RBAC changes and test bundle for installation via OLM (#10)
The supported installModes have been changed to ownNamespace only.

This commit separates the cluster permissions into two different service
accounts:
- manager/controller SA: changed from ClusterRole/ClusterRoleBinding to
Role/RoleBinding, so the controller has the minimum required permissions
to deal with Run/Report CRs.
- cnf certsuite pod SA: a cluster-wide permissions with
ClusterRole/ClusterRoleBinding that grants full access to every resource
in the cluster.

Also, some changes were done in the config/* structure in order to be
able to deploy and run the operator using the "make deploy" command.

An initial bundle for OLM was created using the "make bundle" command.
In order to test it, both a bundle and a catalog need to be built using
"make" commands plus the appropriated env vars as defined in the
operator-sdk docs:
- make bundle-build bundle-push
- make catalog-build catalog-push

See:
https://sdk.operatorframework.io/docs/olm-integration/quickstart-bundle/#steps
https://sdk.operatorframework.io/docs/olm-integration/tutorial-bundle/#deploying-bundles-in-production
greyerof authored Jan 18, 2024
1 parent b60ec4b commit 88bfe1f
Showing 26 changed files with 930 additions and 19 deletions.
1 change: 1 addition & 0 deletions .yamllint.yml
Expand Up @@ -12,3 +12,4 @@ rules:
no_warnings: true
ignore:
- config
- bundle
4 changes: 3 additions & 1 deletion Makefile
Expand Up @@ -215,11 +215,13 @@ envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
$(ENVTEST): $(LOCALBIN)
test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest

## IMPORTANT: The serviceaccount "cnf-certsuite-cluster-access" is needed by the CNF's cert pod. The prefix "cnf-certsuite" must match the one in
## config/default/kustomization.yaml field "namePrefix".
.PHONY: bundle
bundle: manifests kustomize ## Generate bundle manifests and metadata, then validate generated files.
operator-sdk generate kustomize manifests -q
cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle $(BUNDLE_GEN_FLAGS)
$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle $(BUNDLE_GEN_FLAGS) --extra-service-accounts cnf-certsuite-cluster-access
operator-sdk bundle validate ./bundle

.PHONY: bundle-build
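Review bot: The service-account name passed to `--extra-service-accounts` on the rewritten `generate bundle` line is a hard-coded literal that has to match the `namePrefix` in config/default/kustomization.yaml, and only the comment above the target documents that coupling; if the prefix drifts, bundle generation would presumably still succeed with that account's cluster permissions silently missing from the CSV rather than failing. A Makefile variable would make the dependency one greppable symbol: `CERTSUITE_SA ?= cnf-certsuite-cluster-access` at the top of the file and `--extra-service-accounts $(CERTSUITE_SA)` here. The comment should also record what the commit description states about this account, e.g. `## NOTE: the cluster-access SA is bound to a ClusterRole with cluster-wide access, so installing this bundle requires cluster-scoped RBAC.` The hunk continues below the `.PHONY: bundle-build` line.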
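--- a/bundle.Dockerfile
+++ b/bundle.Dockerfile
@@ -0,0 +1,20 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=tnf-op
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.33.0
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY bundle/manifests /manifests/
+COPY bundle/metadata /metadata/
+COPY bundle/tests/scorecard /tests/scorecard/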
@@ -0,0 +1,180 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
creationTimestamp: null
name: cnfcertificationsuitereports.cnf-certifications.redhat.com
spec:
group: cnf-certifications.redhat.com
names:
kind: CnfCertificationSuiteReport
listKind: CnfCertificationSuiteReportList
plural: cnfcertificationsuitereports
singular: cnfcertificationsuitereport
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: CnfCertificationSuiteReport is the Schema for the cnfcertificationsuitereports
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: CnfCertificationSuiteReportSpec defines the desired state
of CnfCertificationSuiteReport
properties:
certSuiteConfigRunName:
type: string
cnf:
properties:
crds:
items:
type: string
type: array
csvs:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
deployments:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
helmChartReleases:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
namespaces:
items:
type: string
type: array
nodes:
items:
type: string
type: array
pods:
items:
properties:
containers:
items:
type: string
type: array
name:
type: string
namespace:
type: string
type: object
type: array
services:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
statefulSets:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
type: object
cnfCertSuiteVersion:
type: string
ocpVersion:
type: string
required:
- certSuiteConfigRunName
- cnfCertSuiteVersion
- ocpVersion
type: object
status:
description: CnfCertificationSuiteReportStatus defines the observed state
of CnfCertificationSuiteReport
properties:
results:
items:
description: TestCaseResult holds a test case result
properties:
logs:
type: string
reason:
type: string
result:
type: string
testCaseName:
type: string
required:
- result
- testCaseName
type: object
type: array
summary:
properties:
errored:
type: integer
failed:
type: integer
passed:
type: integer
skipped:
type: integer
total:
type: integer
required:
- errored
- failed
- passed
- skipped
- total
type: object
verdict:
type: string
required:
- results
- summary
- verdict
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null
@@ -0,0 +1,97 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
creationTimestamp: null
name: cnfcertificationsuiteruns.cnf-certifications.redhat.com
spec:
group: cnf-certifications.redhat.com
names:
kind: CnfCertificationSuiteRun
listKind: CnfCertificationSuiteRunList
plural: cnfcertificationsuiteruns
singular: cnfcertificationsuiterun
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: CnfCertificationSuiteRun current status
jsonPath: .status.phase
name: Status
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: CnfCertificationSuiteRun is the Schema for the cnfcertificationsuiteruns
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: CnfCertificationSuiteRunSpec defines the desired state of
CnfCertificationSuiteRun
properties:
configMapName:
description: ConfigMapName holds the cnf certification suite yaml
config.
type: string
labelsFilter:
description: LabelsFilter holds the labels filter/expression of the
test cases we want to run.
type: string
logLevel:
description: LogLevel sets the CNF Certification Suite log level (TNF_LOG_LEVEL)
type: string
preflightSecretName:
description: PreflightSecretName holds the secret name for preflight's
dockerconfig.
type: string
timeout:
description: Total timeout for the CNF Cert Suite to run.
type: string
required:
- configMapName
- labelsFilter
- logLevel
- preflightSecretName
- timeout
type: object
status:
description: CnfCertificationSuiteRunStatus defines the observed state
of CnfCertificationSuiteRun
properties:
phase:
description: Phase holds the current phase of the CNF Certification
Suite run.
type: string
reportName:
description: Report Name of the CnfCertificationSuiteReport that has
been created.
type: string
required:
- phase
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null
@@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: tnf-op
app.kubernetes.io/instance: controller-manager-metrics-service
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: service
app.kubernetes.io/part-of: tnf-op
control-plane: controller-manager
name: cnf-certsuite-controller-manager-metrics-service
spec:
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
selector:
control-plane: controller-manager
status:
loadBalancer: {}
@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: tnf-op
app.kubernetes.io/instance: metrics-reader
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: clusterrole
app.kubernetes.io/part-of: tnf-op
name: cnf-certsuite-metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
