diff --git a/Makefile b/Makefile index 4afef0d0..1d17dc98 100644 --- a/Makefile +++ b/Makefile @@ -43,6 +43,7 @@ USE_IMAGE_DIGESTS ?= false ifeq ($(USE_IMAGE_DIGESTS), true) BUNDLE_GEN_FLAGS += --use-image-digests endif +BUNDLE_INSTALL_MODE ?= AllNamespaces IMAGE_BUILDER ?= podman # Image URL to use all building/pushing image targets @@ -88,6 +89,7 @@ CUSTOM_SCORECARD_VERSION ?= 2.3.0-$(shell date -u '+%Y%m%d%H%M%S') export CUSTOM_SCORECARD_IMG ?= $(IMAGE_TAG_BASE)-scorecard:$(CUSTOM_SCORECARD_VERSION) DEPLOY_NAMESPACE ?= cryostat-operator-system +TARGET_NAMESPACES ?= $(DEPLOY_NAMESPACE) SCORECARD_NAMESPACE ?= cryostat-operator-scorecard # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) @@ -190,6 +192,7 @@ endif .PHONY: undeploy undeploy: - $(CLUSTER_CLIENT) delete --ignore-not-found=$(ignore-not-found) -f config/samples/operator_v1beta1_cryostat.yaml + - $(CLUSTER_CLIENT) delete --ignore-not-found=$(ignore-not-found) -f config/samples/operator_v1beta1_clustercryostat.yaml - $(KUSTOMIZE) build config/default | $(CLUSTER_CLIENT) delete --ignore-not-found=$(ignore-not-found) -f - # Generate manifests e.g. CRD, RBAC etc. @@ -311,7 +314,7 @@ bundle-build: .PHONY: deploy_bundle deploy_bundle: check_cert_manager undeploy_bundle - operator-sdk run bundle $(BUNDLE_IMG) + operator-sdk run bundle --install-mode $(BUNDLE_INSTALL_MODE) $(BUNDLE_IMG) ifeq ($(DISABLE_SERVICE_TLS), true) @echo "Disabling TLS for in-cluster communication between Services" @current_ns=`$(CLUSTER_CLIENT) config view --minify -o 'jsonpath={.contexts[0].context.namespace}'` && \ 
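Review bot: `BUNDLE_INSTALL_MODE ?= AllNamespaces` is added without the one-line comment that neighbouring knobs such as `# Image URL to use all building/pushing image targets` carry, and its only consumer is the `--install-mode $(BUNDLE_INSTALL_MODE)` argument added to `deploy_bundle` in the fourth hunk of this file. Because the default is AllNamespaces, a plain `make deploy_bundle` now installs the operator cluster-wide, which is a scope change worth stating next to the variable: `# OLM install mode for 'operator-sdk run bundle' (default AllNamespaces installs the operator cluster-wide; use OwnNamespace for a single-namespace install)`. The value is passed through unvalidated, so a typo surfaces only as an operator-sdk error at deploy time; that is acceptable here since the tool rejects unknown modes itself. The `deploy_bundle` recipe continues past the end of its hunk.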
@@ -336,11 +339,22 @@ undeploy_bundle: create_cryostat_cr: destroy_cryostat_cr $(CLUSTER_CLIENT) create -f config/samples/operator_v1beta1_cryostat.yaml +.PHONY: create_clustercryostat_cr +create_clustercryostat_cr: destroy_clustercryostat_cr + target_ns_json=$$(jq -nc '$$ARGS.positional' --args -- $(TARGET_NAMESPACES)) && \ + $(CLUSTER_CLIENT) patch -f config/samples/operator_v1beta1_clustercryostat.yaml --local=true --type=merge \ + -p "{\"spec\": {\"installNamespace\": \"$(DEPLOY_NAMESPACE)\", \"targetNamespaces\": $$target_ns_json}}" -o yaml | \ + oc apply -f - + # Undeploy a Cryostat instance .PHONY: destroy_cryostat_cr destroy_cryostat_cr: - $(CLUSTER_CLIENT) delete --ignore-not-found=$(ignore-not-found) -f config/samples/operator_v1beta1_cryostat.yaml +.PHONY: destroy_clustercryostat_cr +destroy_clustercryostat_cr: + - $(CLUSTER_CLIENT) delete --ignore-not-found=$(ignore-not-found) -f config/samples/operator_v1beta1_clustercryostat.yaml + # Build custom scorecard tests .PHONY: custom-scorecard-tests custom-scorecard-tests: fmt vet diff --git a/README.md b/README.md index 61343364..cec8cc2f 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,7 @@ kubectl get secret ${CRYOSTAT_NAME}-jmx-auth -o jsonpath='{$.data.CRYOSTAT_RJMX_ - [`operator-sdk`](https://github.com/operator-framework/operator-sdk) v1.22.2 - [`cert-manager`](https://github.com/jetstack/cert-manager) v1.7.1+ (Recommended) - `podman` or `docker` +- [`jq`](https://stedolan.github.io/jq/) v1.6+ - `ginkgo` (Optional) ## Instructions diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml index 256ecc41..f3434381 100644 --- a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml +++ b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml 
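Review bot: The final `oc apply -f -` in create_clustercryostat_cr hard-codes `oc` while the two commands before it (and destroy_clustercryostat_cr) go through `$(CLUSTER_CLIENT)`, so the target fails on a kubectl-only setup that the variable otherwise supports. The `-p` argument also splices `$(DEPLOY_NAMESPACE)` into the JSON by shell string concatenation with escaped quotes; letting jq build the whole patch keeps the document well-formed for any value and drops the escaping: `patch=$$(jq -nc --arg ns "$(DEPLOY_NAMESPACE)" '{spec:{installNamespace:$$ns,targetNamespaces:$$ARGS.positional}}' --args -- $(TARGET_NAMESPACES)) && \`, then `$(CLUSTER_CLIENT) patch -f config/samples/operator_v1beta1_clustercryostat.yaml --local=true --type=merge -p "$$patch" -o yaml | \` and `$(CLUSTER_CLIENT) apply -f -`. The new target also lacks the purpose comment its neighbours carry (`# Undeploy a Cryostat instance`); `# Deploy a ClusterCryostat instance installed in DEPLOY_NAMESPACE and targeting TARGET_NAMESPACES` would match. Note that `$$ARGS.positional` requires jq 1.6, which the README hunk now states as the minimum.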
@@ -857,6 +857,20 @@ spec: spec: clusterPermissions: - rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - persistentvolumeclaims + - pods + - secrets + - serviceaccounts + - services + - services/finalizers + verbs: + - '*' - apiGroups: - "" resources: @@ -865,6 +879,27 @@ spec: - get - list - watch + - apiGroups: + - "" + resources: + - replicationcontrollers + verbs: + - get + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - '*' + - apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get - apiGroups: - authentication.k8s.io resources: @@ -877,6 +912,18 @@ spec: - selfsubjectaccessreviews verbs: - create + - apiGroups: + - cert-manager.io + resources: + - certificates + - issuers + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - config.openshift.io resources: @@ -896,6 +943,12 @@ spec: - get - list - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - '*' - apiGroups: - oauth.openshift.io resources: @@ -923,6 +976,26 @@ spec: - get - patch - update + - apiGroups: + - operator.cryostat.io + resources: + - cryostats + verbs: + - '*' + - apiGroups: + - operator.cryostat.io + resources: + - cryostats/finalizers + verbs: + - update + - apiGroups: + - operator.cryostat.io + resources: + - cryostats/status + verbs: + - get + - patch + - update - apiGroups: - rbac.authorization.k8s.io resources: @@ -934,6 +1007,25 @@ spec: - list - update - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - route.openshift.io + resources: + - routes + - routes/custom-host + verbs: + - '*' serviceAccountName: cryostat-operator-service-account deployments: - label: 
@@ -1036,53 +1128,6 @@ spec: verbs: - create - patch - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - persistentvolumeclaims - - pods - - secrets - - serviceaccounts - - services - - services/finalizers - verbs: - - '*' - - apiGroups: - - "" - resources: - - replicationcontrollers - verbs: - - get - - apiGroups: - - apps - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - '*' - - apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - get - - apiGroups: - - cert-manager.io - resources: - - certificates - - issuers - verbs: - - create - - delete - - get - - list - - update - - watch - apiGroups: - monitoring.coreos.com resources: @@ -1090,51 +1135,6 @@ spec: verbs: - create - get - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' - - apiGroups: - - operator.cryostat.io - resources: - - cryostats - verbs: - - '*' - - apiGroups: - - operator.cryostat.io - resources: - - cryostats/finalizers - verbs: - - update - - apiGroups: - - operator.cryostat.io - resources: - - cryostats/status - verbs: - - get - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' serviceAccountName: cryostat-operator-service-account strategy: deployment installModes: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 5a323ce8..d231596e 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -48,9 +48,7 @@ spec: periodSeconds: 10 env: - name: WATCH_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace + value: "" resources: limits: cpu: 1000m diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 15c10582..0e3fb7dd 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
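Review bot: The new `value: ""` for WATCH_NAMESPACE carries no comment saying what an empty value selects, and because config/manager/manager.yaml is the kustomize base, every `make deploy` now gets it instead of the previous own-namespace watch derived from `metadata.namespace`. Paired with the ClusterRole widening and the AllNamespaces bundle default elsewhere in this commit, the empty string presumably means "watch every namespace"; a comment such as `# "" = watch all namespaces; relies on the cluster-scoped rules in config/rbac/role.yaml` would make that scope decision visible to anyone reading the manifest. If a namespace-scoped deployment is still meant to be supported, consider keeping the fieldRef in the base and applying the empty value as an overlay patch so the narrower mode remains selectable. The container spec continues outside the hunk.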
@@ -5,6 +5,20 @@ metadata: creationTimestamp: null name: role rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - persistentvolumeclaims + - pods + - secrets + - serviceaccounts + - services + - services/finalizers + verbs: + - '*' - apiGroups: - "" resources: @@ -13,6 +27,27 @@ rules: - get - list - watch +- apiGroups: + - "" + resources: + - replicationcontrollers + verbs: + - get +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - '*' +- apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get - apiGroups: - authentication.k8s.io resources: @@ -25,6 +60,18 @@ rules: - selfsubjectaccessreviews verbs: - create +- apiGroups: + - cert-manager.io + resources: + - certificates + - issuers + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - config.openshift.io resources: @@ -44,6 +91,12 @@ rules: - get - list - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - '*' - apiGroups: - oauth.openshift.io resources: 
@@ -71,85 +124,6 @@ rules: - get - patch - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - create - - delete - - get - - list - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - name: role - namespace: system -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - persistentvolumeclaims - - pods - - secrets - - serviceaccounts - - services - - services/finalizers - verbs: - - '*' -- apiGroups: - - "" - resources: - - replicationcontrollers - verbs: - - get -- apiGroups: - - apps - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - '*' -- apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - get -- apiGroups: - - cert-manager.io - resources: - - certificates - - issuers - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - create - - get -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' - apiGroups: - operator.cryostat.io resources: @@ -170,6 +144,17 @@ rules: - get - patch - update +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - rbac.authorization.k8s.io resources: @@ -189,3 +174,18 @@ rules: - routes/custom-host verbs: - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: role + namespace: system +rules: +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - create + - get diff --git a/internal/controllers/clustercryostat_controller.go b/internal/controllers/clustercryostat_controller.go index fdfaf6f8..4042e9a9 100644 --- a/internal/controllers/clustercryostat_controller.go 
+++ b/internal/controllers/clustercryostat_controller.go 
@@ -69,25 +69,25 @@ func NewClusterCryostatReconciler(config *ReconcilerConfig) *ClusterCryostatReco } } -// +kubebuilder:rbac:namespace=system,groups="",resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets;serviceaccounts,verbs=* -// +kubebuilder:rbac:namespace=system,groups="",resources=replicationcontrollers,verbs=get -// +kubebuilder:rbac:namespace=system,groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=create;get;list;update;watch;delete +// +kubebuilder:rbac:groups="",resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets;serviceaccounts,verbs=* +// +kubebuilder:rbac:groups="",resources=replicationcontrollers,verbs=get +// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=create;get;list;update;watch;delete // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create;get;list;update;watch;delete // +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create // +kubebuilder:rbac:groups=authorization.k8s.io,resources=selfsubjectaccessreviews,verbs=create // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch // +kubebuilder:rbac:groups=oauth.openshift.io,resources=oauthaccesstokens,verbs=list;delete // +kubebuilder:rbac:groups=config.openshift.io,resources=apiservers,verbs=get;list;update;watch -// +kubebuilder:rbac:namespace=system,groups=route.openshift.io,resources=routes;routes/custom-host,verbs=* -// +kubebuilder:rbac:namespace=system,groups=apps.openshift.io,resources=deploymentconfigs,verbs=get -// +kubebuilder:rbac:namespace=system,groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=* +// +kubebuilder:rbac:groups=route.openshift.io,resources=routes;routes/custom-host,verbs=* +// +kubebuilder:rbac:groups=apps.openshift.io,resources=deploymentconfigs,verbs=get +// 
+kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=* // +kubebuilder:rbac:namespace=system,groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create -// +kubebuilder:rbac:namespace=system,groups=cert-manager.io,resources=issuers;certificates,verbs=create;get;list;update;watch;delete +// +kubebuilder:rbac:groups=cert-manager.io,resources=issuers;certificates,verbs=create;get;list;update;watch;delete // +kubebuilder:rbac:groups=operator.cryostat.io,resources=clustercryostats,verbs=* // +kubebuilder:rbac:groups=operator.cryostat.io,resources=clustercryostats/status,verbs=get;update;patch // +kubebuilder:rbac:groups=operator.cryostat.io,resources=clustercryostats/finalizers,verbs=update // +kubebuilder:rbac:groups=console.openshift.io,resources=consolelinks,verbs=get;create;list;update;delete -// +kubebuilder:rbac:namespace=system,groups=networking.k8s.io,resources=ingresses,verbs=* +// +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=* // Reconcile processes a ClusterCryostat CR and manages a Cryostat installation accordingly func (r *ClusterCryostatReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) { diff --git a/internal/controllers/cryostat_controller.go b/internal/controllers/cryostat_controller.go index b151ba5e..68027094 100644 --- a/internal/controllers/cryostat_controller.go +++ b/internal/controllers/cryostat_controller.go 
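Review bot: Dropping `namespace=system` from these markers turns the corresponding rules from a Role into ClusterRole entries, so the operator's service account gains `verbs=*` on secrets, configmaps, pods, services, serviceaccounts, deployments, ingresses and routes in every namespace, plus create/delete of roles and rolebindings anywhere; this hunk is the source of the role.yaml and clusterserviceversion.yaml changes in the same commit. Cluster-wide wildcard on secrets is the grant a reviewer will question first, since a compromise of the operator pod then exposes every Secret in the cluster. If the reconciler only creates, gets, lists, watches, updates and deletes these objects, enumerate those verbs instead of `*` (e.g. `verbs=create;delete;get;list;update;watch`) so the generated ClusterRole stays bounded; `deletecollection` in particular is unlikely to be needed. A short comment above the block, such as `// Cluster-scoped RBAC: a ClusterCryostat installs into installNamespace and targetNamespaces, so these rules cannot be restricted to the operator's own namespace`, would record why the scope was widened. The same widening applies to the cryostats markers in cryostat_controller.go.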
@@ -66,9 +66,9 @@ func NewCryostatReconciler(config *ReconcilerConfig) *CryostatReconciler { } } -// +kubebuilder:rbac:namespace=system,groups=operator.cryostat.io,resources=cryostats,verbs=* -// +kubebuilder:rbac:namespace=system,groups=operator.cryostat.io,resources=cryostats/status,verbs=get;update;patch -// +kubebuilder:rbac:namespace=system,groups=operator.cryostat.io,resources=cryostats/finalizers,verbs=update +// +kubebuilder:rbac:groups=operator.cryostat.io,resources=cryostats,verbs=* +// +kubebuilder:rbac:groups=operator.cryostat.io,resources=cryostats/status,verbs=get;update;patch +// +kubebuilder:rbac:groups=operator.cryostat.io,resources=cryostats/finalizers,verbs=update // Reconcile processes a Cryostat CR and manages a Cryostat installation accordingly func (r *CryostatReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {