From 1f015f95e5cab7ef137f9043461b74c7b805bc11 Mon Sep 17 00:00:00 2001 From: Peter Nordquist Date: Tue, 24 Oct 2023 10:50:08 -0700 Subject: [PATCH 01/16] Addressed ansible-lint issues --- .../roles/tenantnamespace/meta/main.yml | 6 +- .../roles/tenantnamespace/tasks/main.yml | 271 +++++++++--------- .../roles/tenantnamespacefin/meta/main.yml | 6 +- .../roles/tenantnamespacefin/tasks/main.yml | 9 +- 4 files changed, 147 insertions(+), 145 deletions(-) diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml index 0a5603e..398d03b 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml @@ -16,7 +16,7 @@ galaxy_info: # - CC-BY license: license (GPLv2, CC-BY, etc) - min_ansible_version: 2.9 + min_ansible_version: "2.9" # If this a Container Enabled role, provide the minimum Ansible Container version. # min_ansible_container_version: @@ -59,5 +59,5 @@ dependencies: [] # List your role dependencies here, one per line. Be sure to remove the '[]' above, # if you add dependencies to this list. collections: -- operator_sdk.util -- community.kubernetes + - operator_sdk.util + - community.kubernetes diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml index 60119cb..f2d9eca 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml 
@@ -2,15 +2,15 @@ # tasks file for TenantNamespace - name: Set dryrun value - set_fact: - dryrun: "{{ lookup('env','DRYRUN') | default('False') | bool }}" + ansible.builtin.set_fact: + dryrun: "{{ lookup('env', 'DRYRUN') | default('False') | bool }}" - name: Set admin labels - set_fact: + ansible.builtin.set_fact: adminlabels: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceLabels | default({}) | combine({'name': ansible_operator_meta.name + '-admin', 'miscscripts.pnnl.gov/namespace-type': 'admin'}, recursive=True) }}" - name: Create the k8s admin namespace - k8s: + community.kubernetes.k8s: state: present definition: apiVersion: v1 @@ -20,10 +20,10 @@ labels: "{{ adminlabels }}" annotations: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceAnnotations | default({}) }}" when: - - not dryrun + - not dryrun - name: Set initial defaults. They be overridden. - set_fact: + ansible.builtin.set_fact: merged_values: magicnamespace: tiller: 
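Review bot: `default('False')` on the `dryrun` fact never takes effect, because `lookup('env', 'DRYRUN')` yields an empty string rather than an undefined value when the variable is unset (as far as I know of the env lookup), so the filter sees a defined input and passes it through; the `clusterRole` line in the `@@ -76,38 +77,39 @@` hunk has the same shape, and there an unset INGRESS_CLUSTERROLE produces an empty cluster role name instead of `tenant-namespace-operator-ingress-controller`. Passing the boolean second argument makes `default` also replace empty values: `dryrun: "{{ lookup('env', 'DRYRUN') | default('False', true) | bool }}"` and `clusterRole: "{{ lookup('env', 'INGRESS_CLUSTERROLE') | default('tenant-namespace-operator-ingress-controller', true) }}"`. For `dryrun` the outcome happens to be the same with the ansible-core versions I know, since `'' | bool` is false, but for `clusterRole` the empty value is what the ingress controller's RBAC ends up bound to, so it is worth fixing while the lines are being touched.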
@@ -35,30 +35,31 @@ ingress: nginx: enabled: true + - name: Load in Flavor values if referenced block: - - name: Fetch referenced flavor - k8s_info: - api_version: miscscripts.pnnl.gov/v1beta1 - kind: TenantNamespaceFlavor - name: "{{ flavor_ref.name }}" - register: flavor - # Failures immediately trigger another reconciliation - failed_when: - - flavor.resources | length == 0 - - name: Merge in flavor values - set_fact: - merged_values: "{{ merged_values | combine(flavor.resources[0].spec, recursive=True) }}" + - name: Fetch referenced flavor + community.kubernetes.k8s_info: + api_version: miscscripts.pnnl.gov/v1beta1 + kind: TenantNamespaceFlavor + name: "{{ flavor_ref.name }}" + register: flavor + # Failures immediately trigger another reconciliation + failed_when: + - flavor.resources | length == 0 + - name: Merge in flavor values + ansible.builtin.set_fact: + merged_values: "{{ merged_values | combine(flavor.resources[0].spec, recursive=True) }}" when: - - flavor_ref is defined - - flavor_ref.kind == "TenantNamespaceFlavor" - - flavor_ref.group == "miscscripts.pnnl.gov" + - flavor_ref is defined + - flavor_ref.kind == "TenantNamespaceFlavor" + - flavor_ref.group == "miscscripts.pnnl.gov" - name: Set values from CR - set_fact: + ansible.builtin.set_fact: merged_values: "{{ merged_values | combine(_miscscripts_pnnl_gov_tenantnamespace_spec, recursive=True) }}" - name: Setup gitlabRunner if needed - set_fact: + ansible.builtin.set_fact: gitlabrunnerconfig: gitlabRunner: spec: @@ -66,9 +67,9 @@ namespace: "{{ ansible_operator_meta.name }}" tags: "{{ (merged_values.gitlabRunner.spec.runners.tags.split(',') + [ansible_operator_meta.name]) | unique | list | join(',') }}" when: - - merged_values.gitlabRunner.spec.runners.tags is defined + - merged_values.gitlabRunner.spec.runners.tags is defined - name: Setup gitlabRunner if needed - set_fact: + ansible.builtin.set_fact: gitlabrunnerconfig: gitlabRunner: spec: 
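Review bot: The `Load in Flavor values if referenced` block keeps `when:` after `block:`, while the `Dry Run Helm` task in the `@@ -215,58 +218,59 @@` hunk of this same commit moves `when:` ahead of `block:`; the `Merge in existing ingress ip if exists` block in `@@ -120,94 +122,95 @@` is ordered like this one. Pick one order for the file, and putting `when:` first is the better choice for blocks because the guard is visible before the nested task list starts rather than after it. The three `flavor_ref` conditions would then sit directly under the task name, e.g. `- name: Load in Flavor values if referenced` / `  when:` / `    - flavor_ref is defined` ahead of `  block:`.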
@@ -76,38 +77,39 @@ namespace: "{{ ansible_operator_meta.name }}" tags: "{{ ansible_operator_meta.name }}" when: - - merged_values.gitlabRunner.spec.runners.tags is not defined + - merged_values.gitlabRunner.spec.runners.tags is not defined - name: Merge gitlabRunner values - set_fact: + ansible.builtin.set_fact: merged_values: "{{ merged_values | combine(gitlabrunnerconfig, recursive=True) }}" when: - - merged_values.gitlabRunner.autoSetNamespaceAndTags + - merged_values.gitlabRunner.autoSetNamespaceAndTags - name: Set value for forced settings - set_fact: + ansible.builtin.set_fact: overrides: namespace: "{{ ansible_operator_meta.name }}" magicnamespace: namespace: "{{ ansible_operator_meta.name }}" ingress: nginx: - clusterRole: "{{ lookup('env','INGRESS_CLUSTERROLE') | default('tenant-namespace-operator-ingress-controller') }}" + clusterRole: "{{ lookup('env', 'INGRESS_CLUSTERROLE') | default('tenant-namespace-operator-ingress-controller') }}" controller: scope: namespace: "{{ ansible_operator_meta.name }}" + - name: Force namespace settings. Can not be overridden. - set_fact: + ansible.builtin.set_fact: merged_values: "{{ merged_values | combine(overrides, recursive=True) }}" - name: Set ingress ip if known - set_fact: + ansible.builtin.set_fact: loadBalancerIP: "{{ _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP }}" when: - - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is defined + - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is defined - name: Fetch ingress service - k8s_info: + community.kubernetes.k8s_info: api_version: v1 kind: Service name: "{{ ansible_operator_meta.name }}-ingress-controller" 
@@ -120,94 +122,95 @@ - name: Merge in existing ingress ip if exists block: - - name: Set ingress ip. - set_fact: - loadBalancerIP: "{{ ingressService.resources[0].status.loadBalancer.ingress[0].ip }}" - - k8s_status: - api_version: miscscripts.pnnl.gov/v1beta1 - kind: TenantNamespace - name: "{{ ansible_operator_meta.name }}" - namespace: "{{ ansible_operator_meta.namespace }}" - status: + - name: Set ingress ip. + ansible.builtin.set_fact: loadBalancerIP: "{{ ingressService.resources[0].status.loadBalancer.ingress[0].ip }}" + - name: Set ingress ip in CR status + operator_sdk.util.k8s_status: + api_version: miscscripts.pnnl.gov/v1beta1 + kind: TenantNamespace + name: "{{ ansible_operator_meta.name }}" + namespace: "{{ ansible_operator_meta.namespace }}" + status: + loadBalancerIP: "{{ ingressService.resources[0].status.loadBalancer.ingress[0].ip }}" when: - - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined - - merged_values.ingress.controller.service.loadBalancerIP is not defined - - ingressService is defined - - ingressService.resources is defined - - ingressService.resources[0] is defined - - ingressService.resources[0].status is defined - - ingressService.resources[0].status.loadBalancer is defined - - ingressService.resources[0].status.loadBalancer.ingress is defined - - ingressService.resources[0].status.loadBalancer.ingress[0] is defined - - ingressService.resources[0].status.loadBalancer.ingress[0].ip is defined + - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined + - merged_values.ingress.controller.service.loadBalancerIP is not defined + - ingressService is defined + - ingressService.resources is defined + - ingressService.resources[0] is defined + - ingressService.resources[0].status is defined + - ingressService.resources[0].status.loadBalancer is defined + - ingressService.resources[0].status.loadBalancer.ingress is defined + - ingressService.resources[0].status.loadBalancer.ingress[0] is defined + 
- ingressService.resources[0].status.loadBalancer.ingress[0].ip is defined - name: Set ingress ip if specified - set_fact: + ansible.builtin.set_fact: loadBalancerIP: "{{ _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller.service.loadBalancerIP }}" when: - - loadBalancerIP is not defined - - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress is defined - - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller is defined - - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller.service is defined - - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller.service.loadBalancerIP is defined + - loadBalancerIP is not defined + - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress is defined + - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller is defined + - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller.service is defined + - _miscscripts_pnnl_gov_tenantnamespace.spec.ingress.controller.service.loadBalancerIP is defined - name: Force loadBalancerIP address setting - set_fact: + ansible.builtin.set_fact: loadBalancerIP_overrides: ingress: controller: service: loadBalancerIP: "{{ loadBalancerIP }}" when: - - loadBalancerIP is defined + - loadBalancerIP is defined - name: Force loadBalancerIP. Can not be overridden. 
- set_fact: + ansible.builtin.set_fact: merged_values: "{{ merged_values | combine(loadBalancerIP_overrides, recursive=True) }}" when: - - loadBalancerIP is defined + - loadBalancerIP is defined # Delete resources that have selectors that need to be updated - name: Remove upgrade resources - k8s: + community.kubernetes.k8s: state: absent api_version: "{{ item.api_version }}" kind: "{{ item.kind }}" namespace: "{{ item.namespace }}" name: "{{ item.name }}" loop: - - api_version: apps/v1 - kind: Deployment - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-controller" - - api_version: v1 - kind: Service - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-controller" - - api_version: v1 - kind: Service - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-controller-metrics" - - api_version: apps/v1 - kind: Deployment - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-default-backend" - - api_version: v1 - kind: Service - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-default-backend" + - api_version: apps/v1 + kind: Deployment + namespace: "{{ ansible_operator_meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-ingress-controller" + - api_version: v1 + kind: Service + namespace: "{{ ansible_operator_meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-ingress-controller" + - api_version: v1 + kind: Service + namespace: "{{ ansible_operator_meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-ingress-controller-metrics" + - api_version: apps/v1 + kind: Deployment + namespace: "{{ ansible_operator_meta.name }}-admin" + name: "{{ ansible_operator_meta.name }}-ingress-default-backend" + - api_version: v1 + kind: Service + namespace: "{{ ansible_operator_meta.name }}-admin" + name: "{{ 
ansible_operator_meta.name }}-ingress-default-backend" when: - - not dryrun - - ingressService is defined - - ingressService.resources is defined - - ingressService.resources[0] is defined - - ingressService.resources[0].metadata is defined - - ingressService.resources[0].metadata.labels is defined - - ingressService.resources[0].metadata.labels.chart is defined - - ingressService.resources[0].metadata.labels.chart == "ingress-1.34.2" + - not dryrun + - ingressService is defined + - ingressService.resources is defined + - ingressService.resources[0] is defined + - ingressService.resources[0].metadata is defined + - ingressService.resources[0].metadata.labels is defined + - ingressService.resources[0].metadata.labels.chart is defined + - ingressService.resources[0].metadata.labels.chart == "ingress-1.34.2" - name: Add upgrade status marker - k8s_status: + operator_sdk.util.k8s_status: api_version: miscscripts.pnnl.gov/v1beta1 kind: TenantNamespace name: "{{ ansible_operator_meta.name }}" 
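Review bot: `Set ingress ip in CR status` repeats the full `ingressService.resources[0].status.loadBalancer.ingress[0].ip` expression that the preceding `Set ingress ip.` task has just stored in `loadBalancerIP`; the status write should use the fact, `loadBalancerIP: "{{ loadBalancerIP }}"`, so the two values cannot drift if one of them is edited later. The ten-item `is defined` chain on the block's `when:` is hard to read; if the operator's Jinja environment propagates undefined through attribute and index access (AnsibleUndefined does, as far as I know), the last check alone would cover the whole chain, but confirm that before trimming it. The commit's naming of the previously anonymous `k8s_status` task is a welcome change and the same could be done for the `k8s_status` near the end of the `@@ -215,58 +218,59 @@` hunk, which it already does.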
@@ -215,58 +218,59 @@ status: ingressNginxUpgradeComplete: true when: - - not dryrun - - ingressService is defined - - ingressService.resources is defined - - ingressService.resources[0] is defined - - ingressService.resources[0].metadata is defined - - ingressService.resources[0].metadata.labels is defined - - ingressService.resources[0].metadata.labels["helm.sh/chart"] is defined - - ingressService.resources[0].metadata.labels["helm.sh/chart"] == "ingress-3.34.0" + - not dryrun + - ingressService is defined + - ingressService.resources is defined + - ingressService.resources[0] is defined + - ingressService.resources[0].metadata is defined + - ingressService.resources[0].metadata.labels is defined + - ingressService.resources[0].metadata.labels["helm.sh/chart"] is defined + - ingressService.resources[0].metadata.labels["helm.sh/chart"] == "ingress-3.34.0" -#FIXME Consider making a service account specifically for this so it can't cross namespaces as far as it can today +# FIXME Consider making a service account specifically for this so it can't cross namespaces as far as it can today - name: Run Helm - helm: + community.kubernetes.helm: name: "{{ ansible_operator_meta.name }}" namespace: "{{ ansible_operator_meta.name }}-admin" chart_ref: ${HOME}/tenant-namespace values: "{{ merged_values }}" register: objs when: - - not dryrun + - not dryrun - name: Set diff - set_fact: + ansible.builtin.set_fact: differ: "" - name: Dry Run Helm - block: - - name: Make temp file - tempfile: - state: file - suffix: .yaml - register: temp_filename - - name: Copy values to temp file - copy: - content: "{{ merged_values | to_yaml }}" - dest: "{{ temp_filename.path }}" - no_log: True - - name: Do dry run of helm - shell: "helm diff upgrade --install --detailed-exitcode --namespace {{ ansible_operator_meta.name }}-admin {{ ansible_operator_meta.name }} ${HOME}/tenant-namespace -f {{ temp_filename.path }}" - register: diffhelm - ignore_errors: True - no_log: True - - name: Set diff - 
set_fact: - differ: "{{ diffhelm.stdout }}\n" - - name: Remove temp file - file: - path: "{{ temp_filename.path }}" - state: absent when: - - dryrun + - dryrun + block: + - name: Make temp file + ansible.builtin.tempfile: + state: file + suffix: .yaml + register: temp_filename + - name: Copy values to temp file + ansible.builtin.copy: + content: "{{ merged_values | to_yaml }}" + dest: "{{ temp_filename.path }}" + no_log: true + - name: Do dry run of helm + ansible.builtin.shell: "helm diff upgrade --install --detailed-exitcode --namespace {{ ansible_operator_meta.name }}-admin {{ ansible_operator_meta.name }} ${HOME}/tenant-namespace -f {{ temp_filename.path }}" + register: diffhelm + ignore_errors: true + no_log: true + - name: Set diff + ansible.builtin.set_fact: + differ: "{{ diffhelm.stdout }}\n" + - name: Remove temp file + ansible.builtin.file: + path: "{{ temp_filename.path }}" + state: absent -- k8s_status: +- name: Set diff output on status + operator_sdk.util.k8s_status: api_version: miscscripts.pnnl.gov/v1beta1 kind: TenantNamespace name: "{{ ansible_operator_meta.name }}" @@ -275,11 +279,11 @@ diff: "{{ differ | b64encode }}" - name: Set user labels - set_fact: + ansible.builtin.set_fact: userlabels: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceLabels | default({}) | combine({'name': ansible_operator_meta.name, 'miscscripts.pnnl.gov/namespace-type': 'user'}, recursive=True) }}" - name: Create the k8s user namespace - k8s: + community.kubernetes.k8s: state: present definition: apiVersion: v1 @@ -289,5 +293,4 @@ labels: "{{ userlabels }}" annotations: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceAnnotations | default({}) }}" when: - - not dryrun - + - not dryrun diff --git a/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml index 0a5603e..398d03b 100644 
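Review bot: The `Remove temp file` task at the end of the `Dry Run Helm` block only runs if every earlier task in the block succeeds, so a failed `Copy values to temp file` (or any error not covered by `ignore_errors` on the helm step) leaves the rendered values — the same content the commit marks `no_log: true` — on disk in the operator container; cleanup belongs in an `always:` section of the block. Separately, `ignore_errors: true` on `Do dry run of helm` hides real failures: with `--detailed-exitcode` helm exits 2 when the release would change, so `failed_when: diffhelm.rc not in [0, 2]` keeps that case passing while surfacing a broken chart, a missing diff plugin or bad values instead of quietly recording an empty diff on the CR status. The rewrite below keeps the unchanged tasks and only moves the cleanup and replaces the error handling.
```yaml
- name: Dry Run Helm
  when:
    - dryrun
  block:
    # … unchanged: Make temp file, Copy values to temp file …
    - name: Do dry run of helm
      # … unchanged: ansible.builtin.shell helm diff command …
      register: diffhelm
      # --detailed-exitcode makes helm exit 2 when the release would change;
      # any other non-zero code is a real failure and must not be swallowed
      failed_when: diffhelm.rc not in [0, 2]
      no_log: true
    # … unchanged: Set diff …
  always:
    - name: Remove temp file
      ansible.builtin.file:
        path: "{{ temp_filename.path }}"
        state: absent
      when: temp_filename.path is defined
```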
--- a/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml @@ -16,7 +16,7 @@ galaxy_info: # - CC-BY license: license (GPLv2, CC-BY, etc) - min_ansible_version: 2.9 + min_ansible_version: "2.9" # If this a Container Enabled role, provide the minimum Ansible Container version. # min_ansible_container_version: @@ -59,5 +59,5 @@ dependencies: [] # List your role dependencies here, one per line. Be sure to remove the '[]' above, # if you add dependencies to this list. collections: -- operator_sdk.util -- community.kubernetes + - operator_sdk.util + - community.kubernetes diff --git a/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml index 336bde5..f970b0b 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml @@ -1,16 +1,16 @@ --- # tasks file for tenantnamespace -#Check to see release exists. If it doesnt continue on. If it does, delete it. +# Check to see release exists. If it doesnt continue on. If it does, delete it. - name: Delete the helm release - helm: + community.kubernetes.helm: name: "{{ ansible_operator_meta.name }}" namespace: "{{ ansible_operator_meta.name }}-admin" state: absent register: objs - name: Delete the k8s user namespace - k8s: + community.kubernetes.k8s: state: absent definition: apiVersion: v1 @@ -19,11 +19,10 @@ name: "{{ ansible_operator_meta.name }}" - name: Delete the k8s admin namespace - k8s: + community.kubernetes.k8s: state: absent definition: apiVersion: v1 kind: Namespace metadata: name: "{{ ansible_operator_meta.name }}-admin" - From ca0a606e963bef059fc2eebd1ac07ddd785c1e2f Mon Sep 17 00:00:00 2001 
From: Peter Nordquist Date: Thu, 26 Oct 2023 15:29:52 -0700 Subject: [PATCH 02/16] Bumped chart and container version --- charts/charts/tenant-namespace-operator/Chart.yaml | 4 ++-- containers/tenant-namespace-operator/buildenv | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/charts/tenant-namespace-operator/Chart.yaml b/charts/charts/tenant-namespace-operator/Chart.yaml index 0d79925..e870eb8 100644 --- a/charts/charts/tenant-namespace-operator/Chart.yaml +++ b/charts/charts/tenant-namespace-operator/Chart.yaml @@ -14,8 +14,8 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 0.1.17 +version: 0.1.18 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 0.1.14-1 +appVersion: 0.1.15-1 diff --git a/containers/tenant-namespace-operator/buildenv b/containers/tenant-namespace-operator/buildenv index 04a4b2d..9039d65 100644 --- a/containers/tenant-namespace-operator/buildenv +++ b/containers/tenant-namespace-operator/buildenv @@ -1 +1 @@ -export PREFIX=0.1.14 +export PREFIX=0.1.15 From b585ba4da09a75804cce2a68ddc280e7ad93c69b Mon Sep 17 00:00:00 2001 From: Peter Nordquist Date: Thu, 26 Oct 2023 15:42:05 -0700 Subject: [PATCH 03/16] Removed obsolete upgrade code --- .../roles/tenantnamespace/tasks/main.yml | 60 +------------------ 1 file changed, 1 insertion(+), 59 deletions(-) diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml index f2d9eca..b5fed74 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml 
@@ -117,8 +117,7 @@ register: ingressService when: > merged_values.ingress.nginx.enabled and - (_miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined or - _miscscripts_pnnl_gov_tenantnamespace.status.ingressNginxUpgradeComplete is not defined) + _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined - name: Merge in existing ingress ip if exists block: 
@@ -170,63 +169,6 @@ when: - loadBalancerIP is defined -# Delete resources that have selectors that need to be updated -- name: Remove upgrade resources - community.kubernetes.k8s: - state: absent - api_version: "{{ item.api_version }}" - kind: "{{ item.kind }}" - namespace: "{{ item.namespace }}" - name: "{{ item.name }}" - loop: - - api_version: apps/v1 - kind: Deployment - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-controller" - - api_version: v1 - kind: Service - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-controller" - - api_version: v1 - kind: Service - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-controller-metrics" - - api_version: apps/v1 - kind: Deployment - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-default-backend" - - api_version: v1 - kind: Service - namespace: "{{ ansible_operator_meta.name }}-admin" - name: "{{ ansible_operator_meta.name }}-ingress-default-backend" - when: - - not dryrun - - ingressService is defined - - ingressService.resources is defined - - ingressService.resources[0] is defined - - ingressService.resources[0].metadata is defined - - ingressService.resources[0].metadata.labels is defined - - ingressService.resources[0].metadata.labels.chart is defined - - ingressService.resources[0].metadata.labels.chart == "ingress-1.34.2" - -- name: Add upgrade status marker - operator_sdk.util.k8s_status: - api_version: miscscripts.pnnl.gov/v1beta1 - kind: TenantNamespace - name: "{{ ansible_operator_meta.name }}" - namespace: "{{ ansible_operator_meta.namespace }}" - status: - ingressNginxUpgradeComplete: true - when: - - not dryrun - - ingressService is defined - - ingressService.resources is defined - - ingressService.resources[0] is defined - - ingressService.resources[0].metadata is defined - - 
ingressService.resources[0].metadata.labels is defined - - ingressService.resources[0].metadata.labels["helm.sh/chart"] is defined - - ingressService.resources[0].metadata.labels["helm.sh/chart"] == "ingress-3.34.0" - # FIXME Consider making a service account specifically for this so it can't cross namespaces as far as it can today - name: Run Helm community.kubernetes.helm: From 211a414d090fa2a09640c64b7eaa186fe9de75b3 Mon Sep 17 00:00:00 2001 
From: Peter Nordquist Date: Tue, 24 Oct 2023 13:38:53 -0700 Subject: [PATCH 04/16] Upgraded to sdk 1.6.0 --- .../templates/deployment.yaml | 2 +- .../leader-election-role-binding.yaml | 15 +++ .../templates/leader-election-role.yaml | 20 +++ .../tenant-namespace-operator/values.yaml | 7 +- .../tenant-namespace-operator/Dockerfile | 2 +- containers/tenant-namespace-operator/Makefile | 120 +++++++++++++----- containers/tenant-namespace-operator/PROJECT | 23 +++- .../config/crd/kustomization.yaml | 2 +- .../config/default/kustomization.yaml | 6 +- .../default/manager_auth_proxy_patch.yaml | 7 +- .../config/default/manager_config_patch.yaml | 20 +++ .../manager/controller_manager_config.yaml | 10 ++ .../config/manager/kustomization.yaml | 8 ++ .../config/manager/manager.yaml | 45 ++++--- .../config/manifests/kustomization.yaml | 7 + .../config/prometheus/monitor.yaml | 6 +- .../config/rbac/auth_proxy_role_binding.yaml | 2 +- .../config/rbac/kustomization.yaml | 6 + .../config/rbac/leader_election_role.yaml | 2 + .../rbac/leader_election_role_binding.yaml | 2 +- .../config/rbac/role.yaml | 2 +- .../config/rbac/role_binding.yaml | 3 +- .../config/rbac/service_account.yaml | 5 + .../config/samples/kustomization.yaml | 2 +- .../config/scorecard/kustomization.yaml | 2 +- .../scorecard/patches/basic.config.yaml | 2 +- .../config/scorecard/patches/olm.config.yaml | 10 +- .../requirements.yml | 4 +- .../roles/tenantnamespace/meta/main.yml | 1 + .../roles/tenantnamespacefin/meta/main.yml | 1 + .../tenant-namespace-operator/watches.yaml | 2 +- 31 files changed, 259 insertions(+), 87 deletions(-) create mode 100644 charts/charts/tenant-namespace-operator/templates/leader-election-role-binding.yaml create mode 100644 charts/charts/tenant-namespace-operator/templates/leader-election-role.yaml create mode 100644 containers/tenant-namespace-operator/config/default/manager_config_patch.yaml create mode 100644 
containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml create mode 100644 containers/tenant-namespace-operator/config/manifests/kustomization.yaml create mode 100644 containers/tenant-namespace-operator/config/rbac/service_account.yaml diff --git a/charts/charts/tenant-namespace-operator/templates/deployment.yaml b/charts/charts/tenant-namespace-operator/templates/deployment.yaml index f796d24..fd45255 100644 --- a/charts/charts/tenant-namespace-operator/templates/deployment.yaml +++ b/charts/charts/tenant-namespace-operator/templates/deployment.yaml @@ -45,7 +45,7 @@ spec: initialDelaySeconds: 5 periodSeconds: 10 args: - - "--enable-leader-election" + - "--leader-elect" - "--leader-election-id=tenant-namespace-operator" env: - name: ANSIBLE_GATHERING diff --git a/charts/charts/tenant-namespace-operator/templates/leader-election-role-binding.yaml b/charts/charts/tenant-namespace-operator/templates/leader-election-role-binding.yaml new file mode 100644 index 0000000..a5406b6 --- /dev/null +++ b/charts/charts/tenant-namespace-operator/templates/leader-election-role-binding.yaml @@ -0,0 +1,15 @@ +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant-namespace-operator.fullname" . }}-le + labels: +{{ include "tenant-namespace-operator.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "tenant-namespace-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ include "tenant-namespace-operator.fullname" . }}-le + apiGroup: rbac.authorization.k8s.io diff --git a/charts/charts/tenant-namespace-operator/templates/leader-election-role.yaml b/charts/charts/tenant-namespace-operator/templates/leader-election-role.yaml new file mode 100644 index 0000000..f7fa8dd --- /dev/null +++ b/charts/charts/tenant-namespace-operator/templates/leader-election-role.yaml 
@@ -0,0 +1,20 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "tenant-namespace-operator.fullname" . }}-le + labels: +{{ include "tenant-namespace-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete diff --git a/charts/charts/tenant-namespace-operator/values.yaml b/charts/charts/tenant-namespace-operator/values.yaml index fd0c5b1..a956462 100644 --- a/charts/charts/tenant-namespace-operator/values.yaml +++ b/charts/charts/tenant-namespace-operator/values.yaml @@ -28,15 +28,16 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: -podSecurityContext: {} +podSecurityContext: + runAsNonRoot: true # fsGroup: 2000 -securityContext: {} +securityContext: + allowPrivilegeEscalation: false # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true - # runAsNonRoot: true # runAsUser: 1000 resources: {} diff --git a/containers/tenant-namespace-operator/Dockerfile b/containers/tenant-namespace-operator/Dockerfile index 99acc7e..74e678f 100644 --- a/containers/tenant-namespace-operator/Dockerfile +++ b/containers/tenant-namespace-operator/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/operator-framework/ansible-operator:v1.4.0 +FROM quay.io/operator-framework/ansible-operator:v1.6.2 ARG helm_version=v3.5.2 USER 0 diff --git a/containers/tenant-namespace-operator/Makefile b/containers/tenant-namespace-operator/Makefile index 8f201fe..d5d65f5 100644 --- a/containers/tenant-namespace-operator/Makefile +++ b/containers/tenant-namespace-operator/Makefile 
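Review bot: The new lease Role grants `list`, `watch`, `patch` and `delete` on `leases`, verbs that — as far as I know of controller-runtime's leader-election resource lock — are not used, since it only gets, creates and updates the single lease; trimming the rule to `get`, `create`, `update` keeps the operator's own leader-election permissions minimal. If the manager at this SDK version still uses the configmaps-plus-leases lock, a matching `configmaps` rule in the same namespace is needed as well; the scaffolded `config/rbac/leader_election_role.yaml` is in the diffstat but not in this hunk, so compare the two so the chart does not grant less (or more) than the kustomize deployment does.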
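Review bot: `runAsNonRoot: true` makes the kubelet refuse to start the container unless the image's USER is numeric or `runAsUser` is set; the Dockerfile hunk in this commit shows `USER 0` with the final `USER` line outside the hunk, so confirm the image ends on a numeric non-root user or uncomment the neighbouring `# runAsUser: 1000` with the correct uid. With `securityContext` now non-empty, `capabilities: drop: [ALL]` (already present as a comment) and `seccompProfile: type: RuntimeDefault` are low-risk additions for a manager that only talks to the API server and runs helm; leaving `readOnlyRootFilesystem` commented is reasonable given the role's `tempfile` task writes under the container filesystem, and a short comment saying so would stop someone from enabling it blindly later.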
@@ -24,53 +24,70 @@ BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL) endif BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) +# IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images. +# This variable is used to construct full image tags for bundle and catalog images. +# +# For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both +# pnnl.gov/tenant-namespace-operator-bundle:$VERSION and pnnl.gov/tenant-namespace-operator-catalog:$VERSION. +IMAGE_TAG_BASE ?= pnnlmiscscripts/tenant-namespace-operator + # BUNDLE_IMG defines the image:tag used for the bundle. # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=/:) -BUNDLE_IMG ?= controller-bundle:$(VERSION) +BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION) # Image URL to use all building/pushing image targets -IMG ?= controller:latest +IMG ?= $(IMAGE_TAG_BASE):$(VERSION) all: docker-build -# Run against the configured Kubernetes cluster in ~/.kube/config -run: ansible-operator +##@ General + +# The help target prints out all targets with their descriptions organized +# beneath their categories. The categories are represented by '##@' and the +# target descriptions by '##'. The awk commands is responsible for reading the +# entire set of makefiles included in this invocation, looking for lines of the +# file as xyz: ## something, and then pretty-format the target and help. Then, +# if there's a line with ##@ something, that gets pretty-printed as a category. +# More info on the usage of ANSI control characters for terminal formatting: +# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters +# More info on the awk command: +# http://linuxcommand.org/lc3_adv_awk.php + +help: ## Display this help. 
+ @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + +##@ Build + +run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config $(ANSIBLE_OPERATOR) run -# Install CRDs into a cluster -install: kustomize +docker-build: ## Build docker image with the manager. + docker build -t ${IMG} . + +docker-push: ## Push docker image with the manager. + docker push ${IMG} + +##@ Deployment + +install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/crd | kubectl apply -f - -# Uninstall CRDs from a cluster -uninstall: kustomize +uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/crd | kubectl delete -f - -# Deploy controller in the configured Kubernetes cluster in ~/.kube/config -deploy: kustomize +deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} $(KUSTOMIZE) build config/default | kubectl apply -f - -# Undeploy controller in the configured Kubernetes cluster in ~/.kube/config -undeploy: kustomize +undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/default | kubectl delete -f - -# Build the docker image -docker-build: - docker build -t ${IMG} . - -# Push the docker image -docker-push: - docker push ${IMG} - -PATH := $(PATH):$(PWD)/bin -SHELL := env 'PATH=$(PATH)' /bin/sh OS := $(shell uname -s | tr '[:upper:]' '[:lower:]') ARCH := $(shell uname -m | sed 's/x86_64/amd64/') -# Download kustomize locally if necessary, preferring the $(pwd)/bin path over global if both exist. .PHONY: kustomize KUSTOMIZE = $(shell pwd)/bin/kustomize -kustomize: +kustomize: ## Download kustomize locally if necessary. 
ifeq (,$(wildcard $(KUSTOMIZE))) ifeq (,$(shell which kustomize 2>/dev/null)) @{ \ @@ -84,16 +101,15 @@ KUSTOMIZE = $(shell which kustomize) endif endif -# Download ansible-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist. .PHONY: ansible-operator ANSIBLE_OPERATOR = $(shell pwd)/bin/ansible-operator -ansible-operator: +ansible-operator: ## Download ansible-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist. ifeq (,$(wildcard $(ANSIBLE_OPERATOR))) ifeq (,$(shell which ansible-operator 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\ - curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.4.0/ansible-operator_$(OS)_$(ARCH) ;\ + curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.6.2/ansible-operator_$(OS)_$(ARCH) ;\ chmod +x $(ANSIBLE_OPERATOR) ;\ } else 
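Review bot: `undeploy:` lost its `kustomize` prerequisite (`-undeploy: kustomize` became `+undeploy: ## Undeploy controller ...`) while its recipe still runs `$(KUSTOMIZE) build config/default`, so on a fresh checkout without `bin/kustomize` or a system kustomize the target fails with a not-found error instead of fetching the tool like `install`, `uninstall` and `deploy` do; restore it as `undeploy: kustomize ## Undeploy controller from the K8s cluster specified in ~/.kube/config.`. A smaller point: `IMG ?= $(IMAGE_TAG_BASE):$(VERSION)` has no `v` prefix while `BUNDLE_IMG` (and `CATALOG_IMG` in the `@@ -101,15 +117,57 @@` hunk) use `v$(VERSION)`; if that deliberately matches the tags produced from `buildenv`'s `PREFIX`, a one-line comment would keep the next SDK re-scaffold from "fixing" it.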
@@ -101,15 +117,57 @@ ANSIBLE_OPERATOR = $(shell which ansible-operator)
 endif
 endif
-# Generate bundle manifests and metadata, then validate generated files.
 .PHONY: bundle
-bundle: kustomize
+bundle: kustomize ## Generate bundle manifests and metadata, then validate generated files.
 operator-sdk generate kustomize manifests -q
 cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
 $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
 operator-sdk bundle validate ./bundle
-# Build the bundle image.
 .PHONY: bundle-build
-bundle-build:
+bundle-build: ## Build the bundle image.
 docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
+
+.PHONY: bundle-push
+bundle-push: ## Push the bundle image.
+ $(MAKE) docker-push IMG=$(BUNDLE_IMG)
+
+.PHONY: opm
+OPM = ./bin/opm
+opm: ## Download opm locally if necessary.
+ifeq (,$(wildcard $(OPM)))
+ifeq (,$(shell which opm 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p $(dir $(OPM)) ;\
+ curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\
+ chmod +x $(OPM) ;\
+ }
+else
+OPM = $(shell which opm)
+endif
+endif
+
+# A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0).
+# These images MUST exist in a registry and be pull-able.
+BUNDLE_IMGS ?= $(BUNDLE_IMG)
+
+# The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0).
+CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION)
+
+# Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image.
+ifneq ($(origin CATALOG_BASE_IMG), undefined)
+FROM_INDEX_OPT := --from-index $(CATALOG_BASE_IMG)
+endif
+
+# Build a catalog image by adding bundle images to an empty catalog using the operator package manager tool, 'opm'.
+# This recipe invokes 'opm' in 'semver' bundle add mode. For more information on add modes, see:
+# https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator
+.PHONY: catalog-build
+catalog-build: opm ## Build a catalog image.
+ $(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)
+
+# Push the catalog image.
+.PHONY: catalog-push
+catalog-push: ## Push a catalog image.
+ $(MAKE) docker-push IMG=$(CATALOG_IMG)
diff --git a/containers/tenant-namespace-operator/PROJECT b/containers/tenant-namespace-operator/PROJECT
index be0a6ea..7b78fd7 100644
--- a/containers/tenant-namespace-operator/PROJECT
+++ b/containers/tenant-namespace-operator/PROJECT
@@ -1,14 +1,23 @@
 domain: pnnl.gov
-layout: ansible.sdk.operatorframework.io/v1
+layout:
+- ansible.sdk.operatorframework.io/v1
+plugins:
+ manifests.sdk.operatorframework.io/v2: {}
+ scorecard.sdk.operatorframework.io/v2: {}
 projectName: tenant-namespace-operator
 resources:
-- group: miscscripts
+- api:
+ crdVersion: v1
+ namespaced: false
+ domain: pnnl.gov
+ group: miscscripts
 kind: TenantNamespace
 version: v1beta1
-- group: miscscripts
+- api:
+ crdVersion: v1
+ namespaced: false
+ domain: pnnl.gov
+ group: miscscripts
 kind: TenantNamespaceFlavor
 version: v1beta1
-version: 3-alpha
-plugins:
- manifests.sdk.operatorframework.io/v2: {}
- scorecard.sdk.operatorframework.io/v2: {}
+version: "3"
diff --git a/containers/tenant-namespace-operator/config/crd/kustomization.yaml b/containers/tenant-namespace-operator/config/crd/kustomization.yaml
index ac3d522..30206ac 100644
--- a/containers/tenant-namespace-operator/config/crd/kustomization.yaml
+++ b/containers/tenant-namespace-operator/config/crd/kustomization.yaml
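Review bot: The new `opm` recipe downloads a binary with `curl -sSLo $(OPM) …` and marks it executable without any integrity check, so a substituted or tampered release asset would run as part of `catalog-build` on every developer or CI machine that lacks a local copy. Pinning the release tag `v1.15.1` fixes which URL is fetched but not what content arrives; add a digest check before the `chmod`, e.g. `echo "<EXPECTED_SHA256>  $(OPM)" | sha256sum -c - ;\`, with the expected digest copied from the release's checksum file into the Makefile. The `kustomize` and `ansible-operator` download recipes elsewhere in this Makefile follow the same unverified pattern, though their curl lines are pre-existing code.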
@@ -4,4 +4,4 @@ resources:
 - bases/miscscripts.pnnl.gov_tenantnamespaces.yaml
 - bases/miscscripts.pnnl.gov_tenantnamespaceflavors.yaml
-# +kubebuilder:scaffold:crdkustomizeresource
+#+kubebuilder:scaffold:crdkustomizeresource
diff --git a/containers/tenant-namespace-operator/config/default/kustomization.yaml b/containers/tenant-namespace-operator/config/default/kustomization.yaml
index 1e5312b..fca2593 100644
--- a/containers/tenant-namespace-operator/config/default/kustomization.yaml
+++ b/containers/tenant-namespace-operator/config/default/kustomization.yaml
@@ -20,7 +20,7 @@ bases:
 #- ../prometheus
 patchesStrategicMerge:
- # Protect the /metrics endpoint by putting it behind auth.
- # If you want your controller-manager to expose the /metrics
- # endpoint w/o any authn/z, please comment the following line.
+# Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
 - manager_auth_proxy_patch.yaml
diff --git a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml
index f1b16e3..2859969 100644
--- a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml
+++ b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml
@@ -10,7 +10,7 @@ spec:
 spec:
 containers:
 - name: kube-rbac-proxy
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
 args:
 - "--secure-listen-address=0.0.0.0:8443"
 - "--upstream=http://127.0.0.1:8080/"
@@ -21,6 +21,7 @@ spec:
 name: https
 - name: manager
 args:
- - "--metrics-addr=127.0.0.1:8080"
- - "--enable-leader-election"
+ - "--health-probe-bind-address=:6789"
+ - "--metrics-bind-address=127.0.0.1:8080"
+ - "--leader-elect"
 - "--leader-election-id=tenant-namespace-operator"
diff --git a/containers/tenant-namespace-operator/config/default/manager_config_patch.yaml b/containers/tenant-namespace-operator/config/default/manager_config_patch.yaml
new file mode 100644
index 0000000..6c40015
--- /dev/null
+++ b/containers/tenant-namespace-operator/config/default/manager_config_patch.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ args:
+ - "--config=controller_manager_config.yaml"
+ volumeMounts:
+ - name: manager-config
+ mountPath: /controller_manager_config.yaml
+ subPath: controller_manager_config.yaml
+ volumes:
+ - name: manager-config
+ configMap:
+ name: manager-config
diff --git a/containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml b/containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml
new file mode 100644
index 0000000..68ada6b
--- /dev/null
+++ b/containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml
@@ -0,0 +1,10 @@
+apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+kind: ControllerManagerConfig
+health:
+ healthProbeBindAddress: :6789
+metrics:
+ bindAddress: 127.0.0.1:8080
+
+leaderElection:
+ leaderElect: true
+ resourceName: 811c9dc5.pnnl.gov
diff --git a/containers/tenant-namespace-operator/config/manager/kustomization.yaml b/containers/tenant-namespace-operator/config/manager/kustomization.yaml
index 5c5f0b8..2bcd3ee 100644
--- a/containers/tenant-namespace-operator/config/manager/kustomization.yaml
+++ b/containers/tenant-namespace-operator/config/manager/kustomization.yaml
@@ -1,2 +1,10 @@
 resources:
 - manager.yaml
+
+generatorOptions:
+ disableNameSuffixHash: true
+
+configMapGenerator:
+- name: manager-config
+ files:
+ - controller_manager_config.yaml
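Review bot: `leaderElection.resourceName: 811c9dc5.pnnl.gov` in the new controller_manager_config.yaml names a different lock object than the `--leader-election-id=tenant-namespace-operator` passed on the command line in manager.yaml and manager_auth_proxy_patch.yaml, so the two configuration paths disagree about which lease identifies this controller. If the ComponentConfig path is ever enabled next to the flags, a rollout could leave two replicas each convinced it holds leadership; which value wins depends on the ansible-operator binary's flag/config precedence, which this hunk does not show. Align the two, e.g. `resourceName: tenant-namespace-operator`, or add a comment above `resourceName` stating that it must stay equal to `--leader-election-id`.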
diff --git a/containers/tenant-namespace-operator/config/manager/manager.yaml b/containers/tenant-namespace-operator/config/manager/manager.yaml
index 411b7a4..5f854b2 100644
--- a/containers/tenant-namespace-operator/config/manager/manager.yaml
+++ b/containers/tenant-namespace-operator/config/manager/manager.yaml
@@ -22,25 +22,30 @@ spec:
 labels:
 control-plane: controller-manager
 spec:
+ securityContext:
+ runAsNonRoot: true
 containers:
- - name: manager
- args:
- - "--enable-leader-election"
- - "--leader-election-id=tenant-namespace-operator"
- env:
- - name: ANSIBLE_GATHERING
- value: explicit
- image: controller:latest
- livenessProbe:
- httpGet:
- path: /readyz
- port: 6789
- initialDelaySeconds: 15
- periodSeconds: 20
- readinessProbe:
- httpGet:
- path: /healthz
- port: 6789
- initialDelaySeconds: 5
- periodSeconds: 10
+ - args:
+ - --leader-elect
+ - --leader-election-id=tenant-namespace-operator
+ image: controller:latest
+ name: manager
+ env:
+ - name: ANSIBLE_GATHERING
+ value: explicit
+ securityContext:
+ allowPrivilegeEscalation: false
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 6789
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 6789
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ serviceAccountName: controller-manager
 terminationGracePeriodSeconds: 10
diff --git a/containers/tenant-namespace-operator/config/manifests/kustomization.yaml b/containers/tenant-namespace-operator/config/manifests/kustomization.yaml
new file mode 100644
index 0000000..6063a99
--- /dev/null
+++ b/containers/tenant-namespace-operator/config/manifests/kustomization.yaml
@@ -0,0 +1,7 @@
+# These resources constitute the fully configured set of manifests
+# used to generate the 'manifests/' directory in a bundle.
+resources:
+- bases/tenant-namespace-operator.clusterserviceversion.yaml
+- ../default
+- ../samples
+- ../scorecard
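Review bot: The new container-level `securityContext` sets only `allowPrivilegeEscalation: false`; with the pod-level `runAsNonRoot: true` that is a good start, but the manager still keeps the runtime's default capability set and a writable root filesystem. Unless the ansible-operator image is known to need them, add `capabilities: {drop: ["ALL"]}` under the container `securityContext` and consider `seccompProfile: {type: RuntimeDefault}` at the pod level; `readOnlyRootFilesystem` would need testing first since the Ansible runtime presumably writes state to disk. The image is still `controller:latest`, which `make deploy` rewrites via `kustomize edit set image`, so any manifest applied outside that target carries a mutable tag.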
diff --git a/containers/tenant-namespace-operator/config/prometheus/monitor.yaml b/containers/tenant-namespace-operator/config/prometheus/monitor.yaml
index 1b44d4f..d19136a 100644
--- a/containers/tenant-namespace-operator/config/prometheus/monitor.yaml
+++ b/containers/tenant-namespace-operator/config/prometheus/monitor.yaml
@@ -1,4 +1,4 @@
----
+
 # Prometheus Monitor Service (Metrics)
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
@@ -11,6 +11,10 @@ spec:
 endpoints:
 - path: /metrics
 port: https
+ scheme: https
+ bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ tlsConfig:
+ insecureSkipVerify: true
 selector:
 matchLabels:
 control-plane: controller-manager
diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml
index 48ed1e4..ec7acc0 100644
--- a/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml
+++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
 name: proxy-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: controller-manager
 namespace: system
diff --git a/containers/tenant-namespace-operator/config/rbac/kustomization.yaml b/containers/tenant-namespace-operator/config/rbac/kustomization.yaml
index 66c2833..731832a 100644
--- a/containers/tenant-namespace-operator/config/rbac/kustomization.yaml
+++ b/containers/tenant-namespace-operator/config/rbac/kustomization.yaml
@@ -1,4 +1,10 @@
 resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml
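Review bot: The new ServiceMonitor endpoint presents the scraper's service-account token (`bearerTokenFile`) over a TLS connection whose server certificate is never validated (`tlsConfig.insecureSkipVerify: true`), so anything that can answer on the scrape target's address is handed a token that can then be replayed against the API server with the scraper's permissions. Pin the kube-rbac-proxy serving CA in `tlsConfig` (`ca` from a secret or configmap plus `serverName`) and drop `insecureSkipVerify`, or at minimum add a comment above `tlsConfig` explaining that verification is off because the proxy serves a self-signed certificate, so the trade-off is visible to whoever enables the `../prometheus` base. Separately, replacing `---` with an empty first line in the first hunk will trip yamllint's `document-start` rule.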
diff --git a/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml b/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml
index 53e9749..6334cc5 100644
--- a/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml
+++ b/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml
@@ -6,8 +6,10 @@ metadata:
 rules:
 - apiGroups:
 - ""
+ - coordination.k8s.io
 resources:
 - configmaps
+ - leases
 verbs:
 - get
 - list
diff --git a/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml b/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml
index eed1690..1d1321e 100644
--- a/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml
+++ b/containers/tenant-namespace-operator/config/rbac/leader_election_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
 name: leader-election-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: controller-manager
 namespace: system
diff --git a/containers/tenant-namespace-operator/config/rbac/role.yaml b/containers/tenant-namespace-operator/config/rbac/role.yaml
index 853329c..2d370b7 100644
--- a/containers/tenant-namespace-operator/config/rbac/role.yaml
+++ b/containers/tenant-namespace-operator/config/rbac/role.yaml
@@ -121,4 +121,4 @@ rules:
 - get
 - list
 - watch
-# +kubebuilder:scaffold:rules
+#+kubebuilder:scaffold:rules
diff --git a/containers/tenant-namespace-operator/config/rbac/role_binding.yaml b/containers/tenant-namespace-operator/config/rbac/role_binding.yaml
index 98f8782..2070ede 100644
--- a/containers/tenant-namespace-operator/config/rbac/role_binding.yaml
+++ b/containers/tenant-namespace-operator/config/rbac/role_binding.yaml
@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -9,5 +8,5 @@ roleRef:
 name: manager-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: controller-manager
 namespace: system
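Review bot: Adding `coordination.k8s.io` and `leases` into the existing single rule grants the cross product of apiGroups × resources × verbs, so the rule now also nominally covers `configmaps` in `coordination.k8s.io` and `leases` in the core group; neither combination exists, so nothing extra is exploitable, but the rule no longer expresses two separate intents and every verb in the list (which continues past the bottom of this hunk) applies to both resources. A later patch in this series splits this into two rules, which is the right shape; consider folding that split into this commit so no intermediate revision carries the merged rule. The `rules` list is cut off at the end of this hunk.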
diff --git a/containers/tenant-namespace-operator/config/rbac/service_account.yaml b/containers/tenant-namespace-operator/config/rbac/service_account.yaml
new file mode 100644
index 0000000..7cd6025
--- /dev/null
+++ b/containers/tenant-namespace-operator/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: controller-manager
+ namespace: system
diff --git a/containers/tenant-namespace-operator/config/samples/kustomization.yaml b/containers/tenant-namespace-operator/config/samples/kustomization.yaml
index ae78b95..b5d5245 100644
--- a/containers/tenant-namespace-operator/config/samples/kustomization.yaml
+++ b/containers/tenant-namespace-operator/config/samples/kustomization.yaml
@@ -2,4 +2,4 @@ resources:
 - miscscripts_v1beta1_tenantnamespace.yaml
 - miscscripts_v1beta1_tenantnamespaceflavor.yaml
-# +kubebuilder:scaffold:manifestskustomizesamples
+#+kubebuilder:scaffold:manifestskustomizesamples
diff --git a/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml b/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml
index d73509e..50cd2d0 100644
--- a/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml
+++ b/containers/tenant-namespace-operator/config/scorecard/kustomization.yaml
@@ -13,4 +13,4 @@ patchesJson6902:
 version: v1alpha3
 kind: Configuration
 name: config
-# +kubebuilder:scaffold:patchesJson6902
+#+kubebuilder:scaffold:patchesJson6902
diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml
index 4581edc..4ba3dcd 100644
--- a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml
+++ b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml
@@ -4,7 +4,7 @@ entrypoint:
 - scorecard-test
 - basic-check-spec
- image: quay.io/operator-framework/scorecard-test:v1.4.0
+ image: quay.io/operator-framework/scorecard-test:v1.6.2
 labels:
 suite: basic
 test: basic-check-spec-test
diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml
index 9422681..ab41b54 100644
--- a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml
+++ b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml
@@ -4,7 +4,7 @@ entrypoint:
 - scorecard-test
 - olm-bundle-validation
- image: quay.io/operator-framework/scorecard-test:v1.4.0
+ image: quay.io/operator-framework/scorecard-test:v1.6.2
 labels:
 suite: olm
 test: olm-bundle-validation-test
@@ -14,7 +14,7 @@ entrypoint:
 - scorecard-test
 - olm-crds-have-validation
- image: quay.io/operator-framework/scorecard-test:v1.4.0
+ image: quay.io/operator-framework/scorecard-test:v1.6.2
 labels:
 suite: olm
 test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@ entrypoint:
 - scorecard-test
 - olm-crds-have-resources
- image: quay.io/operator-framework/scorecard-test:v1.4.0
+ image: quay.io/operator-framework/scorecard-test:v1.6.2
 labels:
 suite: olm
 test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@ entrypoint:
 - scorecard-test
 - olm-spec-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.4.0
+ image: quay.io/operator-framework/scorecard-test:v1.6.2
 labels:
 suite: olm
 test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@ entrypoint:
 - scorecard-test
 - olm-status-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.4.0
+ image: quay.io/operator-framework/scorecard-test:v1.6.2
 labels:
 suite: olm
 test: olm-status-descriptors-test
diff --git a/containers/tenant-namespace-operator/requirements.yml b/containers/tenant-namespace-operator/requirements.yml
index 848028c..600aadf 100644
--- a/containers/tenant-namespace-operator/requirements.yml
+++ b/containers/tenant-namespace-operator/requirements.yml
@@ -1,5 +1,5 @@
 collections:
 - name: community.kubernetes
- version: "<2.0.0"
+ version: "1.2.1"
 - name: operator_sdk.util
- version: "0.1.0"
+ version: "0.2.0"
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml
index 398d03b..e44ba32 100644
--- a/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml
+++ b/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml
@@ -1,3 +1,4 @@
+---
 galaxy_info:
 author: your name
 description: your description
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml
index 398d03b..e44ba32 100644
--- a/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml
+++ b/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml
@@ -1,3 +1,4 @@
+---
 galaxy_info:
 author: your name
 description: your description
diff --git a/containers/tenant-namespace-operator/watches.yaml b/containers/tenant-namespace-operator/watches.yaml
index 17fae67..f69fa1a 100644
--- a/containers/tenant-namespace-operator/watches.yaml
+++ b/containers/tenant-namespace-operator/watches.yaml
@@ -8,4 +8,4 @@ finalizer:
 name: finalizer.tenantnamespace.miscscripts.pnnl.gov
 role: tenantnamespacefin
-# +kubebuilder:scaffold:watch
+#+kubebuilder:scaffold:watch

From 4d86649df3beabac202acf5f5eff8a44305d24ff Mon Sep 17 00:00:00 2001
From: Peter Nordquist
Date: Thu, 26 Oct 2023 13:32:35 -0700
Subject: [PATCH 05/16] Upgraded to 1.7.2

---
 containers/tenant-namespace-operator/Dockerfile | 2 +-
 containers/tenant-namespace-operator/Makefile | 2 +-
 .../config/default/kustomization.yaml | 4 ++++
 .../config/rbac/auth_proxy_client_clusterrole.yaml | 6 ++++--
 .../config/rbac/auth_proxy_role.yaml | 12 ++++++++----
 .../config/rbac/leader_election_role.yaml | 12 +++++++++++-
 .../config/scorecard/patches/basic.config.yaml | 2 +-
 .../config/scorecard/patches/olm.config.yaml | 10 +++++-----
 .../tenant-namespace-operator/requirements.yml | 1 +
 9 files changed, 36 insertions(+), 15 deletions(-)

diff --git a/containers/tenant-namespace-operator/Dockerfile b/containers/tenant-namespace-operator/Dockerfile
index 74e678f..7392143 100644
--- a/containers/tenant-namespace-operator/Dockerfile
+++ b/containers/tenant-namespace-operator/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/operator-framework/ansible-operator:v1.6.2
+FROM quay.io/operator-framework/ansible-operator:v1.7.2
 ARG helm_version=v3.5.2
 USER 0
diff --git a/containers/tenant-namespace-operator/Makefile b/containers/tenant-namespace-operator/Makefile
index d5d65f5..b64c078 100644
--- a/containers/tenant-namespace-operator/Makefile
+++ b/containers/tenant-namespace-operator/Makefile
@@ -109,7 +109,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 @{ \
 set -e ;\
 mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
- curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.6.2/ansible-operator_$(OS)_$(ARCH) ;\
+ curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.7.2/ansible-operator_$(OS)_$(ARCH) ;\
 chmod +x $(ANSIBLE_OPERATOR) ;\
 }
 else
diff --git a/containers/tenant-namespace-operator/config/default/kustomization.yaml b/containers/tenant-namespace-operator/config/default/kustomization.yaml
index fca2593..78d7a6c 100644
--- a/containers/tenant-namespace-operator/config/default/kustomization.yaml
+++ b/containers/tenant-namespace-operator/config/default/kustomization.yaml
@@ -24,3 +24,7 @@ patchesStrategicMerge:
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
 - manager_auth_proxy_patch.yaml
+
+# Mount the controller config file for loading manager configurations
+# through a ComponentConfig type
+#- manager_config_patch.yaml
diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml
index bd4af13..51a75db 100644
--- a/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml
+++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_client_clusterrole.yaml
@@ -3,5 +3,7 @@ kind: ClusterRole
 metadata:
 name: metrics-reader
 rules:
-- nonResourceURLs: ["/metrics"]
- verbs: ["get"]
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml
index 618f5e4..80e1857 100644
--- a/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml
+++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_role.yaml
@@ -3,11 +3,15 @@ kind: ClusterRole
 metadata:
 name: proxy-role
 rules:
-- apiGroups: ["authentication.k8s.io"]
+- apiGroups:
+ - authentication.k8s.io
 resources:
 - tokenreviews
- verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
 resources:
 - subjectaccessreviews
- verbs: ["create"]
+ verbs:
+ - create
diff --git a/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml b/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml
index 6334cc5..4190ec8 100644
--- a/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml
+++ b/containers/tenant-namespace-operator/config/rbac/leader_election_role.yaml
@@ -6,9 +6,19 @@ metadata:
 rules:
 - apiGroups:
 - ""
- - coordination.k8s.io
 resources:
 - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
 - leases
 verbs:
 - get
diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml
index 4ba3dcd..2d4e0a9 100644
--- a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml
+++ b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml
@@ -4,7 +4,7 @@ entrypoint:
 - scorecard-test
 - basic-check-spec
- image: quay.io/operator-framework/scorecard-test:v1.6.2
+ image: quay.io/operator-framework/scorecard-test:v1.7.2
 labels:
 suite: basic
 test: basic-check-spec-test
diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml
index ab41b54..59c5576 100644
--- a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml
+++ b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml
@@ -4,7 +4,7 @@ entrypoint:
 - scorecard-test
 - olm-bundle-validation
- image: quay.io/operator-framework/scorecard-test:v1.6.2
+ image: quay.io/operator-framework/scorecard-test:v1.7.2
 labels:
 suite: olm
 test: olm-bundle-validation-test
@@ -14,7 +14,7 @@ entrypoint:
 - scorecard-test
 - olm-crds-have-validation
- image: quay.io/operator-framework/scorecard-test:v1.6.2
+ image: quay.io/operator-framework/scorecard-test:v1.7.2
 labels:
 suite: olm
 test: olm-crds-have-validation-test
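Review bot: The split into two rules is the right fix for the merged rule from earlier in this series, but the new `configmaps` rule keeps the full write set (`create`, `update`, `patch`, `delete`) in the manager's namespace. If leader election in this operator-sdk version is lease-based — which the `--leader-elect` flag and the `leases` rule suggest but this hunk does not prove — those configmap write verbs are unused privilege held by the `controller-manager` service account; confirm which lock resource the manager actually uses and trim the `configmaps` rule accordingly, or add a comment above it such as `# configmaps are only needed while migrating from configmap- to lease-based leader election`. The `leases` verb list continues past the end of this hunk.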
@@ -24,7 +24,7 @@ entrypoint:
 - scorecard-test
 - olm-crds-have-resources
- image: quay.io/operator-framework/scorecard-test:v1.6.2
+ image: quay.io/operator-framework/scorecard-test:v1.7.2
 labels:
 suite: olm
 test: olm-crds-have-resources-test
@@ -34,7 +34,7 @@ entrypoint:
 - scorecard-test
 - olm-spec-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.6.2
+ image: quay.io/operator-framework/scorecard-test:v1.7.2
 labels:
 suite: olm
 test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@ entrypoint:
 - scorecard-test
 - olm-status-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.6.2
+ image: quay.io/operator-framework/scorecard-test:v1.7.2
 labels:
 suite: olm
 test: olm-status-descriptors-test
diff --git a/containers/tenant-namespace-operator/requirements.yml b/containers/tenant-namespace-operator/requirements.yml
index 600aadf..3f626ed 100644
--- a/containers/tenant-namespace-operator/requirements.yml
+++ b/containers/tenant-namespace-operator/requirements.yml
@@ -1,3 +1,4 @@
+---
 collections:
 - name: community.kubernetes
 version: "1.2.1"

From 664b2dfa389859242100c3c99f49fb2fc495cbbd Mon Sep 17 00:00:00 2001
From: Peter Nordquist
Date: Thu, 26 Oct 2023 16:54:13 -0700
Subject: [PATCH 06/16] Upgraded to 1.11.0

---
 containers/tenant-namespace-operator/Dockerfile | 2 +-
 containers/tenant-namespace-operator/Makefile | 12 ++++++------
 .../config/default/manager_auth_proxy_patch.yaml | 1 +
 .../config/rbac/auth_proxy_service.yaml | 1 +
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/containers/tenant-namespace-operator/Dockerfile b/containers/tenant-namespace-operator/Dockerfile
index 7392143..135c8c5 100644
--- a/containers/tenant-namespace-operator/Dockerfile
+++ b/containers/tenant-namespace-operator/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/operator-framework/ansible-operator:v1.7.2
+FROM quay.io/operator-framework/ansible-operator:v1.11.0
 ARG helm_version=v3.5.2
 USER 0
diff --git a/containers/tenant-namespace-operator/Makefile b/containers/tenant-namespace-operator/Makefile
index b64c078..b629350 100644
--- a/containers/tenant-namespace-operator/Makefile
+++ b/containers/tenant-namespace-operator/Makefile
@@ -6,10 +6,10 @@ VERSION ?= 0.0.1
 # CHANNELS define the bundle channels used in the bundle.
-# Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable")
+# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
-# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=preview,fast,stable)
-# - use environment variables to overwrite this value (e.g export CHANNELS="preview,fast,stable")
+# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable)
+# - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable")
 ifneq ($(origin CHANNELS), undefined)
 BUNDLE_CHANNELS := --channels=$(CHANNELS)
 endif
@@ -59,7 +59,7 @@ help: ## Display this help.
 ##@ Build
 run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config
- $(ANSIBLE_OPERATOR) run
+ ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run
 docker-build: ## Build docker image with the manager.
 docker build -t ${IMG} .
@@ -93,7 +93,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 @{ \
 set -e ;\
 mkdir -p $(dir $(KUSTOMIZE)) ;\
- curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.5.4/kustomize_v3.5.4_$(OS)_$(ARCH).tar.gz | \
+ curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \
 tar xzf - -C bin/ ;\
 }
 else
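Review bot: In the `run` target, `ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles"` yields a value with a leading `:` whenever the variable is absent from the environment, leaving an empty path element whose handling is up to Ansible rather than to this Makefile. GNU make can prepend the separator only when there is something to prepend, e.g. `ANSIBLE_ROLES_PATH="$(if $(ANSIBLE_ROLES_PATH),$(ANSIBLE_ROLES_PATH):)$(shell pwd)/roles"`. The kustomize hunk in the same file still pipes `curl` straight into `tar xzf -` with no checksum, so the version bump changes which unverified archive gets unpacked into `bin/`; that pattern predates this patch. The `run` recipe is a single line, so the whole target is visible here.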
@@ -109,7 +109,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 @{ \
 set -e ;\
 mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
- curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.7.2/ansible-operator_$(OS)_$(ARCH) ;\
+ curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.11.0/ansible-operator_$(OS)_$(ARCH) ;\
 chmod +x $(ANSIBLE_OPERATOR) ;\
 }
 else
diff --git a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml
index 2859969..6b59115 100644
--- a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml
+++ b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml
@@ -18,6 +18,7 @@ spec:
 - "--v=10"
 ports:
 - containerPort: 8443
+ protocol: TCP
 name: https
 - name: manager
 args:
diff --git a/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml b/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml
index 6cf656b..71f1797 100644
--- a/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml
+++ b/containers/tenant-namespace-operator/config/rbac/auth_proxy_service.yaml
@@ -9,6 +9,7 @@ spec:
 ports:
 - name: https
 port: 8443
+ protocol: TCP
 targetPort: https
 selector:
 control-plane: controller-manager

From c914174ddcab8f58ba8d964cd75aa1776d0357e7 Mon Sep 17 00:00:00 2001
From: Peter Nordquist
Date: Thu, 26 Oct 2023 17:38:09 -0700
Subject: [PATCH 07/16] Upgraded to 1.15.0

---
 containers/tenant-namespace-operator/Dockerfile | 2 +-
 containers/tenant-namespace-operator/Makefile | 2 +-
 containers/tenant-namespace-operator/requirements.yml | 4 ++--
 .../roles/tenantnamespace/meta/main.yml | 2 +-
 .../roles/tenantnamespace/tasks/main.yml | 10 +++++-----
 .../roles/tenantnamespacefin/meta/main.yml | 2 +-
 .../roles/tenantnamespacefin/tasks/main.yml | 6 +++---
 7 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/containers/tenant-namespace-operator/Dockerfile b/containers/tenant-namespace-operator/Dockerfile
index 135c8c5..ec763df 100644
--- a/containers/tenant-namespace-operator/Dockerfile
+++ b/containers/tenant-namespace-operator/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/operator-framework/ansible-operator:v1.11.0
+FROM quay.io/operator-framework/ansible-operator:v1.15.0
 ARG helm_version=v3.5.2
 USER 0
diff --git a/containers/tenant-namespace-operator/Makefile b/containers/tenant-namespace-operator/Makefile
index b629350..3b06078 100644
--- a/containers/tenant-namespace-operator/Makefile
+++ b/containers/tenant-namespace-operator/Makefile
@@ -109,7 +109,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 @{ \
 set -e ;\
 mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
- curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.11.0/ansible-operator_$(OS)_$(ARCH) ;\
+ curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.15.0/ansible-operator_$(OS)_$(ARCH) ;\
 chmod +x $(ANSIBLE_OPERATOR) ;\
 }
 else
diff --git a/containers/tenant-namespace-operator/requirements.yml b/containers/tenant-namespace-operator/requirements.yml
index 3f626ed..6972920 100644
--- a/containers/tenant-namespace-operator/requirements.yml
+++ b/containers/tenant-namespace-operator/requirements.yml
@@ -1,6 +1,6 @@
 ---
 collections:
- - name: community.kubernetes
- version: "1.2.1"
+ - name: kubernetes.core
+ version: "2.2.0"
 - name: operator_sdk.util
 version: "0.2.0"
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml
index e44ba32..e496738 100644
--- a/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml
+++ b/containers/tenant-namespace-operator/roles/tenantnamespace/meta/main.yml
@@ -61,4 +61,4 @@ dependencies: []
 # if you add dependencies to this list.
 collections:
 - operator_sdk.util
- - community.kubernetes
+ - kubernetes.core
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml
index b5fed74..343a48a 100644
--- a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml
+++ b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml
@@ -10,7 +10,7 @@
 adminlabels: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceLabels | default({}) | combine({'name': ansible_operator_meta.name + '-admin', 'miscscripts.pnnl.gov/namespace-type': 'admin'}, recursive=True) }}"
 - name: Create the k8s admin namespace
- community.kubernetes.k8s:
+ kubernetes.core.k8s:
 state: present
 definition:
 apiVersion: v1
@@ -39,7 +39,7 @@
 - name: Load in Flavor values if referenced
 block:
 - name: Fetch referenced flavor
- community.kubernetes.k8s_info:
+ kubernetes.core.k8s_info:
 api_version: miscscripts.pnnl.gov/v1beta1
 kind: TenantNamespaceFlavor
 name: "{{ flavor_ref.name }}"
@@ -109,7 +109,7 @@
 - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is defined
 - name: Fetch ingress service
- community.kubernetes.k8s_info:
+ kubernetes.core.k8s_info:
 api_version: v1
 kind: Service
 name: "{{ ansible_operator_meta.name }}-ingress-controller"
@@ -171,7 +171,7 @@ # FIXME Consider making a service account specifically for this so it can't cross namespaces as far as it can today - name: Run Helm - community.kubernetes.helm: + kubernetes.core.helm: name: "{{ ansible_operator_meta.name }}" namespace: "{{ ansible_operator_meta.name }}-admin" chart_ref: ${HOME}/tenant-namespace @@ -225,7 +225,7 @@ userlabels: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceLabels | default({}) | combine({'name': ansible_operator_meta.name, 'miscscripts.pnnl.gov/namespace-type': 'user'}, recursive=True) }}" - name: Create the k8s user namespace - community.kubernetes.k8s: + kubernetes.core.k8s: state: present definition: apiVersion: v1 diff --git a/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml index e44ba32..e496738 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespacefin/meta/main.yml @@ -61,4 +61,4 @@ dependencies: [] # if you add dependencies to this list. collections: - operator_sdk.util - - community.kubernetes + - kubernetes.core diff --git a/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml index f970b0b..bf6da17 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespacefin/tasks/main.yml 
@@ -3,14 +3,14 @@ # Check to see release exists. If it doesnt continue on. If it does, delete it. - name: Delete the helm release - community.kubernetes.helm: + kubernetes.core.helm: name: "{{ ansible_operator_meta.name }}" namespace: "{{ ansible_operator_meta.name }}-admin" state: absent register: objs - name: Delete the k8s user namespace - community.kubernetes.k8s: + kubernetes.core.k8s: state: absent definition: apiVersion: v1 @@ -19,7 +19,7 @@ name: "{{ ansible_operator_meta.name }}" - name: Delete the k8s admin namespace - community.kubernetes.k8s: + kubernetes.core.k8s: state: absent definition: apiVersion: v1 From 235e483ece35133b201133824e962bc2643a1751 Mon Sep 17 00:00:00 2001 From: Peter Nordquist Date: Thu, 26 Oct 2023 17:56:39 -0700 Subject: [PATCH 08/16] Upgraded to 1.18.0 --- .../tenant-namespace-operator/Dockerfile | 2 +- containers/tenant-namespace-operator/Makefile | 24 +++++++++++++++++-- .../default/manager_auth_proxy_patch.yaml | 9 ++++++- .../config/manager/manager.yaml | 11 +++++++++ .../scorecard/patches/basic.config.yaml | 2 +- .../config/scorecard/patches/olm.config.yaml | 10 ++++---- .../requirements.yml | 6 +++-- 7 files changed, 52 insertions(+), 12 deletions(-) diff --git a/containers/tenant-namespace-operator/Dockerfile b/containers/tenant-namespace-operator/Dockerfile index ec763df..a7a86ee 100644 --- a/containers/tenant-namespace-operator/Dockerfile +++ b/containers/tenant-namespace-operator/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/operator-framework/ansible-operator:v1.15.0 +FROM quay.io/operator-framework/ansible-operator:v1.18.0 ARG helm_version=v3.5.2 USER 0 diff --git a/containers/tenant-namespace-operator/Makefile b/containers/tenant-namespace-operator/Makefile index 3b06078..b13ab44 100644 --- a/containers/tenant-namespace-operator/Makefile +++ b/containers/tenant-namespace-operator/Makefile 
@@ -35,9 +35,21 @@ IMAGE_TAG_BASE ?= pnnlmiscscripts/tenant-namespace-operator # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=/:) BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION) +# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command +BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS) + +# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests +# You can enable this value if you would like to use SHA Based Digests +# To enable set flag to true +USE_IMAGE_DIGESTS ?= false +ifeq ($(USE_IMAGE_DIGESTS), true) + BUNDLE_GEN_FLAGS += --use-image-digests +endif + # Image URL to use all building/pushing image targets IMG ?= $(IMAGE_TAG_BASE):$(VERSION) +.PHONY: all all: docker-build ##@ General 
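Review bot: With the new `USE_IMAGE_DIGESTS ?= false` default, `make bundle` keeps writing mutable tag references into the bundle manifests (`IMG` is `$(IMAGE_TAG_BASE):$(VERSION)`), so a re-pushed tag silently changes what a published bundle deploys. For release bundles it is worth running `make bundle USE_IMAGE_DIGESTS=true` so `--use-image-digests` pins immutable digests, and the comment block above the flag should say that this is the intended setting for releases rather than just how to enable it. `BUNDLE_GEN_FLAGS` also expands `$(BUNDLE_METADATA_OPTS)`, which is defined outside this hunk.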
@@ -53,32 +65,40 @@ all: docker-build # More info on the awk command: # http://linuxcommand.org/lc3_adv_awk.php +.PHONY: help help: ## Display this help. @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) ##@ Build +.PHONY: run run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run +.PHONY: docker-build docker-build: ## Build docker image with the manager. docker build -t ${IMG} . +.PHONY: docker-push docker-push: ## Push docker image with the manager. docker push ${IMG} ##@ Deployment +.PHONY: install install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/crd | kubectl apply -f - +.PHONY: uninstall uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/crd | kubectl delete -f - +.PHONY: deploy deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} $(KUSTOMIZE) build config/default | kubectl apply -f - +.PHONY: undeploy undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/default | kubectl delete -f - @@ -109,7 +129,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\ - curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.15.0/ansible-operator_$(OS)_$(ARCH) ;\ + curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.18.0/ansible-operator_$(OS)_$(ARCH) ;\ chmod +x $(ANSIBLE_OPERATOR) ;\ } else 
@@ -140,7 +160,7 @@ ifeq (,$(shell which opm 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(OPM)) ;\ - curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCH)-opm ;\ + curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.19.1/$(OS)-$(ARCH)-opm ;\ chmod +x $(OPM) ;\ } else diff --git a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml index 6b59115..c7ba056 100644 --- a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml +++ b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml @@ -15,11 +15,18 @@ spec: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8080/" - "--logtostderr=true" - - "--v=10" + - "--v=0" ports: - containerPort: 8443 protocol: TCP name: https + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi - name: manager args: - "--health-probe-bind-address=:6789" diff --git a/containers/tenant-namespace-operator/config/manager/manager.yaml b/containers/tenant-namespace-operator/config/manager/manager.yaml index 5f854b2..983a33f 100644 --- a/containers/tenant-namespace-operator/config/manager/manager.yaml +++ b/containers/tenant-namespace-operator/config/manager/manager.yaml @@ -19,6 +19,8 @@ spec: replicas: 1 template: metadata: + annotations: + kubectl.kubernetes.io/default-container: manager labels: control-plane: controller-manager spec: 
@@ -47,5 +49,14 @@ spec: port: 6789 initialDelaySeconds: 5 periodSeconds: 10 + # TODO(user): Configure the resources accordingly based on the project requirements. + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + limits: + cpu: 500m + memory: 768Mi + requests: + cpu: 10m + memory: 256Mi serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml index 2d4e0a9..b866bd1 100644 --- a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.7.2 + image: quay.io/operator-framework/scorecard-test:v1.18.0 labels: suite: basic test: basic-check-spec-test diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml index 59c5576..0c060e8 100644 --- a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.7.2 + image: quay.io/operator-framework/scorecard-test:v1.18.0 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.7.2 + image: quay.io/operator-framework/scorecard-test:v1.18.0 labels: suite: olm test: olm-crds-have-validation-test 
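Review bot: The scaffold placeholder `# TODO(user): Configure the resources accordingly based on the project requirements.` is left in a project-owned manifest next to concrete values (500m/768Mi limits, 10m/256Mi requests), so a reader cannot tell whether these were chosen for this operator or inherited from the generator. Either drop the TODO or replace it with a one-line rationale, e.g. `# Sized for the ansible-operator runtime plus helm; raise memory if reconciles are OOM-killed.` The enclosing container and Deployment spec start outside the hunk.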
@@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.7.2 + image: quay.io/operator-framework/scorecard-test:v1.18.0 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.7.2 + image: quay.io/operator-framework/scorecard-test:v1.18.0 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.7.2 + image: quay.io/operator-framework/scorecard-test:v1.18.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/containers/tenant-namespace-operator/requirements.yml b/containers/tenant-namespace-operator/requirements.yml index 6972920..b3543f6 100644 --- a/containers/tenant-namespace-operator/requirements.yml +++ b/containers/tenant-namespace-operator/requirements.yml @@ -1,6 +1,8 @@ --- collections: + - name: operator_sdk.util + version: "0.4.0" - name: kubernetes.core version: "2.2.0" - - name: operator_sdk.util - version: "0.2.0" + - name: cloud.common + version: "2.1.0" From b0865e8f879739feb6a94573f4855664f5d51ccf Mon Sep 17 00:00:00 2001 From: Peter Nordquist Date: Thu, 26 Oct 2023 20:39:14 -0700 Subject: [PATCH 09/16] Upgraded to 1.22.2 --- charts/charts/tenant-namespace-operator/values.yaml | 8 +++++--- containers/tenant-namespace-operator/Dockerfile | 2 +- containers/tenant-namespace-operator/Makefile | 4 ++-- .../config/default/manager_auth_proxy_patch.yaml | 7 ++++++- .../config/manager/controller_manager_config.yaml | 10 ++++++++++ .../config/manager/manager.yaml | 5 +++++ .../config/scorecard/patches/basic.config.yaml | 2 +- .../config/scorecard/patches/olm.config.yaml | 10 +++++----- containers/tenant-namespace-operator/requirements.yml | 4 ++-- 9 files changed, 37 insertions(+), 15 deletions(-) 
diff --git a/charts/charts/tenant-namespace-operator/values.yaml b/charts/charts/tenant-namespace-operator/values.yaml index a956462..bc1959b 100644 --- a/charts/charts/tenant-namespace-operator/values.yaml +++ b/charts/charts/tenant-namespace-operator/values.yaml @@ -30,13 +30,15 @@ serviceAccount: podSecurityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault # fsGroup: 2000 securityContext: allowPrivilegeEscalation: false - # capabilities: - # drop: - # - ALL + capabilities: + drop: + - ALL # readOnlyRootFilesystem: true # runAsUser: 1000 diff --git a/containers/tenant-namespace-operator/Dockerfile b/containers/tenant-namespace-operator/Dockerfile index a7a86ee..914bcbf 100644 --- a/containers/tenant-namespace-operator/Dockerfile +++ b/containers/tenant-namespace-operator/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/operator-framework/ansible-operator:v1.18.0 +FROM quay.io/operator-framework/ansible-operator:v1.22.2 ARG helm_version=v3.5.2 USER 0 diff --git a/containers/tenant-namespace-operator/Makefile b/containers/tenant-namespace-operator/Makefile index b13ab44..ee5792c 100644 --- a/containers/tenant-namespace-operator/Makefile +++ b/containers/tenant-namespace-operator/Makefile @@ -129,7 +129,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\ - curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.18.0/ansible-operator_$(OS)_$(ARCH) ;\ + curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.22.2/ansible-operator_$(OS)_$(ARCH) ;\ chmod +x $(ANSIBLE_OPERATOR) ;\ } else 
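Review bot: `drop: - ALL` is written unquoted here while the equivalent lines added to config/manager/manager.yaml and config/default/manager_auth_proxy_patch.yaml in the same patch (L48, L49) use `- "ALL"`; both parse to the same string, but the copies of one security context should use one form. Separately, `readOnlyRootFilesystem: true` stays commented out with no explanation; the Dockerfile in this series creates `/.extrafingerprints` at build time and helm presumably needs writable cache/config directories at run time, so enabling it would likely require emptyDir mounts. A comment next to the commented key stating why it is off (or what mounts would be needed) would turn scaffold residue into a documented decision.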
@@ -160,7 +160,7 @@ ifeq (,$(shell which opm 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(OPM)) ;\ - curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.19.1/$(OS)-$(ARCH)-opm ;\ + curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$(OS)-$(ARCH)-opm ;\ chmod +x $(OPM) ;\ } else diff --git a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml index c7ba056..74461ab 100644 --- a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml +++ b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml @@ -10,7 +10,12 @@ spec: spec: containers: - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8080/" diff --git a/containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml b/containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml index 68ada6b..88c9817 100644 --- a/containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml +++ b/containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml 
@@ -8,3 +8,13 @@ metrics: leaderElection: leaderElect: true resourceName: 811c9dc5.pnnl.gov +# leaderElectionReleaseOnCancel defines if the leader should step down volume +# when the Manager ends. This requires the binary to immediately end when the +# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly +# speeds up voluntary leader transitions as the new leader don't have to wait +# LeaseDuration time first. +# In the default scaffold provided, the program ends immediately after +# the manager stops, so would be fine to enable this option. However, +# if you are doing or is intended to do any operation such as perform cleanups +# after the manager stops then its usage might be unsafe. +# leaderElectionReleaseOnCancel: true diff --git a/containers/tenant-namespace-operator/config/manager/manager.yaml b/containers/tenant-namespace-operator/config/manager/manager.yaml index 983a33f..1dfd91f 100644 --- a/containers/tenant-namespace-operator/config/manager/manager.yaml +++ b/containers/tenant-namespace-operator/config/manager/manager.yaml @@ -26,6 +26,8 @@ spec: spec: securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - args: - --leader-elect @@ -37,6 +39,9 @@ spec: value: explicit securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" livenessProbe: httpGet: path: /healthz diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml index b866bd1..4a6c816 100644 --- a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.18.0 + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: basic test: basic-check-spec-test 
diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml index 0c060e8..c342410 100644 --- a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.18.0 + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.18.0 + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.18.0 + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.18.0 + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.18.0 + image: quay.io/operator-framework/scorecard-test:v1.22.2 labels: suite: olm test: olm-status-descriptors-test diff --git a/containers/tenant-namespace-operator/requirements.yml b/containers/tenant-namespace-operator/requirements.yml index b3543f6..6fd8849 100644 --- a/containers/tenant-namespace-operator/requirements.yml +++ b/containers/tenant-namespace-operator/requirements.yml 
@@ -3,6 +3,6 @@ collections: - name: operator_sdk.util version: "0.4.0" - name: kubernetes.core - version: "2.2.0" + version: "2.3.1" - name: cloud.common - version: "2.1.0" + version: "2.1.1" From 5927592e3f9e47fda7b3dd12a250e9cfec784cb6 Mon Sep 17 00:00:00 2001 From: Peter Nordquist Date: Thu, 26 Oct 2023 21:51:09 -0700 Subject: [PATCH 10/16] Upgraded to 1.28.1 --- .../tenant-namespace-operator/values.yaml | 14 +++++++++- .../tenant-namespace-operator/Dockerfile | 15 +++++----- containers/tenant-namespace-operator/Makefile | 28 +++++++++++++++---- containers/tenant-namespace-operator/PROJECT | 4 +++ .../config/default/kustomization.yaml | 12 ++++---- .../default/manager_auth_proxy_patch.yaml | 18 +++++++++++- .../config/default/manager_config_patch.yaml | 10 ------- .../manager/controller_manager_config.yaml | 20 ------------- .../config/manager/kustomization.yaml | 8 ------ .../config/manager/manager.yaml | 14 ++++++++++ .../config/samples/kustomization.yaml | 2 +- .../scorecard/patches/basic.config.yaml | 2 +- .../config/scorecard/patches/olm.config.yaml | 10 +++---- .../requirements.yml | 4 ++- 14 files changed, 95 insertions(+), 66 deletions(-) delete mode 100644 containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml diff --git a/charts/charts/tenant-namespace-operator/values.yaml b/charts/charts/tenant-namespace-operator/values.yaml index bc1959b..e236cf7 100644 --- a/charts/charts/tenant-namespace-operator/values.yaml +++ b/charts/charts/tenant-namespace-operator/values.yaml @@ -58,7 +58,19 @@ nodeSelector: {} tolerations: [] -affinity: {} +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - key: kubernetes.io/os + operator: In + values: + - linux ingressClass: enabled: true 
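Review bot: The chart's new nodeAffinity admits only `amd64`, whereas the same patch builds the image for `linux/arm64,linux/amd64` (`PLATFORMS`, L53), the Dockerfile now maps `aarch64` to `arm64` (L52), and the manifests under config/ allow `amd64`/`arm64` (manager.yaml, L57) or `amd64`/`arm64`/`ppc64le`/`s390x` (manager_auth_proxy_patch.yaml, L55). As written the chart will never schedule the arm64 image it just gained, and the auth-proxy patch can place pods on ppc64le/s390x nodes for which no image is built. Align all three lists with `PLATFORMS`, i.e. `values: - amd64 - arm64` here, and drop `ppc64le`/`s390x` from the patch unless those platforms are added to the buildx target.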
diff --git a/containers/tenant-namespace-operator/Dockerfile b/containers/tenant-namespace-operator/Dockerfile index 914bcbf..b380f4f 100644 --- a/containers/tenant-namespace-operator/Dockerfile +++ b/containers/tenant-namespace-operator/Dockerfile @@ -1,16 +1,17 @@ -FROM quay.io/operator-framework/ansible-operator:v1.22.2 +FROM quay.io/operator-framework/ansible-operator:v1.28.1 ARG helm_version=v3.5.2 USER 0 RUN \ - yum clean all && \ - yum install -y git patch && \ - yum clean all && \ - curl -o helm.tar.gz https://get.helm.sh/helm-${helm_version}-linux-amd64.tar.gz && \ + dnf clean all && \ + dnf install -y git patch && \ + dnf clean all && \ + ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \ + curl -o helm.tar.gz https://get.helm.sh/helm-${helm_version}-linux-${ARCH}.tar.gz && \ tar -zxvf helm.tar.gz && \ - mv linux-amd64/helm /usr/local/bin/helm && \ + mv linux-${ARCH}/helm /usr/local/bin/helm && \ rm -f helm.tar.gz && \ - rm -rf linux-amd64 && \ + rm -rf linux-${ARCH} && \ touch /.extrafingerprints && \ chown ${USER_UID}:0 /.extrafingerprints diff --git a/containers/tenant-namespace-operator/Makefile b/containers/tenant-namespace-operator/Makefile index ee5792c..703e992 100644 --- a/containers/tenant-namespace-operator/Makefile +++ b/containers/tenant-namespace-operator/Makefile @@ -72,8 +72,9 @@ help: ## Display this help. ##@ Build .PHONY: run +ANSIBLE_ROLES_PATH?="$(shell pwd)/roles" run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config - ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run + $(ANSIBLE_OPERATOR) run .PHONY: docker-build docker-build: ## Build docker image with the manager. 
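Review bot: The helm archive is still fetched with a bare `curl -o helm.tar.gz https://get.helm.sh/...` and unpacked with no integrity check, so a tampered or truncated download becomes `/usr/local/bin/helm` in the operator image, and without `-f` an HTTP error body is saved as `helm.tar.gz` and only fails later at `tar`. Helm publishes a `.sha256sum` file next to each archive; fetching it and running `sha256sum -c` before extracting closes the gap, and `-fsSL` makes transport failures fail the build. Keeping the archive under its upstream name lets the checksum file be used as-is.
```dockerfile
    ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \
    HELM_TGZ=helm-${helm_version}-linux-${ARCH}.tar.gz && \
    curl -fsSLO https://get.helm.sh/${HELM_TGZ} && \
    curl -fsSLO https://get.helm.sh/${HELM_TGZ}.sha256sum && \
    sha256sum -c ${HELM_TGZ}.sha256sum && \
    tar -zxvf ${HELM_TGZ} && \
    mv linux-${ARCH}/helm /usr/local/bin/helm && \
    rm -f ${HELM_TGZ} ${HELM_TGZ}.sha256sum && \
    # … unchanged: rm -rf linux-${ARCH}, touch/chown /.extrafingerprints …
```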
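Review bot: `ANSIBLE_ROLES_PATH?="$(shell pwd)/roles"` is a plain make variable and the `run` recipe no longer sets it inline, so unless it is exported it never reaches the environment of `$(ANSIBLE_OPERATOR) run`; and when it is already in the environment, `?=` leaves it untouched, so the assignment is a no-op in both cases. Add `export ANSIBLE_ROLES_PATH` after the assignment, or restore an inline `ANSIBLE_ROLES_PATH=$(ANSIBLE_ROLES_PATH) $(ANSIBLE_OPERATOR) run`. The literal double quotes in the value would also become part of the exported path; `ANSIBLE_ROLES_PATH ?= $(shell pwd)/roles` avoids that. Whether ansible-operator falls back to `./roles` on its own is not visible here.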
@@ -83,6 +84,23 @@ docker-build: ## Build docker image with the manager. docker-push: ## Push docker image with the manager. docker push ${IMG} +# PLATFORMS defines the target platforms for the manager image be build to provide support to multiple +# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: +# - able to use docker buildx . More info: https://docs.docker.com/build/buildx/ +# - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/ +# - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=> than the export will fail) +# To properly provided solutions that supports more than one platform you should use this option. +PLATFORMS ?= linux/arm64,linux/amd64 +.PHONY: docker-buildx +docker-buildx: test ## Build and push docker image for the manager for cross-platform support + # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile + sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross + - docker buildx create --name project-v3-builder + docker buildx use project-v3-builder + - docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . + - docker buildx rm project-v3-builder + rm Dockerfile.cross + ##@ Deployment .PHONY: install @@ -103,7 +121,7 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi $(KUSTOMIZE) build config/default | kubectl delete -f - OS := $(shell uname -s | tr '[:upper:]' '[:lower:]') -ARCH := $(shell uname -m | sed 's/x86_64/amd64/') +ARCH := $(shell uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') .PHONY: kustomize KUSTOMIZE = $(shell pwd)/bin/kustomize 
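Review bot: `docker-buildx: test` depends on a `test` target that appears nowhere in this Makefile listing, so if none exists `make docker-buildx` stops with "No rule to make target 'test'" before building anything. The `-` prefix on `- docker buildx build --push ...` then makes a failed build or push non-fatal, so the target exits 0 and deletes `Dockerfile.cross`, hiding a broken multi-arch release from CI; only the `create`/`rm` lines, which legitimately fail when the builder already exists or is gone, should carry the `-`. Suggested: `docker-buildx: ## Build and push docker image for the manager for cross-platform support` and `docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .`.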
@@ -113,7 +131,7 @@ ifeq (,$(shell which kustomize 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(KUSTOMIZE)) ;\ - curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.8.7/kustomize_v3.8.7_$(OS)_$(ARCH).tar.gz | \ + curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_$(OS)_$(ARCH).tar.gz | \ tar xzf - -C bin/ ;\ } else @@ -129,7 +147,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\ - curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.22.2/ansible-operator_$(OS)_$(ARCH) ;\ + curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.28.1/ansible-operator_$(OS)_$(ARCH) ;\ chmod +x $(ANSIBLE_OPERATOR) ;\ } else @@ -141,7 +159,7 @@ endif bundle: kustomize ## Generate bundle manifests and metadata, then validate generated files. operator-sdk generate kustomize manifests -q cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) - $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS) + $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle $(BUNDLE_GEN_FLAGS) operator-sdk bundle validate ./bundle .PHONY: bundle-build diff --git a/containers/tenant-namespace-operator/PROJECT b/containers/tenant-namespace-operator/PROJECT index 7b78fd7..7195632 100644 --- a/containers/tenant-namespace-operator/PROJECT +++ b/containers/tenant-namespace-operator/PROJECT @@ -1,3 +1,7 @@ +# Code generated by tool. DO NOT EDIT. +# This file is used to track the info used to scaffold your project +# and allow the plugins properly work. +# More info: https://book.kubebuilder.io/reference/project-config.html domain: pnnl.gov layout: - ansible.sdk.operatorframework.io/v1 
diff --git a/containers/tenant-namespace-operator/config/default/kustomization.yaml b/containers/tenant-namespace-operator/config/default/kustomization.yaml index 78d7a6c..bfb2076 100644 --- a/containers/tenant-namespace-operator/config/default/kustomization.yaml +++ b/containers/tenant-namespace-operator/config/default/kustomization.yaml @@ -9,10 +9,12 @@ namespace: tenant-namespace-operator namePrefix: tenant-namespace-operator- # Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue -bases: +resources: - ../crd - ../rbac - ../manager @@ -25,6 +27,4 @@ patchesStrategicMerge: # endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml -# Mount the controller config file for loading manager configurations -# through a ComponentConfig type -#- manager_config_patch.yaml + diff --git a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml index 74461ab..9e1fc82 100644 --- a/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml +++ b/containers/tenant-namespace-operator/config/default/manager_auth_proxy_patch.yaml @@ -8,6 +8,22 @@ metadata: spec: template: spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux containers: - name: kube-rbac-proxy securityContext: @@ -15,7 +31,7 @@ spec: capabilities: drop: - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8080/" 
diff --git a/containers/tenant-namespace-operator/config/default/manager_config_patch.yaml b/containers/tenant-namespace-operator/config/default/manager_config_patch.yaml index 6c40015..f6f5891 100644 --- a/containers/tenant-namespace-operator/config/default/manager_config_patch.yaml +++ b/containers/tenant-namespace-operator/config/default/manager_config_patch.yaml @@ -8,13 +8,3 @@ spec: spec: containers: - name: manager - args: - - "--config=controller_manager_config.yaml" - volumeMounts: - - name: manager-config - mountPath: /controller_manager_config.yaml - subPath: controller_manager_config.yaml - volumes: - - name: manager-config - configMap: - name: manager-config diff --git a/containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml b/containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml deleted file mode 100644 index 88c9817..0000000 --- a/containers/tenant-namespace-operator/config/manager/controller_manager_config.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 -kind: ControllerManagerConfig -health: - healthProbeBindAddress: :6789 -metrics: - bindAddress: 127.0.0.1:8080 - -leaderElection: - leaderElect: true - resourceName: 811c9dc5.pnnl.gov -# leaderElectionReleaseOnCancel defines if the leader should step down volume -# when the Manager ends. This requires the binary to immediately end when the -# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly -# speeds up voluntary leader transitions as the new leader don't have to wait -# LeaseDuration time first. -# In the default scaffold provided, the program ends immediately after -# the manager stops, so would be fine to enable this option. However, -# if you are doing or is intended to do any operation such as perform cleanups -# after the manager stops then its usage might be unsafe. -# leaderElectionReleaseOnCancel: true 
diff --git a/containers/tenant-namespace-operator/config/manager/kustomization.yaml b/containers/tenant-namespace-operator/config/manager/kustomization.yaml index 2bcd3ee..5c5f0b8 100644 --- a/containers/tenant-namespace-operator/config/manager/kustomization.yaml +++ b/containers/tenant-namespace-operator/config/manager/kustomization.yaml @@ -1,10 +1,2 @@ resources: - manager.yaml - -generatorOptions: - disableNameSuffixHash: true - -configMapGenerator: -- name: manager-config - files: - - controller_manager_config.yaml diff --git a/containers/tenant-namespace-operator/config/manager/manager.yaml b/containers/tenant-namespace-operator/config/manager/manager.yaml index 1dfd91f..4710fb7 100644 --- a/containers/tenant-namespace-operator/config/manager/manager.yaml +++ b/containers/tenant-namespace-operator/config/manager/manager.yaml @@ -24,6 +24,20 @@ spec: labels: control-plane: controller-manager spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - key: kubernetes.io/os + operator: In + values: + - linux securityContext: runAsNonRoot: true seccompProfile: diff --git a/containers/tenant-namespace-operator/config/samples/kustomization.yaml b/containers/tenant-namespace-operator/config/samples/kustomization.yaml index b5d5245..ea2ca2e 100644 --- a/containers/tenant-namespace-operator/config/samples/kustomization.yaml +++ b/containers/tenant-namespace-operator/config/samples/kustomization.yaml @@ -1,4 +1,4 @@ -## Append samples you want in your CSV to this file as resources ## +## Append samples of your project ## resources: - miscscripts_v1beta1_tenantnamespace.yaml - miscscripts_v1beta1_tenantnamespaceflavor.yaml diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml index 4a6c816..c8455f1 100644 
--- a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.28.1 labels: suite: basic test: basic-check-spec-test diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml index c342410..8680989 100644 --- a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.28.1 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.28.1 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.28.1 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.28.1 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.28.1 labels: suite: olm test: olm-status-descriptors-test 
diff --git a/containers/tenant-namespace-operator/requirements.yml b/containers/tenant-namespace-operator/requirements.yml index 6fd8849..6fcdac3 100644 --- a/containers/tenant-namespace-operator/requirements.yml +++ b/containers/tenant-namespace-operator/requirements.yml @@ -3,6 +3,8 @@ collections: - name: operator_sdk.util version: "0.4.0" - name: kubernetes.core - version: "2.3.1" + version: "2.4.0" - name: cloud.common version: "2.1.1" + - name: community.docker + version: "3.4.0" From 28d01b2ea507dbd544414677e5f200817878b526 Mon Sep 17 00:00:00 2001 From: Peter Nordquist Date: Fri, 27 Oct 2023 12:20:33 -0700 Subject: [PATCH 11/16] Moved b64encode to diff string set_fact --- .../roles/tenantnamespace/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml index 343a48a..2666091 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml @@ -205,7 +205,7 @@ no_log: true - name: Set diff ansible.builtin.set_fact: - differ: "{{ diffhelm.stdout }}\n" + differ: "{{ (diffhelm.stdout + '\n') | b64encode }}" - name: Remove temp file ansible.builtin.file: path: "{{ temp_filename.path }}" @@ -218,7 +218,7 @@ name: "{{ ansible_operator_meta.name }}" namespace: "{{ ansible_operator_meta.namespace }}" status: - diff: "{{ differ | b64encode }}" + diff: "{{ differ }}" - name: Set user labels ansible.builtin.set_fact: From c042a5ab266c95b7c0f932d564e3462f4993f4cf Mon Sep 17 00:00:00 2001 
From: Peter Nordquist Date: Fri, 27 Oct 2023 14:08:23 -0700 Subject: [PATCH 12/16] Started using check/diff mode on tasks Switched to use the helm task diff output and check mode for dryrun Switched k8s tasks to use check mode for dryrun The helm task does not output a diff if the release is not installed --- .../roles/tenantnamespace/tasks/main.yml | 43 +++---------------- 1 file changed, 5 insertions(+), 38 deletions(-) diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml index 2666091..cf3a554 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml @@ -19,8 +19,7 @@ name: "{{ ansible_operator_meta.name }}-admin" labels: "{{ adminlabels }}" annotations: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceAnnotations | default({}) }}" - when: - - not dryrun + check_mode: "{{ dryrun }}" - name: Set initial defaults. They be overridden. ansible.builtin.set_fact: 
@@ -177,39 +176,8 @@ chart_ref: ${HOME}/tenant-namespace values: "{{ merged_values }}" register: objs - when: - - not dryrun - -- name: Set diff - ansible.builtin.set_fact: - differ: "" - -- name: Dry Run Helm - when: - - dryrun - block: - - name: Make temp file - ansible.builtin.tempfile: - state: file - suffix: .yaml - register: temp_filename - - name: Copy values to temp file - ansible.builtin.copy: - content: "{{ merged_values | to_yaml }}" - dest: "{{ temp_filename.path }}" - no_log: true - - name: Do dry run of helm - ansible.builtin.shell: "helm diff upgrade --install --detailed-exitcode --namespace {{ ansible_operator_meta.name }}-admin {{ ansible_operator_meta.name }} ${HOME}/tenant-namespace -f {{ temp_filename.path }}" - register: diffhelm - ignore_errors: true - no_log: true - - name: Set diff - ansible.builtin.set_fact: - differ: "{{ (diffhelm.stdout + '\n') | b64encode }}" - - name: Remove temp file - ansible.builtin.file: - path: "{{ temp_filename.path }}" - state: absent + check_mode: "{{ dryrun }}" + diff: "{{ dryrun }}" - name: Set diff output on status operator_sdk.util.k8s_status: @@ -218,7 +186,7 @@ name: "{{ ansible_operator_meta.name }}" namespace: "{{ ansible_operator_meta.namespace }}" status: - diff: "{{ differ }}" + diff: "{{ ((objs.diff.prepared | default('')) + '\n') | b64encode }}" - name: Set user labels ansible.builtin.set_fact: @@ -234,5 +202,4 @@ name: "{{ ansible_operator_meta.name }}" labels: "{{ userlabels }}" annotations: "{{ _miscscripts_pnnl_gov_tenantnamespace_spec.extraNamespaceAnnotations | default({}) }}" - when: - - not dryrun + check_mode: "{{ dryrun }}" From 3d47a41226307a216aca13eea819fab9963bc0a5 Mon Sep 17 00:00:00 2001 From: Peter Nordquist Date: Fri, 27 Oct 2023 14:10:18 -0700 Subject: [PATCH 13/16] Addressed when/block ordering ansible-lint issues --- .../roles/tenantnamespace/tasks/main.yml | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) 
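Review bot: The helm task that now runs with `diff: "{{ dryrun }}"` shows no `no_log` in this hunk, whereas the shell-based dry run it replaces carried `no_log: true` on both the values copy and the `helm diff` call; in dryrun mode the prepared diff (rendered manifests, which can include Secret data derived from `merged_values`) would therefore land in the operator's task output. If the task header above `chart_ref:` does not already set it, add `no_log: true` to the helm task — the registered `objs` is still populated, so the status update below keeps working. The helm task definition starts outside the hunk, so this is inferred from the visible lines only. The diff is then base64-encoded into the CR status as before, so anyone who can read TenantNamespace objects can read it; that is unchanged by this commit but worth recording next to the `diff:` status key, e.g. `# rendered helm diff; readable by anyone with get on this CR`.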
diff --git a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml index cf3a554..72d29dd 100644 --- a/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml +++ b/containers/tenant-namespace-operator/roles/tenantnamespace/tasks/main.yml @@ -36,6 +36,10 @@ enabled: true - name: Load in Flavor values if referenced + when: + - flavor_ref is defined + - flavor_ref.kind == "TenantNamespaceFlavor" + - flavor_ref.group == "miscscripts.pnnl.gov" block: - name: Fetch referenced flavor kubernetes.core.k8s_info: @@ -49,10 +53,6 @@ - name: Merge in flavor values ansible.builtin.set_fact: merged_values: "{{ merged_values | combine(flavor.resources[0].spec, recursive=True) }}" - when: - - flavor_ref is defined - - flavor_ref.kind == "TenantNamespaceFlavor" - - flavor_ref.group == "miscscripts.pnnl.gov" - name: Set values from CR ansible.builtin.set_fact: merged_values: "{{ merged_values | combine(_miscscripts_pnnl_gov_tenantnamespace_spec, recursive=True) }}" @@ -119,6 +119,17 @@ _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined - name: Merge in existing ingress ip if exists + when: + - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined + - merged_values.ingress.controller.service.loadBalancerIP is not defined + - ingressService is defined + - ingressService.resources is defined + - ingressService.resources[0] is defined + - ingressService.resources[0].status is defined + - ingressService.resources[0].status.loadBalancer is defined + - ingressService.resources[0].status.loadBalancer.ingress is defined + - ingressService.resources[0].status.loadBalancer.ingress[0] is defined + - ingressService.resources[0].status.loadBalancer.ingress[0].ip is defined block: - name: Set ingress ip. ansible.builtin.set_fact: 
@@ -131,17 +142,6 @@ namespace: "{{ ansible_operator_meta.namespace }}" status: loadBalancerIP: "{{ ingressService.resources[0].status.loadBalancer.ingress[0].ip }}" - when: - - _miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is not defined - - merged_values.ingress.controller.service.loadBalancerIP is not defined - - ingressService is defined - - ingressService.resources is defined - - ingressService.resources[0] is defined - - ingressService.resources[0].status is defined - - ingressService.resources[0].status.loadBalancer is defined - - ingressService.resources[0].status.loadBalancer.ingress is defined - - ingressService.resources[0].status.loadBalancer.ingress[0] is defined - - ingressService.resources[0].status.loadBalancer.ingress[0].ip is defined - name: Set ingress ip if specified ansible.builtin.set_fact: From 5c40e9d9ab5a0a17ddb9bd0b903dee1e8e12e484 Mon Sep 17 00:00:00 2001 From: Peter Nordquist Date: Fri, 27 Oct 2023 15:15:48 -0700 Subject: [PATCH 14/16] Upgraded to 1.32.0 --- .../tenant-namespace-operator/Dockerfile | 6 ++-- containers/tenant-namespace-operator/Makefile | 30 +++++++++++++++---- .../scorecard/patches/basic.config.yaml | 2 +- .../config/scorecard/patches/olm.config.yaml | 10 +++---- .../requirements.yml | 2 +- 5 files changed, 35 insertions(+), 15 deletions(-) diff --git a/containers/tenant-namespace-operator/Dockerfile b/containers/tenant-namespace-operator/Dockerfile index b380f4f..30bca69 100644 --- a/containers/tenant-namespace-operator/Dockerfile +++ b/containers/tenant-namespace-operator/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/operator-framework/ansible-operator:v1.28.1 +FROM quay.io/operator-framework/ansible-operator:v1.32.0 ARG helm_version=v3.5.2 USER 0 
@@ -23,7 +23,7 @@ COPY roles/ ${HOME}/roles/ #FIXME forcing ingress newer to work on newer k8s clusters. Fix upstream chart. RUN \ - ansible-galaxy collection install -r ${HOME}/requirements.yml && \ + ansible-galaxy install -r ${HOME}/requirements.yml && \ chmod -R ug+rwx ${HOME}/.ansible && \ helm plugin install https://github.com/databus23/helm-diff --version master && \ helm pull --repo https://pnnl-miscscripts.github.io/charts tenant-namespace --version 0.6.13 --untar && \ @@ -33,4 +33,4 @@ RUN \ echo 0.1.13 >> /.extrafingerprints && \ md5sum watches.yaml >> /.extrafingerprints -ENTRYPOINT ["/usr/local/bin/ansible-operator", "run", "--watches-file=./watches.yaml", "--inject-owner-ref=false"] +ENTRYPOINT ["/tini", "--", "/usr/local/bin/ansible-operator", "run", "--watches-file=./watches.yaml", "--inject-owner-ref=false"] diff --git a/containers/tenant-namespace-operator/Makefile b/containers/tenant-namespace-operator/Makefile index 703e992..047ef55 100644 --- a/containers/tenant-namespace-operator/Makefile +++ b/containers/tenant-namespace-operator/Makefile @@ -46,6 +46,10 @@ ifeq ($(USE_IMAGE_DIGESTS), true) BUNDLE_GEN_FLAGS += --use-image-digests endif +# Set the Operator SDK version to use. By default, what is installed on the system is used. +# This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit. +OPERATOR_SDK_VERSION ?= v1.32.0 + # Image URL to use all building/pushing image targets IMG ?= $(IMAGE_TAG_BASE):$(VERSION) @@ -147,7 +151,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\ - curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.28.1/ansible-operator_$(OS)_$(ARCH) ;\ + curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.32.0/ansible-operator_$(OS)_$(ARCH) ;\ chmod +x $(ANSIBLE_OPERATOR) ;\ } else 
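Review bot: The `curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/...` download in the ansible-operator target, and the new operator-sdk target in the following hunk, fetch release binaries with no checksum or signature verification before `chmod +x`, and without `-f` a 404 page would be saved and marked executable; at minimum use `curl -fsSLo ...`, and ideally compare the downloaded asset against the checksums published with the release so a substituted binary fails the build instead of running. Separately, this URL hardcodes `v1.32.0` while the preceding hunk introduces `OPERATOR_SDK_VERSION ?= v1.32.0` for the operator-sdk target; if the two are meant to track together, a second variable (e.g. `ANSIBLE_OPERATOR_VERSION ?= v1.32.0`) or a comment saying they are independent would keep them from drifting silently. The surrounding recipe bodies are unchanged by this commit.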
@@ -155,12 +159,28 @@ ANSIBLE_OPERATOR = $(shell which ansible-operator) endif endif +.PHONY: operator-sdk +OPERATOR_SDK ?= ./bin/operator-sdk +operator-sdk: ## Download operator-sdk locally if necessary. +ifeq (,$(wildcard $(OPERATOR_SDK))) +ifeq (, $(shell which operator-sdk 2>/dev/null)) + @{ \ + set -e ;\ + mkdir -p $(dir $(OPERATOR_SDK)) ;\ + curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$(OS)_$(ARCH) ;\ + chmod +x $(OPERATOR_SDK) ;\ + } +else +OPERATOR_SDK = $(shell which operator-sdk) +endif +endif + .PHONY: bundle -bundle: kustomize ## Generate bundle manifests and metadata, then validate generated files. - operator-sdk generate kustomize manifests -q +bundle: kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files. + $(OPERATOR_SDK) generate kustomize manifests -q cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) - $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle $(BUNDLE_GEN_FLAGS) - operator-sdk bundle validate ./bundle + $(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) + $(OPERATOR_SDK) bundle validate ./bundle .PHONY: bundle-build bundle-build: ## Build the bundle image. diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml index c8455f1..472a988 100644 --- a/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.28.1 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: basic test: basic-check-spec-test 
diff --git a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml index 8680989..343c6d8 100644 --- a/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml +++ b/containers/tenant-namespace-operator/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.28.1 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.28.1 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.28.1 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.28.1 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.28.1 + image: quay.io/operator-framework/scorecard-test:v1.32.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/containers/tenant-namespace-operator/requirements.yml b/containers/tenant-namespace-operator/requirements.yml index 6fcdac3..8baf919 100644 --- a/containers/tenant-namespace-operator/requirements.yml +++ b/containers/tenant-namespace-operator/requirements.yml 
@@ -1,7 +1,7 @@ --- collections: - name: operator_sdk.util - version: "0.4.0" + version: "0.5.0" - name: kubernetes.core version: "2.4.0" - name: cloud.common From a4783b99de589074e883e15b2152af4967ac09fe Mon Sep 17 00:00:00 2001 From: Peter Nordquist Date: Mon, 30 Oct 2023 15:29:07 -0700 Subject: [PATCH 15/16] Cleaned up chart clusterrole Cleaned up duplicate rules Removed single quotes where not necessary Removed apiGroup version --- .../templates/clusterrole.yaml | 28 ++++++------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/charts/charts/tenant-namespace-operator/templates/clusterrole.yaml b/charts/charts/tenant-namespace-operator/templates/clusterrole.yaml index 586554b..a2dc509 100644 --- a/charts/charts/tenant-namespace-operator/templates/clusterrole.yaml +++ b/charts/charts/tenant-namespace-operator/templates/clusterrole.yaml @@ -8,7 +8,7 @@ rules: - apiGroups: - miscscripts.pnnl.gov resources: - - 'tenantnamespaceflavors' + - tenantnamespaceflavors verbs: - get - list @@ -16,37 +16,25 @@ rules: - apiGroups: - "" resources: - - 'namespaces' - - 'resourcequotas' - - 'limitranges' + - namespaces + - resourcequotas + - limitranges verbs: - "*" - apiGroups: - rbac.authorization.k8s.io resources: - - 'rolebindings' + - rolebindings + - clusterroles + - clusterrolebindings verbs: - "*" - apiGroups: - - rbac.authorization.k8s.io - resources: - - 'clusterroles' - - 'clusterrolebindings' - verbs: - - "*" -- apiGroups: - - networking.k8s.io/v1 + - networking.k8s.io resources: - networkpolicies verbs: - "*" -- apiGroups: - - rbac.authorization.k8s.io - resources: - - 'clusterroles' - - 'clusterrolebindings' - verbs: - - "*" - apiGroups: - extensions - "networking.k8s.io" # k8s 1.14+ From 2a6f41e8a6abc355daf138a3609fbe444a9cf670 Mon Sep 17 00:00:00 2001 
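Review bot: The consolidated `rbac.authorization.k8s.io` rule grants `"*"` on `clusterroles` and `clusterrolebindings`; in Kubernetes RBAC the wildcard includes the `bind` and `escalate` verbs, so a subject holding this ClusterRole can author any ClusterRole and bind anyone (including itself) to cluster-admin, making the operator's service account cluster-admin-equivalent regardless of what the remaining rules restrict. If the operator only needs to create and maintain tenant bindings, list the verbs explicitly (`get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) — the escalation check then still lets it grant permissions it already holds, which is the model the rest of this ClusterRole follows — and, where the bound roles are fixed, narrow with `resourceNames`. If the wildcard is intentional, a comment such as `# "*" on clusterrolebindings/clusterroles implies bind+escalate: operator is cluster-admin-equivalent` should accompany it so the scope is visible at review time. The rules list continues past the end of the hunk.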
From: Peter Nordquist Date: Mon, 30 Oct 2023 15:30:19 -0700 Subject: [PATCH 16/16] Added leases rule for pre 1.24 clusters K8s 1.24 added leases to default namespace admin roles --- .../tenant-namespace-operator/templates/role.yaml | 13 +++++++++++++ .../config/rbac/role.yaml | 14 ++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/charts/charts/tenant-namespace-operator/templates/role.yaml b/charts/charts/tenant-namespace-operator/templates/role.yaml index ab2b6bb..c32fb7c 100644 --- a/charts/charts/tenant-namespace-operator/templates/role.yaml +++ b/charts/charts/tenant-namespace-operator/templates/role.yaml @@ -39,6 +39,19 @@ rules: - patch - update - watch +# needed for ingress leader election pre 1.24 +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - monitoring.coreos.com resources: diff --git a/containers/tenant-namespace-operator/config/rbac/role.yaml b/containers/tenant-namespace-operator/config/rbac/role.yaml index 2d370b7..bee268b 100644 --- a/containers/tenant-namespace-operator/config/rbac/role.yaml +++ b/containers/tenant-namespace-operator/config/rbac/role.yaml @@ -21,6 +21,19 @@ rules: - patch - update - watch + # needed for ingress leader election pre 1.24 + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete - apiGroups: - apps resources: @@ -38,6 +51,7 @@ rules: - monitoring.coreos.com resources: - servicemonitors + - prometheusrules verbs: - get - create
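Review bot: The comment `# needed for ingress leader election pre 1.24` on the new `coordination.k8s.io` rule says when the rule is needed but not why the operator itself needs `create`/`update`/`delete` on leases; the commit message suggests the operator delegates lease access to tenant ingress controllers, and the RBAC escalation check requires the granting subject to already hold every permission it delegates, so presumably the rule exists to satisfy that check rather than for the operator's own leader election. A comment recording this, e.g. `# operator must itself hold these lease verbs to grant them to tenant ingress controllers (RBAC escalation check); pre-1.24 the built-in admin role lacked leases`, would stop a future cleanup from dropping it once 1.24+ is the floor. The rule has no `resourceNames`, so it covers every lease in this role's scope; whether the file defines a namespaced Role or a ClusterRole is not visible in the hunk, and if it is cluster-wide the reach is correspondingly larger. The same comment appears on the config/rbac/role.yaml hunk that follows and should be updated in both places.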