;\ + chmod +x $(OPERATOR_SDK) ;\ + } +else +OPERATOR_SDK = $(shell which operator-sdk) +endif +endif + .PHONY: bundle -bundle: kustomize - operator-sdk generate kustomize manifests -q +bundle: kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files. + $(OPERATOR_SDK) generate kustomize manifests -q cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) - $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS) - operator-sdk bundle validate ./bundle + $(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) + $(OPERATOR_SDK) bundle validate ./bundle -# Build the bundle image. .PHONY: bundle-build -bundle-build: +bundle-build: ## Build the bundle image. docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . + +.PHONY: bundle-push +bundle-push: ## Push the bundle image. + $(MAKE) docker-push IMG=$(BUNDLE_IMG) + +.PHONY: opm +OPM = ./bin/opm +opm: ## Download opm locally if necessary. +ifeq (,$(wildcard $(OPM))) +ifeq (,$(shell which opm 2>/dev/null)) + @{ \ + set -e ;\ + mkdir -p $(dir $(OPM)) ;\ + curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$(OS)-$(ARCH)-opm ;\ + chmod +x $(OPM) ;\ + } +else +OPM = $(shell which opm) +endif +endif + +# A comma-separated list of bundle images (e.g. 
make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0). +# These images MUST exist in a registry and be pull-able. +BUNDLE_IMGS ?= $(BUNDLE_IMG) + +# The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0). +CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION) + +# Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image. +ifneq ($(origin CATALOG_BASE_IMG), undefined) +FROM_INDEX_OPT := --from-index $(CATALOG_BASE_IMG) +endif + +# Build a catalog image by adding bundle images to an empty catalog using the operator package manager tool, 'opm'. +# This recipe invokes 'opm' in 'semver' bundle add mode. For more information on add modes, see: +# https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator +.PHONY: catalog-build +catalog-build: opm ## Build a catalog image. + $(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT) + +# Push the catalog image. +.PHONY: catalog-push +catalog-push: ## Push a catalog image. + $(MAKE) docker-push IMG=$(CATALOG_IMG) diff --git a/containers/tenant-namespace-operator/PROJECT b/containers/tenant-namespace-operator/PROJECT index be0a6ea..7195632 100644 --- a/containers/tenant-namespace-operator/PROJECT +++ b/containers/tenant-namespace-operator/PROJECT 
@@ -1,14 +1,27 @@ +# Code generated by tool. DO NOT EDIT. +# This file is used to track the info used to scaffold your project +# and allow the plugins properly work. +# More info: https://book.kubebuilder.io/reference/project-config.html domain: pnnl.gov -layout: ansible.sdk.operatorframework.io/v1 +layout: +- ansible.sdk.operatorframework.io/v1 +plugins: + manifests.sdk.operatorframework.io/v2: {} + scorecard.sdk.operatorframework.io/v2: {} projectName: tenant-namespace-operator resources: -- group: miscscripts +- api: + crdVersion: v1 + namespaced: false + domain: pnnl.gov + group: miscscripts kind: TenantNamespace version: v1beta1 -- group: miscscripts +- api: + crdVersion: v1 + namespaced: false + domain: pnnl.gov + group: miscscripts kind: TenantNamespaceFlavor version: v1beta1 -version: 3-alpha -plugins: - manifests.sdk.operatorframework.io/v2: {} - scorecard.sdk.operatorframework.io/v2: {} +version: "3" diff --git a/containers/tenant-namespace-operator/buildenv b/containers/tenant-namespace-operator/buildenv index 04a4b2d..9039d65 100644 --- a/containers/tenant-namespace-operator/buildenv +++ b/containers/tenant-namespace-operator/buildenv @@ -1 +1 @@ -export PREFIX=0.1.14 +export PREFIX=0.1.15 diff --git a/containers/tenant-namespace-operator/config/crd/kustomization.yaml b/containers/tenant-namespace-operator/config/crd/kustomization.yaml index ac3d522..30206ac 100644 --- a/containers/tenant-namespace-operator/config/crd/kustomization.yaml +++ b/containers/tenant-namespace-operator/config/crd/kustomization.yaml @@ -4,4 +4,4 @@ resources: - bases/miscscripts.pnnl.gov_tenantnamespaces.yaml - bases/miscscripts.pnnl.gov_tenantnamespaceflavors.yaml -# +kubebuilder:scaffold:crdkustomizeresource +#+kubebuilder:scaffold:crdkustomizeresource diff --git a/containers/tenant-namespace-operator/config/default/kustomization.yaml b/containers/tenant-namespace-operator/config/default/kustomization.yaml index 1e5312b..bfb2076 100644 
--- a/containers/tenant-namespace-operator/config/default/kustomization.yaml +++ b/containers/tenant-namespace-operator/config/default/kustomization.yaml @@ -9,10 +9,12 @@ namespace: tenant-namespace-operator namePrefix: tenant-namespace-operator- # Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue -bases: +resources: - ../crd - ../rbac - ../manager @@ -20,7 +22,9 @@ bases: #- ../prometheus patchesStrategicMerge: - # Protect the /metrics endpoint by putting it behind auth. - # If you want your controller-manager to expose the /metrics - # endpoint w/o any authn/z, please comment the following line. +# Protect the /metrics endpoint by putting it behind auth. +# If you want your controller-manager to expose the /metrics +# endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml + + diff --git a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml index f1b16e3..9e1fc82 100644 --- a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml +++ b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml 
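Review bot: `patchesStrategicMerge` still lists only `manager_auth_proxy_patch.yaml`, while this diff adds `config/default/manager_config_patch.yaml` as a new file that nothing references, so it is never applied; the upstream scaffold normally carries a commented `#- manager_config_patch.yaml` entry here, and either adding that line or dropping the file would make the intent clear. The two blank lines appended at the end of the file are trailing whitespace that yamllint will flag; one newline is enough. `patchesStrategicMerge` is deprecated in favour of `patches:` from kustomize v5, which the Makefile's pin to v4.5.7 sidesteps today but not on the next bump; a short comment noting that coupling would save the next upgrader a surprise.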
@@ -8,19 +8,49 @@ metadata: spec: template: spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux containers: - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8080/" - "--logtostderr=true" - - "--v=10" + - "--v=0" ports: - containerPort: 8443 + protocol: TCP name: https + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi - name: manager args: - - "--metrics-addr=127.0.0.1:8080" - - "--enable-leader-election" + - "--health-probe-bind-address=:6789" + - "--metrics-bind-address=127.0.0.1:8080" + - "--leader-elect" - "--leader-election-id=tenant-namespace-operator" diff --git a/containers/tenant-namespace-operator/config/default/manager_config_patch.yaml b/containers/tenant-namespace-operator/config/default/manager_config_patch.yaml new file mode 100644 index 0000000..f6f5891 --- /dev/null +++ b/containers/tenant-namespace-operator/config/default/manager_config_patch.yaml @@ -0,0 +1,10 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager diff --git a/containers/tenant-namespace-operator/config/manager/manager.yaml b/containers/tenant-namespace-operator/config/manager/manager.yaml index 411b7a4..4710fb7 100644 --- a/containers/tenant-namespace-operator/config/manager/manager.yaml +++ b/containers/tenant-namespace-operator/config/manager/manager.yaml 
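Review bot: The `affinity` added here lists `ppc64le` and `s390x` while the Makefile's `PLATFORMS` in this diff builds only `linux/arm64,linux/amd64` and the chart's values pin `amd64`; because `nodeSelectorTerms` is a list without a merge key, this strategic-merge patch replaces the affinity in config/manager/manager.yaml rather than combining with it, so the kustomize deployment can schedule onto a ppc64le node and then sit in ImagePullBackOff for lack of a matching manifest. Trim the list to the architectures actually built, or drive all three places from one source. `gcr.io/kubebuilder/kube-rbac-proxy` has been announced by the kubebuilder project as going away, so `v0.13.1` should be mirrored into a registry the project controls (or the proxy replaced) before the upstream tag disappears; the tag also carries no digest, so the pull is not immutable.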
@@ -19,28 +19,63 @@ spec: replicas: 1 template: metadata: + annotations: + kubectl.kubernetes.io/default-container: manager labels: control-plane: controller-manager spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - key: kubernetes.io/os + operator: In + values: + - linux + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - - name: manager - args: - - "--enable-leader-election" - - "--leader-election-id=tenant-namespace-operator" - env: - - name: ANSIBLE_GATHERING - value: explicit - image: controller:latest - livenessProbe: - httpGet: - path: /readyz - port: 6789 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /healthz - port: 6789 - initialDelaySeconds: 5 - periodSeconds: 10 + - args: + - --leader-elect + - --leader-election-id=tenant-namespace-operator + image: controller:latest + name: manager + env: + - name: ANSIBLE_GATHERING + value: explicit + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + livenessProbe: + httpGet: + path: /healthz + port: 6789 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 6789 + initialDelaySeconds: 5 + periodSeconds: 10 + # TODO(user): Configure the resources accordingly based on the project requirements. + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + limits: + cpu: 500m + memory: 768Mi + requests: + cpu: 10m + memory: 256Mi + serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/containers/tenant-namespace-operator/config/manifests/kustomization.yaml b/containers/tenant-namespace-operator/config/manifests/kustomization.yaml new file mode 100644 index 0000000..6063a99 --- /dev/null 
+++ b/containers/tenant-namespace-operator/config/manifests/kustomization.yaml @@ -0,0 +1,7 @@ +# These resources constitute the fully configured set of manifests +# used to generate the 'manifests/' directory in a bundle. +resources: +- bases/tenant-namespace-operator.clusterserviceversion.yaml +- ../default +- ../samples +- ../scorecard diff --git a/containers/tenant-namespace-operator/config/prometheus/monitor.yaml b/containers/tenant-namespace-operator/config/prometheus/monitor.yaml index 1b44d4f..d19136a 100644 --- a/containers/tenant-namespace-operator/config/prometheus/monitor.yaml +++ b/containers/tenant-namespace-operator/config/prometheus/monitor.yaml @@ -1,4 +1,4 @@ ---- + # Prometheus Monitor Service (Metrics) apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor @@ -11,6 +11,10 @@ spec: endpoints: - path: /metrics port: https + scheme: https + bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + tlsConfig: + insecureSkipVerify: true selector: matchLabels: control-plane: controller-manager diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml index bd4af13..51a75db 100644 --- a/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml +++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml @@ -3,5 +3,7 @@ kind: ClusterRole metadata: name: metrics-reader rules: -- nonResourceURLs: ["/metrics"] - verbs: ["get"] +- nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml index 618f5e4..80e1857 100644 --- a/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml +++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml 
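Review bot: `tlsConfig: insecureSkipVerify: true` together with `bearerTokenFile` means Prometheus presents its service-account token to whatever answers on the `https` port without checking the certificate, so a spoofed or misrouted scrape target receives a usable token. That is the scaffold's accommodation for kube-rbac-proxy's self-signed certificate; the safer shape is to serve the proxy a managed certificate (cert-manager or similar) and reference its CA here with `ca:` and `serverName:` instead of skipping verification, or at minimum put a comment on the line stating why verification is off and what would allow it to be turned back on.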
@@ -3,11 +3,15 @@ kind: ClusterRole metadata: name: proxy-role rules: -- apiGroups: ["authentication.k8s.io"] +- apiGroups: + - authentication.k8s.io resources: - tokenreviews - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] + verbs: + - create +- apiGroups: + - authorization.k8s.io resources: - subjectaccessreviews - verbs: ["create"] + verbs: + - create diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml index 48ed1e4..ec7acc0 100644 --- a/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml +++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml @@ -8,5 +8,5 @@ roleRef: name: proxy-role subjects: - kind: ServiceAccount - name: default + name: controller-manager namespace: system diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml index 6cf656b..71f1797 100644 --- a/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml +++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml @@ -9,6 +9,7 @@ spec: ports: - name: https port: 8443 + protocol: TCP targetPort: https selector: control-plane: controller-manager diff --git a/containers/tenant-namespace-operator/config/rbac/kustomization.yaml b/containers/tenant-namespace-operator/config/rbac/kustomization.yaml index 66c2833..731832a 100644 --- a/containers/tenant-namespace-operator/config/rbac/kustomization.yaml +++ b/containers/tenant-namespace-operator/config/rbac/kustomization.yaml 
@@ -1,4 +1,10 @@ resources: +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +- service_account.yaml - role.yaml - role_binding.yaml - leader_election_role.yaml diff --git a/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml b/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml index 53e9749..4190ec8 100644 --- a/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml +++ b/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml @@ -16,6 +16,18 @@ rules: - update - patch - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - "" resources: diff --git a/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml b/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml index eed1690..1d1321e 100644 --- a/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml +++ b/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml @@ -8,5 +8,5 @@ roleRef: name: leader-election-role subjects: - kind: ServiceAccount - name: default + name: controller-manager namespace: system diff --git a/containers/tenant-namespace-operator/config/rbac/role.yaml b/containers/tenant-namespace-operator/config/rbac/role.yaml index 853329c..bee268b 100644 --- a/containers/tenant-namespace-operator/config/rbac/role.yaml +++ b/containers/tenant-namespace-operator/config/rbac/role.yaml 
@@ -21,6 +21,19 @@ rules: - patch - update - watch + # needed for ingress leader election pre 1.24 + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - apps resources: @@ -38,6 +51,7 @@ rules: - monitoring.coreos.com resources: - servicemonitors + - prometheusrules verbs: - get - create @@ -121,4 +135,4 @@ rules: - get - list - watch -# +kubebuilder:scaffold:rules +#+kubebuilder:scaffold:rules diff --git a/containers/tenant-namespace-operator/config/rbac/role_binding.yaml b/containers/tenant-namespace-operator/config/rbac/role_binding.yaml index 98f8782..2070ede 100644 --- a/containers/tenant-namespace-operator/config/rbac/role_binding.yaml +++ b/containers/tenant-namespace-operator/config/rbac/role_binding.yaml @@ -1,4 +1,3 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -9,5 +8,5 @@ roleRef: name: manager-role subjects: - kind: ServiceAccount - name: default + name: controller-manager namespace: system diff --git a/containers/tenant-namespace-operator/config/rbac/service_account.yaml b/containers/tenant-namespace-operator/config/rbac/service_account.yaml new file mode 100644 index 0000000..7cd6025 --- /dev/null +++ b/containers/tenant-namespace-operator/config/rbac/service_account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller-manager + namespace: system diff --git a/containers/tenant-namespace-operator/config/samples/kustomization.yaml b/containers/tenant-namespace-operator/config/samples/kustomization.yaml index ae78b95..ea2ca2e 100644 --- a/containers/tenant-namespace-operator/config/samples/kustomization.yaml +++ b/containers/tenant-namespace-operator/config/samples/kustomization.yaml 
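Review bot: The new `leases` rule is cluster-wide (it lands in `manager-role`, which `role_binding.yaml` binds through a ClusterRoleBinding), and the comment says what it is for but not why the operator itself must hold it; if the reason is that the operator creates the ingress controller's RBAC and Kubernetes refuses to grant a permission the granter lacks, record that: `# cluster-wide lease CRUD: the operator grants this to the ingress controller's role (pre-1.24 leader election) and RBAC escalation prevention requires the granter to hold it`. The collapsed diff also suggests the added item is indented deeper (`+  - apiGroups:`) than the entries in `leader_election_role.yaml` (`+- apiGroups:`); if `rules:` in this file are flush-left, the new entry would be parsed as an element of the preceding `verbs` list and rejected by the API server, so a `kubectl apply --dry-run=server` of the rendered role is worth doing. The enclosing `rules:` list starts and ends outside the hunk.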
@@ -1,5 +1,5 @@ -## Append samples you want in your CSV to this file as resources ## +## Append samples of your project ## resources: - miscscripts_v1beta1_tenantnamespace.yaml - miscscripts_v1beta1_tenantnamespaceflavor.yaml -# +kubebuilder:scaffold:manifestskustomizesamples +#+kubebuilder:scaffold:manifestskustomizesamples diff --git a/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml b/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml index d73509e..50cd2d0 100644 --- a/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml @@ -13,4 +13,4 @@ patchesJson6902: version: v1alpha3 kind: Configuration name: config -# +kubebuilder:scaffold:patchesJson6902 +#+kubebuilder:scaffold:patchesJson6902 diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml index 4581edc..472a988 100644 --- a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.4.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: basic test: basic-check-spec-test diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml index 9422681..343c6d8 100644 --- a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml 
@@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.4.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.4.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.4.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.4.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.4.0 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/containers/tenant-namespace-operator/requirements.yml b/containers/tenant-namespace-operator/requirements.yml index 848028c..8baf919 100644 --- a/containers/tenant-namespace-operator/requirements.yml +++ b/containers/tenant-namespace-operator/requirements.yml @@ -1,5 +1,10 @@ +--- collections: - - name: community.kubernetes - version: "<2.0.0" - name: operator_sdk.util - version: "0.1.0" + version: "0.5.0" + - name: kubernetes.core + version: "2.4.0" + - name: cloud.common + version: "2.1.1" + - name: community.docker + version: "3.4.0" diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml index 0a5603e..e496738 100644 
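Review bot: `community.docker` 3.4.0 is added to the collection set, but nothing else in this diff references it (both role `meta/main.yml` files list only `operator_sdk.util` and `kubernetes.core`); if no task in the image uses it, drop the entry, since every installed collection is third-party code pulled at build time and widens the supply-chain surface for nothing. Pinning exact versions is the right direction; ansible-core 2.13+ can additionally verify collection signatures (a `signatures:` list per entry plus a keyring), which would turn the pin into an integrity check rather than just a version lock. The new `check_mode`/`diff` usage on the helm task elsewhere in this change also presumes the helm-diff plugin is in the image (the removed shell task called `helm diff`, so it presumably is) — a short comment here noting that runtime requirement would help.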
--- a/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml @@ -1,3 +1,4 @@ +--- galaxy_info: author: your name description: your description @@ -16,7 +17,7 @@ galaxy_info: # - CC-BY license: license (GPLv2, CC-BY, etc) - min_ansible_version: 2.9 + min_ansible_version: "2.9" # If this a Container Enabled role, provide the minimum Ansible Container version. # min_ansible_container_version: @@ -59,5 +60,5 @@ dependencies: [] # List your role dependencies here, one per line. Be sure to remove the '[]' above, # if you add dependencies to this list. collections: -- operator_sdk.util -- community.kubernetes + - operator_sdk.util + - kubernetes.core diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml index 60119cb..72d29dd 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml @@ -2,15 +2,15 @@ # tasks file for TenantNamespace - name: Set dryrun value - set_fact: - dryrun: "{{ lookup('env','DRYRUN') | default('False') | bool }}" + ansible.builtin.set_fact: + dryrun: "{{ lookup('env', 'DRYRUN') | default('False') | bool }}" - name: Set admin labels - set_fact: + ansible.builtin.set_fact: adminlabels: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceLabels | default({}) | combine({'name': ansible_operator_meta.name + '-admin', 'miscscripts.pnnl.gov/namespace-type': 'admin'}, recursive=True) }}" - name: Create the k8s admin namespace - k8s: + kubernetes.core.k8s: state: present definition: apiVersion: v1 
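Review bot: The fallback in `dryrun: "{{ lookup('env', 'DRYRUN') | default('False') | bool }}"` never fires: `lookup('env', …)` returns an empty string for an unset variable, and Jinja's `default` only substitutes for undefined values, so what actually reaches `bool` is `''`. That happens to evaluate false today, but it is implicit and whether `'' | bool` stays a quiet false depends on the ansible-core version; make the default explicit with `dryrun: "{{ lookup('env', 'DRYRUN') | default('False', true) | bool }}"` (the second argument makes empty values fall through to the default). Since `dryrun` now drives `check_mode` on every mutating task in this role, it is the one flag you want to be unambiguous.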
@@ -19,11 +19,10 @@ name: "{{ ansible_operator_meta.name }}-admin" labels: "{{ adminlabels }}" annotations: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceAnnotations | default({}) }}" - when: - - not dryrun + check_mode: "{{ dryrun }}" - name: Set initial defaults. They be overridden. - set_fact: + ansible.builtin.set_fact: merged_values: magicnamespace: tiller: @@ -35,30 +34,31 @@ ingress: nginx: enabled: true + - name: Load in Flavor values if referenced - block: - - name: Fetch referenced flavor - k8s_info: - api_version: miscscripts.pnnl.gov/v1beta1 - kind: TenantNamespaceFlavor - name: "{{ flavor_ref.name }}" - register: flavor - # Failures immediately trigger another reconciliation - failed_when: - - flavor.resources | length == 0 - - name: Merge in flavor values - set_fact: - merged_values: "{{ merged_values | combine(flavor.resources[0].spec, recursive=True) }}" when: - - flavor_ref is defined - - flavor_ref.kind == "TenantNamespaceFlavor" - - flavor_ref.group == "miscscripts.pnnl.gov" + - flavor_ref is defined + - flavor_ref.kind == "TenantNamespaceFlavor" + - flavor_ref.group == "miscscripts.pnnl.gov" + block: + - name: Fetch referenced flavor + kubernetes.core.k8s_info: + api_version: miscscripts.pnnl.gov/v1beta1 + kind: TenantNamespaceFlavor + name: "{{ flavor_ref.name }}" + register: flavor + # Failures immediately trigger another reconciliation + failed_when: + - flavor.resources | length == 0 + - name: Merge in flavor values + ansible.builtin.set_fact: + merged_values: "{{ merged_values | combine(flavor.resources[0].spec, recursive=True) }}" - name: Set values from CR - set_fact: + ansible.builtin.set_fact: merged_values: "{{ merged_values | combine(_miscscripts_pnnl_gov_tenantnamespace_spec, recursive=True) }}" - name: Setup gitlabRunner if needed - set_fact: + ansible.builtin.set_fact: gitlabrunnerconfig: gitlabRunner: spec: 
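Review bot: The merge order established here (`Set initial defaults` → flavor `spec` → CR spec → forced `overrides`) is what decides which values a tenant can override, and nothing in the hunk records it; a comment above `Merge in flavor values` such as `# Flavor values are presets only: the CR spec merged next wins, and only the 'overrides' task below is enforced` would stop the next reader from assuming a flavor can pin quotas or policies. If flavors are meant to be admin guardrails rather than presets, that ordering is the wrong way round — can't tell from the hunk which is intended. The `failed_when` on a missing flavor is fine as a retry trigger, but a typo'd `flavor_ref.name` will re-reconcile indefinitely without any status condition explaining why the namespace never appears.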
@@ -66,9 +66,9 @@ namespace: "{{ ansible_operator_meta.name }}" tags: "{{ (merged_values.gitlabRunner.spec.runners.tags.split(',') + [ansible_operator_meta.name]) | unique | list | join(',') }}" when: - - merged_values.gitlabRunner.spec.runners.tags is defined + - merged_values.gitlabRunner.spec.runners.tags is defined - name: Setup gitlabRunner if needed - set_fact: + ansible.builtin.set_fact: gitlabrunnerconfig: gitlabRunner: spec: 
@@ -76,38 +76,39 @@ namespace: "{{ ansible_operator_meta.name }}" tags: "{{ ansible_operator_meta.name }}" when: - - merged_values.gitlabRunner.spec.runners.tags is not defined + - merged_values.gitlabRunner.spec.runners.tags is not defined - name: Merge gitlabRunner values - set_fact: + ansible.builtin.set_fact: merged_values: "{{ merged_values | combine(gitlabrunnerconfig, recursive=True) }}" when: - - merged_values.gitlabRunner.autoSetNamespaceAndTags + - merged_values.gitlabRunner.autoSetNamespaceAndTags - name: Set value for forced settings - set_fact: + ansible.builtin.set_fact: overrides: namespace: "{{ ansible_operator_meta.name }}" magicnamespace: namespace: "{{ ansible_operator_meta.name }}" ingress: nginx: - clusterRole: "{{ lookup('env','INGRESS_CLUSTERROLE') | default('tenant-namespace-operator-ingress-controller') }}" + clusterRole: "{{ lookup('env', 'INGRESS_CLUSTERROLE') | default('tenant-namespace-operator-ingress-controller') }}" controller: scope: namespace: "{{ ansible_operator_meta.name }}" + - name: Force namespace settings. Can not be overridden. - set_fact: + ansible.builtin.set_fact: merged_values: "{{ merged_values | combine(overrides, recursive=True) }}" - name: Set ingress ip if known - set_fact: + ansible.builtin.set_fact: loadBalancerIP: "{{ _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP }}" when: - - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is defined + - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is defined - name: Fetch ingress service - k8s_info: + kubernetes.core.k8s_info: api_version: v1 kind: Service name: "{{ ansible_operator_meta.name }}-ingress-controller" 
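Review bot: `clusterRole: "{{ lookup('env', 'INGRESS_CLUSTERROLE') | default('tenant-namespace-operator-ingress-controller') }}"` does not fall back when the variable is unset: the env lookup yields `''`, and `default` without its second argument only replaces undefined values, so the forced setting becomes an empty string. Because this sits in `overrides`, which the task below applies as "Can not be overridden", a tenant cannot repair it from the CR either, and what the chart does with an empty cluster role name (presumably an RBAC binding for the ingress controller) is unknown from here. Use `default('tenant-namespace-operator-ingress-controller', true)` so an unset or empty variable takes the default, unless the deployment is guaranteed to always set it.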
@@ -115,171 +116,84 @@ register: ingressService when: > merged_values.ingress.nginx.enabled and - (_miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined or - _miscscripts_pnnl_gov_tenantnamespace.status.ingressNginxUpgradeComplete is not defined) + _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined - name: Merge in existing ingress ip if exists + when: + - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined + - merged_values.ingress.controller.service.loadBalancerIP is not defined + - ingressService is defined + - ingressService.resources is defined + - ingressService.resources[0] is defined + - ingressService.resources[0].status is defined + - ingressService.resources[0].status.loadBalancer is defined + - ingressService.resources[0].status.loadBalancer.ingress is defined + - ingressService.resources[0].status.loadBalancer.ingress[0] is defined + - ingressService.resources[0].status.loadBalancer.ingress[0].ip is defined block: - - name: Set ingress ip. - set_fact: - loadBalancerIP: "{{ ingressService.resources[0].status.loadBalancer.ingress[0].ip }}" - - k8s_status: - api_version: miscscripts.pnnl.gov/v1beta1 - kind: TenantNamespace - name: "{{ ansible_operator_meta.name }}" - namespace: "{{ ansible_operator_meta.namespace }}" - status: + - name: Set ingress ip. 
+ ansible.builtin.set_fact: loadBalancerIP: "{{ ingressService.resources[0].status.loadBalancer.ingress[0].ip }}" - when: - - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined - - merged_values.ingress.controller.service.loadBalancerIP is not defined - - ingressService is defined - - ingressService.resources is defined - - ingressService.resources[0] is defined - - ingressService.resources[0].status is defined - - ingressService.resources[0].status.loadBalancer is defined - - ingressService.resources[0].status.loadBalancer.ingress is defined - - ingressService.resources[0].status.loadBalancer.ingress[0] is defined - - ingressService.resources[0].status.loadBalancer.ingress[0].ip is defined + - name: Set ingress ip in CR status + operator_sdk.util.k8s_status: + api_version: miscscripts.pnnl.gov/v1beta1 + kind: TenantNamespace + name: "{{ ansible_operator_meta.name }}" + namespace: "{{ ansible_operator_meta.namespace }}" + status: + loadBalancerIP: "{{ ingressService.resources[0].status.loadBalancer.ingress[0].ip }}" - name: Set ingress ip if specified - set_fact: + ansible.builtin.set_fact: loadBalancerIP: "{{ _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller.service.loadBalancerIP }}" when: - - loadBalancerIP is not defined - - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress is defined - - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller is defined - - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller.service is defined - - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller.service.loadBalancerIP is defined + - loadBalancerIP is not defined + - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress is defined + - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller is defined + - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller.service is defined + - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller.service.loadBalancerIP is defined - name: Force loadBalancerIP 
address setting - set_fact: + ansible.builtin.set_fact: loadBalancerIP_overrides: ingress: controller: service: loadBalancerIP: "{{ loadBalancerIP }}" when: - - loadBalancerIP is defined + - loadBalancerIP is defined - name: Force loadBalancerIP. Can not be overridden. - set_fact: + ansible.builtin.set_fact: merged_values: "{{ merged_values | combine(loadBalancerIP_overrides, recursive=True) }}" when: - - loadBalancerIP is defined - -# Delete resources that have selectors that need to be updated -- name: Remove upgrade resources - k8s: - state: absent - api_version: "{{ item.api_version }}" - kind: "{{ item.kind }}" - namespace: "{{ item.namespace }}" - name: "{{ item.name }}" - loop: - - api_version: apps/v1 - kind: Deployment - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-controller" - - api_version: v1 - kind: Service - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-controller" - - api_version: v1 - kind: Service - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-controller-metrics" - - api_version: apps/v1 - kind: Deployment - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-default-backend" - - api_version: v1 - kind: Service - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-default-backend" - when: - - not dryrun - - ingressService is defined - - ingressService.resources is defined - - ingressService.resources[0] is defined - - ingressService.resources[0].metadata is defined - - ingressService.resources[0].metadata.labels is defined - - ingressService.resources[0].metadata.labels.chart is defined - - ingressService.resources[0].metadata.labels.chart == "ingress-1.34.2" + - loadBalancerIP is defined -- name: Add upgrade status marker - k8s_status: - api_version: miscscripts.pnnl.gov/v1beta1 - 
kind: TenantNamespace - name: "{{ ansible_operator_meta.name }}" - namespace: "{{ ansible_operator_meta.namespace }}" - status: - ingressNginxUpgradeComplete: true - when: - - not dryrun - - ingressService is defined - - ingressService.resources is defined - - ingressService.resources[0] is defined - - ingressService.resources[0].metadata is defined - - ingressService.resources[0].metadata.labels is defined - - ingressService.resources[0].metadata.labels["helm.sh/chart"] is defined - - ingressService.resources[0].metadata.labels["helm.sh/chart"] == "ingress-3.34.0" - -#FIXME Consider making a service account specifically for this so it can't cross namespaces as far as it can today +# FIXME Consider making a service account specifically for this so it can't cross namespaces as far as it can today - name: Run Helm - helm: + kubernetes.core.helm: name: "{{ ansible_operator_meta.name }}" namespace: "{{ ansible_operator_meta.name }}-admin" chart_ref: ${HOME}/tenant-namespace values: "{{ merged_values }}" register: objs - when: - - not dryrun - -- name: Set diff - set_fact: - differ: "" - -- name: Dry Run Helm - block: - - name: Make temp file - tempfile: - state: file - suffix: .yaml - register: temp_filename - - name: Copy values to temp file - copy: - content: "{{ merged_values | to_yaml }}" - dest: "{{ temp_filename.path }}" - no_log: True - - name: Do dry run of helm - shell: "helm diff upgrade --install --detailed-exitcode --namespace {{ ansible_operator_meta.name }}-admin {{ ansible_operator_meta.name }} ${HOME}/tenant-namespace -f {{ temp_filename.path }}" - register: diffhelm - ignore_errors: True - no_log: True - - name: Set diff - set_fact: - differ: "{{ diffhelm.stdout }}\n" - - name: Remove temp file - file: - path: "{{ temp_filename.path }}" - state: absent - when: - - dryrun + check_mode: "{{ dryrun }}" + diff: "{{ dryrun }}" -- k8s_status: +- name: Set diff output on status + operator_sdk.util.k8s_status: api_version: miscscripts.pnnl.gov/v1beta1 kind: 
TenantNamespace name: "{{ ansible_operator_meta.name }}" namespace: "{{ ansible_operator_meta.namespace }}" status: - diff: "{{ differ | b64encode }}" + diff: "{{ ((objs.diff.prepared | default('')) + '\n') | b64encode }}" - name: Set user labels - set_fact: + ansible.builtin.set_fact: userlabels: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceLabels | default({}) | combine({'name': ansible_operator_meta.name, 'miscscripts.pnnl.gov/namespace-type': 'user'}, recursive=True) }}" - name: Create the k8s user namespace - k8s: + kubernetes.core.k8s: state: present definition: apiVersion: v1 @@ -288,6 +202,4 @@ name: "{{ ansible_operator_meta.name }}" labels: "{{ userlabels }}" annotations: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceAnnotations | default({}) }}" - when: - - not dryrun - + check_mode: "{{ dryrun }}" diff --git a/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml index 0a5603e..e496738 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml @@ -1,3 +1,4 @@ +--- galaxy_info: author: your name description: your description @@ -16,7 +17,7 @@ galaxy_info: # - CC-BY license: license (GPLv2, CC-BY, etc) - min_ansible_version: 2.9 + min_ansible_version: "2.9" # If this a Container Enabled role, provide the minimum Ansible Container version. # min_ansible_container_version: @@ -59,5 +60,5 @@ dependencies: [] # List your role dependencies here, one per line. Be sure to remove the '[]' above, # if you add dependencies to this list. collections: -- operator_sdk.util -- community.kubernetes + - operator_sdk.util + - kubernetes.core 
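Review bot: The dry-run path lost its `no_log`: the removed `Dry Run Helm` block kept the values file and the `helm diff` call under `no_log: True`, whereas the new `Run Helm` task with `diff: "{{ dryrun }}"` registers the full rendered diff in `objs` and lets the diff callback print it to the operator log, so any Secret manifests the chart renders from `merged_values` now land in the pod log as well as in the CR status (base64 is encoding, not protection — anyone with `get` on TenantNamespace can read it). Adding `no_log: "{{ dryrun }}"` to the helm task keeps the registered result for the status write while suppressing the log output, matching the previous behaviour. The carried-over `# FIXME` about a dedicated service account is still the larger issue: this task runs under the operator's cluster-wide identity installing a release whose values are partly tenant-supplied, with only the forced `overrides` constraining them.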
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml index 336bde5..bf6da17 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml @@ -1,16 +1,16 @@ --- # tasks file for tenantnamespace -#Check to see release exists. If it doesnt continue on. If it does, delete it. +# Check to see release exists. If it doesnt continue on. If it does, delete it. - name: Delete the helm release - helm: + kubernetes.core.helm: name: "{{ ansible_operator_meta.name }}" namespace: "{{ ansible_operator_meta.name }}-admin" state: absent register: objs - name: Delete the k8s user namespace - k8s: + kubernetes.core.k8s: state: absent definition: apiVersion: v1 @@ -19,11 +19,10 @@ name: "{{ ansible_operator_meta.name }}" - name: Delete the k8s admin namespace - k8s: + kubernetes.core.k8s: state: absent definition: apiVersion: v1 kind: Namespace metadata: name: "{{ ansible_operator_meta.name }}-admin" - diff --git a/containers/tenant-namespace-operator/watches.yaml b/containers/tenant-namespace-operator/watches.yaml index 17fae67..f69fa1a 100644 --- a/containers/tenant-namespace-operator/watches.yaml +++ b/containers/tenant-namespace-operator/watches.yaml @@ -8,4 +8,4 @@ finalizer: name: finalizer.tenantnamespace.miscscripts.pnnl.gov role: tenantnamespacefin -# +kubebuilder:scaffold:watch +#+kubebuilder:scaffold:watch