From 88bfe1fd71a761d448d5062bad6f3f54e87908b1 Mon Sep 17 00:00:00 2001 
From: Gonzalo Reyero Ferreras <87083379+greyerof@users.noreply.github.com> Date: Thu, 18 Jan 2024 16:07:14 +0100 Subject: [PATCH] RBAC changes and test bundle for installation via OLM (#10) The supported installModes have been changed to ownNamespace only. This commit separates the cluster permissions in two different services accounts: - manager/controller SA: changed from ClusterRole/ClusterRoleBinding to Role/RoleBinding, so the controller has the minimum required permissions to deal with Run/Report CRs. - cnf certsuite pod SA: a cluster-wide permissions with ClusterRole/ClusterRoleBinding that grants full access to every resource in the cluster. Also, some changes were done in the config/* structure in order to be able to deploy and run the operator using the "make deploy" command. An initial bundle for OLM was created using the "make bundle" command. In order to test it, both a bundle and a catalog need to be built using "make" commands plus the appropriated env vars as defined in the operator-sdk docs: - make bundle-build bundle-push - make catalog-build catalog-push See: https://sdk.operatorframework.io/docs/olm-integration/quickstart-bundle/#steps https://sdk.operatorframework.io/docs/olm-integration/tutorial-bundle/#deploying-bundles-in-production --- .yamllint.yml | 1 + Makefile | 4 +- bundle.Dockerfile | 20 ++ ...dhat.com_cnfcertificationsuitereports.yaml | 180 ++++++++++ ....redhat.com_cnfcertificationsuiteruns.yaml | 97 ++++++ ...er-manager-metrics-service_v1_service.yaml | 23 ++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 17 + .../tnf-op.clusterserviceversion.yaml | 310 ++++++++++++++++++ bundle/metadata/annotations.yaml | 14 + bundle/tests/scorecard/config.yaml | 70 ++++ config/default/kustomization.yaml | 3 +- config/manager/kustomization.yaml | 2 +- config/manager/manager.yaml | 5 + .../cnf_certsuite_role.yaml | 15 + .../cnf_certsuite_rolebinding.yaml | 19 ++ .../cnf_certsuite_service_account.yaml | 5 + .../cnfpod-permissions/kustomization.yaml 
| 4 + .../bases/tnf-op.clusterserviceversion.yaml | 54 +++ config/manifests/kustomization.yaml | 2 +- config/rbac/role.yaml | 69 +++- config/rbac/role_binding.yaml | 4 +- .../{ => extra}/cnf-certsuite-configmap.yaml | 0 .../cnf-certsuite-preflight-secret.yaml | 0 config/samples/kustomization.yaml | 9 +- controllers/cnf-cert-job/cnfcertjob.go | 11 +- .../cnfcertificationsuiterun_controller.go | 11 +- 26 files changed, 930 insertions(+), 19 deletions(-) create mode 100644 bundle.Dockerfile create mode 100644 bundle/manifests/cnf-certifications.redhat.com_cnfcertificationsuitereports.yaml create mode 100644 bundle/manifests/cnf-certifications.redhat.com_cnfcertificationsuiteruns.yaml create mode 100644 bundle/manifests/cnf-certsuite-controller-manager-metrics-service_v1_service.yaml create mode 100644 bundle/manifests/cnf-certsuite-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/tnf-op.clusterserviceversion.yaml create mode 100644 bundle/metadata/annotations.yaml create mode 100644 bundle/tests/scorecard/config.yaml create mode 100644 config/manifests/bases/cnfpod-permissions/cnf_certsuite_role.yaml create mode 100644 config/manifests/bases/cnfpod-permissions/cnf_certsuite_rolebinding.yaml create mode 100644 config/manifests/bases/cnfpod-permissions/cnf_certsuite_service_account.yaml create mode 100644 config/manifests/bases/cnfpod-permissions/kustomization.yaml create mode 100644 config/manifests/bases/tnf-op.clusterserviceversion.yaml rename config/samples/{ => extra}/cnf-certsuite-configmap.yaml (100%) rename config/samples/{ => extra}/cnf-certsuite-preflight-secret.yaml (100%) diff --git a/.yamllint.yml b/.yamllint.yml index 6cece65..2c11ca7 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -12,3 +12,4 @@ rules: no_warnings: true ignore: - config + - bundle diff --git a/Makefile b/Makefile index fdd0eb9..3add1d5 100644 --- a/Makefile +++ b/Makefile 
@@ -215,11 +215,13 @@ envtest: $(ENVTEST) ## Download envtest-setup locally if necessary. $(ENVTEST): $(LOCALBIN) test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest +## IMPORTANT: The serviceaccount "cnf-certsuite-cluster-access" is needed by the CNF's cert pod. The prefix "cnf-certsuite" must match the one in +## config/default/kustomization.yaml field "namePrefix". .PHONY: bundle bundle: manifests kustomize ## Generate bundle manifests and metadata, then validate generated files. operator-sdk generate kustomize manifests -q cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) - $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle $(BUNDLE_GEN_FLAGS) + $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle $(BUNDLE_GEN_FLAGS) --extra-service-accounts cnf-certsuite-cluster-access operator-sdk bundle validate ./bundle .PHONY: bundle-build diff --git a/bundle.Dockerfile b/bundle.Dockerfile new file mode 100644 index 0000000..13d5c96 --- /dev/null +++ b/bundle.Dockerfile 
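Review bot: The ServiceAccount name passed to `--extra-service-accounts cnf-certsuite-cluster-access` on the `bundle` recipe is also spelled out as `clusterAccessServiceAccountName` in controllers/cnf-cert-job/cnfcertjob.go and assembled from `namePrefix` in config/default/kustomization.yaml, and only the new `## IMPORTANT` comment ties the three together. A variable such as `CLUSTER_ACCESS_SA ?= cnf-certsuite-cluster-access`, used as `--extra-service-accounts $(CLUSTER_ACCESS_SA)`, gives `make bundle` one place to change or override it, and the comment can then name the variable instead of repeating the literal. If the name drifts, `operator-sdk generate bundle` would likely emit a CSV without the `clusterPermissions` block for the certsuite pod and nothing in the recipe would flag it, so the indirection is a cheap guard.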
@@ -0,0 +1,20 @@ +FROM scratch + +# Core bundle labels. +LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 +LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ +LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ +LABEL operators.operatorframework.io.bundle.package.v1=tnf-op +LABEL operators.operatorframework.io.bundle.channels.v1=alpha +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.33.0 +LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 +LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3 + +# Labels for testing. +LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1 +LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/ + +# Copy files to locations specified by labels. +COPY bundle/manifests /manifests/ +COPY bundle/metadata /metadata/ +COPY bundle/tests/scorecard /tests/scorecard/ diff --git a/bundle/manifests/cnf-certifications.redhat.com_cnfcertificationsuitereports.yaml b/bundle/manifests/cnf-certifications.redhat.com_cnfcertificationsuitereports.yaml new file mode 100644 index 0000000..27487f7 --- /dev/null +++ b/bundle/manifests/cnf-certifications.redhat.com_cnfcertificationsuitereports.yaml 
@@ -0,0 +1,180 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: cnfcertificationsuitereports.cnf-certifications.redhat.com +spec: + group: cnf-certifications.redhat.com + names: + kind: CnfCertificationSuiteReport + listKind: CnfCertificationSuiteReportList + plural: cnfcertificationsuitereports + singular: cnfcertificationsuitereport + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: CnfCertificationSuiteReport is the Schema for the cnfcertificationsuitereports + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CnfCertificationSuiteReportSpec defines the desired state + of CnfCertificationSuiteReport + properties: + certSuiteConfigRunName: + type: string + cnf: + properties: + crds: + items: + type: string + type: array + csvs: + items: + properties: + name: + type: string + namespace: + type: string + type: object + type: array + deployments: + items: + properties: + name: + type: string + namespace: + type: string + type: object + type: array + helmChartReleases: + items: + properties: + name: + type: string + namespace: + type: string + type: object + type: array + namespaces: + items: + type: string + type: array + nodes: + items: + type: string + type: array + pods: + items: + properties: + containers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + type: object + type: array + services: + items: + properties: + name: + type: string + namespace: + type: string + type: object + type: array + statefulSets: + items: + properties: + name: + type: string + namespace: + type: string + type: object + type: array + type: object + cnfCertSuiteVersion: + type: string + ocpVersion: + type: string + required: + - certSuiteConfigRunName + - cnfCertSuiteVersion + - ocpVersion + type: object + status: + description: CnfCertificationSuiteReportStatus defines the observed state + of CnfCertificationSuiteReport + properties: + results: + items: + description: TestCaseResult holds a test case result + properties: + logs: + type: string + reason: + type: string + result: + type: string + testCaseName: + type: string + required: + - result + - testCaseName + type: object + type: array + summary: + properties: + errored: + type: integer + failed: + type: integer + passed: + type: integer + skipped: + type: integer + total: + type: integer + required: + - errored + - failed + - 
passed + - skipped + - total + type: object + verdict: + type: string + required: + - results + - summary + - verdict + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/bundle/manifests/cnf-certifications.redhat.com_cnfcertificationsuiteruns.yaml b/bundle/manifests/cnf-certifications.redhat.com_cnfcertificationsuiteruns.yaml new file mode 100644 index 0000000..66a34b2 --- /dev/null +++ b/bundle/manifests/cnf-certifications.redhat.com_cnfcertificationsuiteruns.yaml 
@@ -0,0 +1,97 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: cnfcertificationsuiteruns.cnf-certifications.redhat.com +spec: + group: cnf-certifications.redhat.com + names: + kind: CnfCertificationSuiteRun + listKind: CnfCertificationSuiteRunList + plural: cnfcertificationsuiteruns + singular: cnfcertificationsuiterun + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: CnfCertificationSuiteRun current status + jsonPath: .status.phase + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: CnfCertificationSuiteRun is the Schema for the cnfcertificationsuiteruns + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CnfCertificationSuiteRunSpec defines the desired state of + CnfCertificationSuiteRun + properties: + configMapName: + description: ConfigMapName holds the cnf certification suite yaml + config. + type: string + labelsFilter: + description: LabelsFilter holds the labels filter/expression of the + test cases we want to run. 
+ type: string + logLevel: + description: LogLevel sets the CNF Certification Suite log level (TNF_LOG_LEVEL) + type: string + preflightSecretName: + description: PreflightSecretName holds the secret name for preflight's + dockerconfig. + type: string + timeout: + description: Total timeout for the CNF Cert Suite to run. + type: string + required: + - configMapName + - labelsFilter + - logLevel + - preflightSecretName + - timeout + type: object + status: + description: CnfCertificationSuiteRunStatus defines the observed state + of CnfCertificationSuiteRun + properties: + phase: + description: Phase holds the current phase of the CNF Certification + Suite run. + type: string + reportName: + description: Report Name of the CnfCertificationSuiteReport that has + been created. + type: string + required: + - phase + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/bundle/manifests/cnf-certsuite-controller-manager-metrics-service_v1_service.yaml b/bundle/manifests/cnf-certsuite-controller-manager-metrics-service_v1_service.yaml new file mode 100644 index 0000000..f2757e1 --- /dev/null +++ b/bundle/manifests/cnf-certsuite-controller-manager-metrics-service_v1_service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: tnf-op + app.kubernetes.io/instance: controller-manager-metrics-service + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: service + app.kubernetes.io/part-of: tnf-op + control-plane: controller-manager + name: cnf-certsuite-controller-manager-metrics-service +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager +status: + loadBalancer: {} 
diff --git a/bundle/manifests/cnf-certsuite-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cnf-certsuite-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 0000000..12535db --- /dev/null +++ b/bundle/manifests/cnf-certsuite-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: tnf-op + app.kubernetes.io/instance: metrics-reader + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: tnf-op + name: cnf-certsuite-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get diff --git a/bundle/manifests/tnf-op.clusterserviceversion.yaml b/bundle/manifests/tnf-op.clusterserviceversion.yaml new file mode 100644 index 0000000..6dfba15 --- /dev/null +++ b/bundle/manifests/tnf-op.clusterserviceversion.yaml 
@@ -0,0 +1,310 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "cnf-certifications.redhat.com/v1alpha1", + "kind": "CnfCertificationSuiteRun", + "metadata": { + "labels": { + "app.kubernetes.io/created-by": "tnf-op", + "app.kubernetes.io/instance": "cnfcertificationsuiterun-sample", + "app.kubernetes.io/managed-by": "kustomize", + "app.kubernetes.io/name": "cnfcertificationsuiterun", + "app.kubernetes.io/part-of": "tnf-op" + }, + "name": "cnfcertificationsuiterun-sample", + "namespace": "cnf-certification-operator" + }, + "spec": { + "configMapName": "cnf-certsuite-config", + "labelsFilter": "observability", + "logLevel": "info", + "preflightSecretName": "cnf-certsuite-preflight-dockerconfig", + "timeout": "2h" + } + } + ] + capabilities: Basic Install + createdAt: "2024-01-12T12:33:33Z" + operators.operatorframework.io/builder: operator-sdk-v1.33.0 + operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 + name: tnf-op.v0.0.3 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: CnfCertificationSuiteReport is the Schema for the cnfcertificationsuitereports + API + displayName: Cnf Certification Suite Report + kind: CnfCertificationSuiteReport + name: cnfcertificationsuitereports.cnf-certifications.redhat.com + version: v1alpha1 + - description: CnfCertificationSuiteRun is the Schema for the cnfcertificationsuiteruns + API + displayName: Cnf Certification Suite Run + kind: CnfCertificationSuiteRun + name: cnfcertificationsuiteruns.cnf-certifications.redhat.com + version: v1alpha1 + description: CNF Certification Suite Operator + displayName: CNF Op + icon: + - base64data: "" + mediatype: "" + install: + spec: + clusterPermissions: + - rules: + - nonResourceURLs: + - '*' + verbs: + - '*' + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' + serviceAccountName: cnf-certsuite-cluster-access + 
- rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + serviceAccountName: cnf-certsuite-controller-manager + deployments: + - label: + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: tnf-op + app.kubernetes.io/instance: controller-manager + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: deployment + app.kubernetes.io/part-of: tnf-op + control-plane: controller-manager + name: cnf-certsuite-controller-manager + spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + strategy: {} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.annotations['olm.targetNamespaces'] + image: quay.io/greyerof/cnf-op:initialtestv5 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + 
name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + serviceAccountName: cnf-certsuite-controller-manager + terminationGracePeriodSeconds: 10 + permissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuitereports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuitereports/finalizers + verbs: + - update + - apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuitereports/status + verbs: + - get + - patch + - update + - apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuiteruns + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuiteruns/finalizers + verbs: + - update + - apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuiteruns/status + verbs: + - get + - patch + - update + serviceAccountName: cnf-certsuite-controller-manager + strategy: deployment + installModes: + - supported: true + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: 
MultiNamespace + - supported: false + type: AllNamespaces + keywords: + - redhat + - certification + - cnf + - openshift + links: + - name: Tnf Op + url: https://tnf-op.domain + maturity: alpha + provider: + name: RedHat + version: 0.0.3 diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml new file mode 100644 index 0000000..64cd5ac --- /dev/null +++ b/bundle/metadata/annotations.yaml @@ -0,0 +1,14 @@ +annotations: + # Core bundle annotations. + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: tnf-op + operators.operatorframework.io.bundle.channels.v1: alpha + operators.operatorframework.io.metrics.builder: operator-sdk-v1.33.0 + operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 + operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3 + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ diff --git a/bundle/tests/scorecard/config.yaml b/bundle/tests/scorecard/config.yaml new file mode 100644 index 0000000..8cf7fae --- /dev/null +++ b/bundle/tests/scorecard/config.yaml 
@@ -0,0 +1,70 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-bundle-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-crds-have-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-resources + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-crds-have-resources-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-spec-descriptors-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-status-descriptors + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-status-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {} diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 386a765..1afcba0 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -6,7 +6,7 @@ namespace: cnf-certification-operator # "wordpress" becomes "alices-wordpress". # Note that it should also match with the prefix (text before '-') of the namespace # field above. -namePrefix: cnf-certification-operator- +namePrefix: cnf-certsuite- # Labels to add to all resources and selectors. #commonLabels: 
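Review bot: The scaffold comment kept as context above the change (`# Note that it should also match with the prefix (text before '-') of the namespace field above.`) is contradicted by the new value: the namespace stays `cnf-certification-operator` while `namePrefix` becomes `cnf-certsuite-`. The prefix is now load-bearing — it has to produce the `cnf-certsuite-cluster-access` ServiceAccount name that the Makefile's `--extra-service-accounts` flag and the Go constant `clusterAccessServiceAccountName` expect — so replace that sentence with the real constraint, e.g. `# This prefix is part of the cnf-certsuite-cluster-access ServiceAccount name; keep it in sync with the Makefile bundle target and controllers/cnf-cert-job/cnfcertjob.go.`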
@@ -16,6 +16,7 @@ bases: - ../crd - ../rbac - ../manager +- ../manifests/bases/cnfpod-permissions # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml #- ../webhook diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 447df2b..220e8d2 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -5,4 +5,4 @@ kind: Kustomization images: - name: controller newName: quay.io/greyerof/cnf-op - newTag: initialtestv4 + newTag: initialtestv5 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index ce562de..1bd1190 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -70,6 +70,11 @@ spec: - /manager args: - --leader-elect + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace image: controller:latest name: manager imagePullPolicy: Always diff --git a/config/manifests/bases/cnfpod-permissions/cnf_certsuite_role.yaml b/config/manifests/bases/cnfpod-permissions/cnf_certsuite_role.yaml new file mode 100644 index 0000000..4c541a8 --- /dev/null +++ b/config/manifests/bases/cnfpod-permissions/cnf_certsuite_role.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cluster-role +rules: +- nonResourceURLs: + - '*' + verbs: + - '*' +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' diff --git a/config/manifests/bases/cnfpod-permissions/cnf_certsuite_rolebinding.yaml b/config/manifests/bases/cnfpod-permissions/cnf_certsuite_rolebinding.yaml new file mode 100644 index 0000000..512ca44 --- /dev/null +++ b/config/manifests/bases/cnfpod-permissions/cnf_certsuite_rolebinding.yaml 
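Review bot: The new ClusterRole in config/manifests/bases/cnfpod-permissions/cnf_certsuite_role.yaml grants `'*'` on every apiGroup, resource, verb and nonResourceURL — cluster-admin in all but name — and is the role the certsuite pod's ServiceAccount gets bound to, yet the file carries no comment saying why that breadth is required or which checks would break with less. Because a wildcard on verbs also covers `bind`, `escalate` and `impersonate`, anything able to run a pod under `cluster-access` in the operator namespace inherits full control of the cluster, which makes this the most sensitive manifest in the change. At minimum add a header comment recording the rationale and the intent to narrow it, e.g. `# Cluster-wide access for the CNF certification suite pod. TODO: restrict to the verbs (get, list, watch) the suite actually needs.`; if the suite only reads cluster state, `verbs: [get, list, watch]` on the resource rule is a small, testable first step. The generated bundle CSV (bundle/manifests/tnf-op.clusterserviceversion.yaml) reproduces this rule verbatim under `clusterPermissions`, so the fix belongs in this source file, not in the bundle.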
@@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/instance: cnf-certsuite-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: tnf-op + app.kubernetes.io/part-of: tnf-op + app.kubernetes.io/managed-by: kustomize + name: cluster-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-role +subjects: +- kind: ServiceAccount + name: cluster-access + namespace: system diff --git a/config/manifests/bases/cnfpod-permissions/cnf_certsuite_service_account.yaml b/config/manifests/bases/cnfpod-permissions/cnf_certsuite_service_account.yaml new file mode 100644 index 0000000..ac83e75 --- /dev/null +++ b/config/manifests/bases/cnfpod-permissions/cnf_certsuite_service_account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cluster-access + namespace: system diff --git a/config/manifests/bases/cnfpod-permissions/kustomization.yaml b/config/manifests/bases/cnfpod-permissions/kustomization.yaml new file mode 100644 index 0000000..4f925bc --- /dev/null +++ b/config/manifests/bases/cnfpod-permissions/kustomization.yaml @@ -0,0 +1,4 @@ +resources: +- cnf_certsuite_role.yaml +- cnf_certsuite_rolebinding.yaml +- cnf_certsuite_service_account.yaml diff --git a/config/manifests/bases/tnf-op.clusterserviceversion.yaml b/config/manifests/bases/tnf-op.clusterserviceversion.yaml new file mode 100644 index 0000000..11b384c --- /dev/null +++ b/config/manifests/bases/tnf-op.clusterserviceversion.yaml 
@@ -0,0 +1,54 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: '[]' + capabilities: Basic Install + name: tnf-op.v0.0.0 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: CnfCertificationSuiteReport is the Schema for the cnfcertificationsuitereports + API + displayName: Cnf Certification Suite Report + kind: CnfCertificationSuiteReport + name: cnfcertificationsuitereports.cnf-certifications.redhat.com + version: v1alpha1 + - description: CnfCertificationSuiteRun is the Schema for the cnfcertificationsuiteruns + API + displayName: Cnf Certification Suite Run + kind: CnfCertificationSuiteRun + name: cnfcertificationsuiteruns.cnf-certifications.redhat.com + version: v1alpha1 + description: CNF Certification Suite Operator + displayName: CNF Op + icon: + - base64data: "" + mediatype: "" + install: + spec: + deployments: null + strategy: "" + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - redhat + - certification + - cnf + - openshift + links: + - name: Tnf Op + url: https://tnf-op.domain + maturity: alpha + provider: + name: RedHat + version: 0.0.0 diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index bd9f81a..5a3f2a5 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -15,7 +15,7 @@ patches: value: - supported: true type: OwnNamespace - - supported: true + - supported: false type: SingleNamespace - supported: false type: MultiNamespace diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 2ce844f..ebd61c5 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
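Review bot: `installModes` in this base CSV (config/manifests/bases/tnf-op.clusterserviceversion.yaml) say `AllNamespaces: true` and `OwnNamespace: false`, the opposite of what the commit message describes and of what the patch in config/manifests/kustomization.yaml, changed in the same commit, flips them to, so the repository now holds two contradictory statements of the supported modes. As far as I can tell this base is the hand-maintained input that `operator-sdk generate kustomize manifests` preserves, so either set `OwnNamespace: true` / `AllNamespaces: false` here so the patch is no longer the only thing making the bundle correct, or add `# overridden by the installModes patch in ../kustomization.yaml` above `installModes:`. The `links` URL `https://tnf-op.domain` and the empty `icon` entry are scaffold placeholders that will ship as-is in the bundle.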
@@ -1,17 +1,72 @@ --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: creationTimestamp: null name: manager-role + namespace: cnf-certification-operator rules: -- nonResourceURLs: - - '*' +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuitereports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuitereports/finalizers + verbs: + - update +- apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuitereports/status + verbs: + - get + - patch + - update +- apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuiteruns + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - cnf-certifications.redhat.com + resources: + - cnfcertificationsuiteruns/finalizers verbs: - - '*' + - update - apiGroups: - - '*' + - cnf-certifications.redhat.com resources: - - '*' + - cnfcertificationsuiteruns/status verbs: - - '*' + - get + - patch + - update diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 767fc79..37ba8c2 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -1,5 +1,5 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: labels: app.kubernetes.io/name: clusterrolebinding @@ -11,7 +11,7 @@ metadata: name: manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: manager-role subjects: - kind: ServiceAccount 
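Review bot: `manager-role` is now a namespaced Role, but its effective privilege is still cluster-wide through an indirection the commit does not mention: the Role keeps `create` on `pods` in `cnf-certification-operator`, and a pod created there can be given the `cnf-certsuite-cluster-access` ServiceAccount that this commit binds to a wildcard ClusterRole — which is exactly what controllers/cnf-cert-job/cnfcertjob.go does. That is intended for the certsuite pod, but it means the controller's ServiceAccount remains the boundary guarding cluster-admin-equivalent access, so the "minimum required permissions" framing should be qualified where the rules are authored, e.g. next to the `+kubebuilder:rbac` markers in controllers/cnfcertificationsuiterun_controller.go: `// NOTE: pods/create in this namespace implies the ability to run as cnf-certsuite-cluster-access (wildcard ClusterRole).` This file is controller-gen output (`creationTimestamp: null`), so the comment cannot live here. The hard-coded `namespace: cnf-certification-operator` also comes from the `namespace=` in those markers and has to stay consistent with `namespace:` in config/default/kustomization.yaml.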
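Review bot: After the kind change to `RoleBinding` in config/rbac/role_binding.yaml, the context line `app.kubernetes.io/name: clusterrolebinding` kept in the same metadata block is stale; change it to `app.kubernetes.io/name: rolebinding` so the label describes the object it is on. The second hunk of the file correctly switches `roleRef.kind` to `Role`, so only the label is left behind.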
diff --git a/config/samples/cnf-certsuite-configmap.yaml b/config/samples/extra/cnf-certsuite-configmap.yaml
similarity index 100%
rename from config/samples/cnf-certsuite-configmap.yaml
rename to config/samples/extra/cnf-certsuite-configmap.yaml
diff --git a/config/samples/cnf-certsuite-preflight-secret.yaml b/config/samples/extra/cnf-certsuite-preflight-secret.yaml
similarity index 100%
rename from config/samples/cnf-certsuite-preflight-secret.yaml
rename to config/samples/extra/cnf-certsuite-preflight-secret.yaml
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
index 4b7d0f5..68cc5d7 100644
--- a/config/samples/kustomization.yaml
+++ b/config/samples/kustomization.yaml
@@ -1,8 +1,13 @@
 ## Append samples you want in your CSV to this file as resources ##
 resources:
 - cnf-certifications_v1alpha1_cnfcertificationsuiterun.yaml
-- cnf-certsuite-configmap.yaml
-- cnf-certsuite-preflight-secret.yaml
+
+## Uncomment this two files (configmap+secret) to create a runnable test CR in the test namespace.
+## Then run them with: oc kustomize config/samples | oc apply -f -
+#- extra/cnf-certsuite-configmap.yaml
+#- extra/cnf-certsuite-preflight-secret.yaml
+
 #+kubebuilder:scaffold:manifestskustomizesamples
 namespace: cnf-certification-operator
+
diff --git a/controllers/cnf-cert-job/cnfcertjob.go b/controllers/cnf-cert-job/cnfcertjob.go
index 93f1452..bd595c5 100644
--- a/controllers/cnf-cert-job/cnfcertjob.go
+++ b/controllers/cnf-cert-job/cnfcertjob.go
@@ -7,6 +7,13 @@ import (
 "github.com/greyerof/cnf-certification-operator/controllers/definitions"
 )
 
+const (
+ // Be careful when changing this SA name.
+ // 1. It must match the flag --extra-service-accounts in "make bundle".
+ // 2. The prefix is "cnf-certsuite-". It should match the field namePrefix field in config/default/kustomization.yaml.
+ clusterAccessServiceAccountName = "cnf-certsuite-cluster-access"
+)
+
 type Config struct {
 PodName string
 Namespace string
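Review bot: The new comment in config/samples/kustomization.yaml reads `## Uncomment this two files (configmap+secret) to create a runnable test CR in the test namespace.`; `this two files` should be `these two files`. It would also help to say in that comment that the sample CR still listed above presumably references a ConfigMap and a Secret that only exist once those two lines are uncommented (the bundle's `alm-examples` shows it pointing at `cnf-certsuite-config` and `cnf-certsuite-preflight-dockerconfig`), so applying the default kustomize output yields a CR whose run cannot start.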
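Review bot: The comment on `clusterAccessServiceAccountName` has a doubled word — `the field namePrefix field` — and its two numbered rules describe a three-way manual sync (Makefile flag, kustomize `namePrefix`, this constant) that nothing checks at build or run time. Consider making the constant the fallback for an environment variable set on the manager Deployment, the same way `WATCH_NAMESPACE` is injected in config/manager/manager.yaml in this commit, e.g. `if sa := os.Getenv("CNF_CERTSUITE_CLUSTER_ACCESS_SA"); sa != "" { ... }` at the use site in `New` (adding an `os` import if the file lacks one), so a deployment can rename the SA without a rebuild. The comment should also say what the name buys the pod — it is the ServiceAccount bound to the wildcard ClusterRole added under config/manifests/bases/cnfpod-permissions — since that is what a reader changing it most needs to know.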
@@ -38,12 +45,12 @@ func New(config *Config) *corev1.Pod {
 Namespace: config.Namespace,
 },
 Spec: corev1.PodSpec{
- ServiceAccountName: "cnf-certification-operator-controller-manager",
+ ServiceAccountName: clusterAccessServiceAccountName,
 RestartPolicy: "Never",
 Containers: []corev1.Container{
 {
 Name: definitions.CnfCertSuiteSidecarContainerName,
- Image: "quay.io/rh_ee_shmoran/tnf-op:sidecarv4",
+ Image: "quay.io/greyerof/cnf-op:sidecarv4",
 Env: []corev1.EnvVar{
 {
 Name: "MY_POD_NAME",
diff --git a/controllers/cnfcertificationsuiterun_controller.go b/controllers/cnfcertificationsuiterun_controller.go
index 9c41da9..bccbd28 100644
--- a/controllers/cnfcertificationsuiterun_controller.go
+++ b/controllers/cnfcertificationsuiterun_controller.go
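Review bot: `New` now builds a pod that runs under the cluster-wide `cnf-certsuite-cluster-access` ServiceAccount while pulling its sidecar from a mutable tag in what looks like a personal registry namespace, `quay.io/greyerof/cnf-op:sidecarv4`; for a container that holds a wildcard-ClusterRole token, the image reference is the supply-chain control that matters, so it should be pinned by digest or at least made configurable rather than left as a literal in the pod spec. The commit already moved the ServiceAccount name into a package constant; doing the same for the image — a `cnfCertSuiteSidecarImage` constant beside `clusterAccessServiceAccountName`, or a field on `Config` that the controller fills from an env var — would put both trust-relevant values in one place. `New` begins and ends outside this hunk.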
@@ -62,8 +62,15 @@ const (
 defaultCnfCertSuiteTimeout = time.Hour
 )
 
-// +kubebuilder:rbac:groups="*",resources="*",verbs="*"
-// +kubebuilder:rbac:urls="*",verbs="*"
+// +kubebuilder:rbac:groups=cnf-certifications.redhat.com,namespace=cnf-certification-operator,resources=cnfcertificationsuiteruns,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cnf-certifications.redhat.com,namespace=cnf-certification-operator,resources=cnfcertificationsuiteruns/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cnf-certifications.redhat.com,namespace=cnf-certification-operator,resources=cnfcertificationsuiteruns/finalizers,verbs=update
+
+// +kubebuilder:rbac:groups=cnf-certifications.redhat.com,namespace=cnf-certification-operator,resources=cnfcertificationsuitereports,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cnf-certifications.redhat.com,namespace=cnf-certification-operator,resources=cnfcertificationsuitereports/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cnf-certifications.redhat.com,namespace=cnf-certification-operator,resources=cnfcertificationsuitereports/finalizers,verbs=update
+
+// +kubebuilder:rbac:groups="",namespace=cnf-certification-operator,resources=pods,verbs=get;list;watch;create;update;patch;delete
 
 func ignoreUpdatePredicate() predicate.Predicate {
 return predicate.Funcs{
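Review bot: The `namespace=cnf-certification-operator` on every new marker is what makes controller-gen emit a namespaced Role in config/rbac/role.yaml rather than a ClusterRole, but nothing here says so, and the literal duplicates `namespace:` in config/default/kustomization.yaml (which, as far as I can tell, kustomize's namespace transformer overwrites at build time anyway). A comment above the block would stop the next reader from treating the value itself as load-bearing, e.g. `// namespace= below makes controller-gen generate a Role instead of a ClusterRole; the deployed namespace comes from config/default/kustomization.yaml and, under OLM, from the install namespace.` A one-line label per group (`// CnfCertificationSuiteRun CRs`, `// CnfCertificationSuiteReport CRs`, `// certsuite pods`) would also make the Role's shape readable from this file, which is now the only place it is authored.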