From 472ad44a8737e5cd5df8744ffc94b9ed200a41f4 Mon Sep 17 00:00:00 2001 From: Daniel Farrell Date: Mon, 1 Feb 2021 15:10:13 -0500 Subject: [PATCH 01/15] Use markdownlint from Shipyard Instead of an external GitHub action, use the same markdownlint make target from Shipyard that we use in other repos. Signed-off-by: Daniel Farrell --- .github/workflows/linting.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index f99ae45b..9e22a90b 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -40,10 +40,7 @@ jobs: - name: Check out the repository uses: actions/checkout@v2 - name: Run markdownlint - uses: nosborn/github-action-markdown-cli@v1.1.1 - with: - files: . - config_file: ".markdownlint.yml" + run: make markdownlint yaml-lint: name: YAML From 8754508eb02e627cbc6928aa6da553d364c891ef Mon Sep 17 00:00:00 2001 From: Daniel Farrell Date: Mon, 1 Feb 2021 17:46:51 -0500 Subject: [PATCH 02/15] Add .dapper and .shflags to gitignore Both are generated by our standard make commands, both are ignored in other Submariner repos. Signed-off-by: Daniel Farrell --- .gitignore | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 8d5c0a69..730ba579 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ +.dapper .idea -*.tgz \ No newline at end of file +.shflags +*.tgz From ad064a97b29a65985db2a3a525bd565adf36c012 Mon Sep 17 00:00:00 2001 From: Daniel Farrell Date: Mon, 1 Feb 2021 17:42:27 -0500 Subject: [PATCH 03/15] Add git commit message linting As implemented and configured in other Submariner repos. Signed-off-by: Daniel Farrell --- .github/workflows/linting.yml | 11 +++++++++++ .gitlint | 9 +++++++++ 2 files changed, 20 insertions(+) create mode 100644 .gitlint diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 9e22a90b..66bf6f09 100644 --- a/.github/workflows/linting.yml 
+++ b/.github/workflows/linting.yml @@ -19,6 +19,17 @@ jobs: with: commits: ${{ steps.get-pr-commits.outputs.commits }} + gitlint: + name: Commit Message(s) + runs-on: ubuntu-latest + steps: + - name: Check out the repository + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Run gitlint + run: make gitlint + markdown-link-check: name: Markdown Links (modified files) runs-on: ubuntu-latest diff --git a/.gitlint b/.gitlint new file mode 100644 index 00000000..6314f158 --- /dev/null +++ b/.gitlint @@ -0,0 +1,9 @@ +[general] +# body-is-missing: Allow commit messages with only a title +# body-min-length: Allow short body lines, like "Relates-to: #issue" +ignore=body-is-missing,body-min-length + +[ignore-by-body] +# Dependabot doesn't follow our conventions, unfortunately +regex=^Signed-off-by: dependabot\[bot\](.*) +ignore=all From af9332cb538a19e0dffc43ba109610c7f8c57fb5 Mon Sep 17 00:00:00 2001 From: Stephen Kitt Date: Thu, 4 Feb 2021 14:59:59 +0100 Subject: [PATCH 04/15] Track the devel branch for release Signed-off-by: Stephen Kitt --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2989e8ca..0a403505 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,7 +4,7 @@ name: Release Charts on: push: branches: - - master + - devel jobs: release: From c1177daa36c93d76b34bd3aee0923d7a067fced9 Mon Sep 17 00:00:00 2001 From: Daniel Farrell Date: Sat, 6 Feb 2021 23:01:25 -0500 Subject: [PATCH 05/15] Use shared GHAs from Shipyard Run the E2E tests using Submariner's custom GitHub Actions. Signed-off-by: Daniel Farrell --- .github/workflows/e2e.yml | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 9afc988e..46001a19 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml 
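Review bot: The `[ignore-by-body]` rule in `.gitlint` keys on text the commit author writes, so any commit whose body has a line starting `Signed-off-by: dependabot[bot]` skips every rule through `ignore=all`, not only commits Dependabot actually made. Since gitlint is a convention check rather than a gate, recording that limit is probably enough: `# NOTE: matches body text only; this exemption is not tied to the real author`. The trailing `(.*)` in the regex adds nothing to the match and can be dropped.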
@@ -15,20 +15,9 @@ jobs: - name: Check out the repository uses: actions/checkout@v2 - - name: Reclaim free space - run: | - sudo swapoff -a - sudo rm -f /swapfile - df -h - free -h - - name: Run E2E deployment and tests - run: | - make e2e + uses: submariner-io/shipyard/gh-actions/e2e@devel - name: Post mortem if: failure() - run: | - df -h - free -h - make post-mortem + uses: submariner-io/shipyard/gh-actions/post-mortem@devel From 7f2d832e6fc35474fbdf7e45f424058431eed9bb Mon Sep 17 00:00:00 2001 From: Steve Mattar Date: Tue, 23 Feb 2021 17:08:55 +0200 Subject: [PATCH 06/15] fix(rbac): sa and rbac definitions (#117) Sync the SA and RBAC definitions with what we have in submariner-operator. Signed-off-by: Steve Mattar --- submariner-operator/templates/_helpers.tpl | 27 +- submariner-operator/templates/rbac.yaml | 637 +++++++++++++++++-- submariner-operator/templates/svc-acct.yaml | 16 +- submariner-operator/values.yaml | 7 +- submariner/templates/_helpers.tpl | 27 +- submariner/templates/lighthouse-coredns.yaml | 2 +- submariner/templates/lighthouse.yaml | 2 +- submariner/templates/rbac.yaml | 635 ++++++++++++++++-- submariner/templates/svc-acct.yaml | 16 +- submariner/values.yaml | 9 +- 10 files changed, 1219 insertions(+), 159 deletions(-) diff --git a/submariner-operator/templates/_helpers.tpl b/submariner-operator/templates/_helpers.tpl index 911eaa98..2df8baaa 100644 --- a/submariner-operator/templates/_helpers.tpl +++ b/submariner-operator/templates/_helpers.tpl @@ -47,7 +47,7 @@ Create the name of the submariner-engine service account to use */}} {{- define "submariner.engineServiceAccountName" -}} {{- if .Values.serviceAccounts.engine.create -}} - {{ default (printf "%s-engine" (include "submariner.fullname" .)) .Values.serviceAccounts.engine.name }} + {{ default "submariner-engine" .Values.serviceAccounts.engine.name }} {{- else -}} {{ default "default" .Values.serviceAccounts.engine.name }} {{- end -}} 
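Review bot: Both new steps reference the shared actions by a moving branch, `uses: submariner-io/shipyard/gh-actions/e2e@devel` and `uses: submariner-io/shipyard/gh-actions/post-mortem@devel`, so whatever lands on Shipyard's devel branch runs in this repository's workflow without any change being reviewed here. Pinning each to a full commit SHA, e.g. `uses: submariner-io/shipyard/gh-actions/e2e@<COMMIT_SHA>  # devel`, keeps the job reproducible and turns every update into an explicit diff. If tracking devel is deliberate for cross-repo CI, a comment saying so above the step would help. The workflow's triggers and token permissions are outside this hunk, so how much the job's token can do is not visible here.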
@@ -58,7 +58,7 @@ Create the name of the submariner-route-agent service account to use */}} {{- define "submariner.routeAgentServiceAccountName" -}} {{- if .Values.serviceAccounts.routeAgent.create -}} - {{ default (printf "%s-routeagent" (include "submariner.fullname" .)) .Values.serviceAccounts.routeAgent.name }} + {{ default "submariner-routeagent" .Values.serviceAccounts.routeAgent.name }} {{- else -}} {{ default "default" .Values.serviceAccounts.routeAgent.name }} {{- end -}} 
@@ -69,20 +69,31 @@ Create the name of the submariner-globalnet service account to use */}} {{- define "submariner.globalnetServiceAccountName" -}} {{- if .Values.serviceAccounts.globalnet.create -}} - {{ default (printf "%s-globalnet" (include "submariner.fullname" .)) .Values.serviceAccounts.globalnet.name }} + {{ default "submariner-globalnet" .Values.serviceAccounts.globalnet.name }} {{- else -}} {{ default "default" .Values.serviceAccounts.globalnet.name }} {{- end -}} {{- end -}} {{/* -Create the name of the submariner-lighthouse service account to use +Create the name of the submariner-lighthouse-agent service account to use */}} -{{- define "submariner.lighthouseServiceAccountName" -}} -{{- if .Values.submariner.serviceDiscovery -}} - {{ default (printf "%s-lighthouse" (include "submariner.fullname" .)) .Values.serviceAccounts.lighthouse.name }} +{{- define "submariner.lighthouseAgentServiceAccountName" -}} +{{- if and (.Values.submariner.serviceDiscovery ) (.Values.serviceAccounts.lighthouseAgent.create) -}} + {{ default "submariner-lighthouse-agent" .Values.serviceAccounts.lighthouseAgent.name }} {{- else -}} - {{ default "default" .Values.serviceAccounts.lighthouse.name }} + {{ default "default" .Values.serviceAccounts.lighthouseAgent.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the submariner-lighthouse-coredns service account to use +*/}} +{{- define "submariner.lighthouseCoreDnsServiceAccountName" -}} +{{- if and (.Values.submariner.serviceDiscovery ) (.Values.serviceAccounts.lighthouseCoreDns.create) -}} + {{ default "submariner-lighthouse-coredns" .Values.serviceAccounts.lighthouseCoreDns.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.lighthouseCoreDns.name }} {{- end -}} {{- end -}} diff --git a/submariner-operator/templates/rbac.yaml b/submariner-operator/templates/rbac.yaml index 8fbb6a79..1000bfc0 100644 --- a/submariner-operator/templates/rbac.yaml +++ b/submariner-operator/templates/rbac.yaml 
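Review bot: Both new lighthouse helpers fall through to `{{ default "default" ... }}`, so with service discovery on, `create: false` and no name given, the lighthouse ClusterRoleBindings in rbac.yaml bind to the namespace's `default` ServiceAccount, which every pod without an explicit `serviceAccountName` runs as. Failing the render in that case (Helm's `required` on `.Values.serviceAccounts.lighthouseAgent.name`, guarded by the serviceDiscovery check) is safer than the silent fallback. The engine, routeAgent and globalnet helpers keep the same fallback in their context lines, and identical helpers are added in submariner/templates/_helpers.tpl. Separately, the fixed defaults such as `submariner-engine` drop the release name, so two releases in one namespace would share ServiceAccounts and each other's bindings; a comment on why the names are fixed would help.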
@@ -77,7 +77,7 @@ metadata: app: {{ template "submariner.name" . }} subjects: - kind: ServiceAccount - name: {{ template "submariner.fullname" . }} + name: {{ template "submariner.operatorServiceAccountName" . }} roleRef: kind: Role name: {{ template "submariner.fullname" . }} @@ -93,15 +93,75 @@ metadata: chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "patch", "update"] -- apiGroups: ["submariner.io"] - resources: ["clusters", "endpoints", "gateways"] - verbs: ["create", "get", "list", "watch", "patch", "update", "delete"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] +- apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - apps + resourceNames: + - submariner-operator + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get +- apiGroups: + - submariner.io + resources: + - '*' + - servicediscoveries + verbs: + - '*' +- apiGroups: + - lighthouse.submariner.io + resources: + - '*' + - serviceexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
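Review bot: The rules added to this Role give `verbs: '*'` on `pods`, `secrets`, `configmaps` and the `apps` workloads, where the removed rules covered only `configmaps`, `events` and three `submariner.io` resources; the Role's metadata is outside the hunk, but the binding that follows points at the `:engine` Role. An account that can read every Secret and create pods or Deployments in the namespace can also run workloads under any other ServiceAccount there, so the separate engine account ends up with the operator's reach. The same rule list is repeated for the routeagent Role in the next hunk, for the new globalnet Role, and in submariner/templates/rbac.yaml. Consider keeping each data-plane Role to the resources that component touches, and if the list has to mirror submariner-operator, say so in place: `# mirrors the submariner-operator Role; narrow once per-component needs are known`. The later `pods`/`replicasets` `get` rules and the `servicediscoveries`/`serviceexports` entries listed next to `'*'` are already covered by the wildcards and can go.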
@@ -118,7 +178,7 @@ roleRef: name: {{ template "submariner.fullname" . }}:engine subjects: - kind: ServiceAccount - name: {{ template "submariner.operatorServiceAccountName" . }} + name: {{ template "submariner.engineServiceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -131,12 +191,75 @@ metadata: chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: -- apiGroups: ["submariner.io"] - resources: ["clusters", "endpoints", "gateways"] - verbs: ["create", "get", "list", "watch", "patch", "update"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - '*' + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - '*' + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - submariner-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - apiGroups: + - submariner.io + resources: + - '*' + - servicediscoveries + verbs: + - '*' + - apiGroups: + - lighthouse.submariner.io + resources: + - '*' + - serviceexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -153,9 +276,109 @@ roleRef: name: {{ template "submariner.fullname" . }}:routeagent subjects: - kind: ServiceAccount - name: {{ template "submariner.operatorServiceAccountName" . }} + name: {{ template "submariner.routeAgentServiceAccountName" . }} namespace: {{ .Release.Namespace }} --- +{{- if ne .Values.submariner.globalCidr "" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "submariner.fullname" . }}:globalnet + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} +rules: + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - '*' + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - '*' + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - submariner-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - apiGroups: + - submariner.io + resources: + - '*' + - servicediscoveries + verbs: + - '*' + - apiGroups: + - lighthouse.submariner.io + resources: + - '*' + - serviceexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "submariner.fullname" . }}:globalnet + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "submariner.fullname" . 
}}:globalnet +subjects: + - kind: ServiceAccount + name: {{ template "submariner.globalnetServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +{{- end -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -169,24 +392,50 @@ rules: # submariner-operator updates the config map of core-dns to forward requests to # clusterset.local to Lighthouse DNS, also looks at existing configmaps # to figure out network settings - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "create", "update", "delete"] - - apiGroups: [""] # pods and services are looked up to figure out network settings - resources: ["pods", "services"] - verbs: ["get", "list", "watch"] - - apiGroups: ["operator.openshift.io"] - resources: ["dnses"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["*"] - verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - create + - update + - delete + - apiGroups: # pods and services are looked up to figure out network settings + - "" + resources: + - pods + - services + verbs: + - get + - list + - watch + - apiGroups: + - operator.openshift.io + resources: + - dnses + verbs: + - get + - list + - watch + - update + - apiGroups: + - config.openshift.io + resources: + - networks + verbs: + - get + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -208,6 +457,91 @@ roleRef: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: {{ template "submariner.fullname" . }}:engine + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - create + - update + - delete + - apiGroups: # pods and services are looked up to figure out network settings + - "" + resources: + - pods + - services + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - operator.openshift.io + resources: + - dnses + verbs: + - get + - list + - watch + - update + - apiGroups: + - config.openshift.io + resources: + - networks + verbs: + - get + - list + - apiGroups: + - submariner.io + resources: + - endpoints + - gateways + - clusters + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "submariner.fullname" . }}:engine + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "submariner.fullname" . }}:engine +subjects: + - kind: ServiceAccount + name: {{ template "submariner.engineServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: {{ template "submariner.fullname" . }}:routeagent labels: 
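Review bot: The new `:engine` ClusterRole carries cluster-wide `create`, `update` and `delete` on `customresourcedefinitions`, `create`/`update` on `configmaps` and `update` on `operator.openshift.io` `dnses`, which reads like the operator's ClusterRole reused for the gateway engine. The `:routeagent` ClusterRole in the next hunk gains the same rules where it previously held only `get`/`update` on `nodes`. Deleting a CRD removes every object of that kind, so that verb is worth keeping on the operator account alone; if the engine only reads, its last rule (`submariner.io` `get`/`list`/`watch`) plus the `pods`/`services`/`nodes` read rule may be all it needs, which should be confirmed against the engine's API calls. In the routeagent `nodes` rule, `verbs` is listed before `resources`, unlike every other rule in the file.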
@@ -216,9 +550,59 @@ metadata: chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "update"] + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - create + - update + - delete + - apiGroups: # pods and services are looked up to figure out network settings + - "" + resources: + - pods + - services + verbs: + - get + - list + - watch + - apiGroups: + - operator.openshift.io + resources: + - dnses + verbs: + - get + - list + - watch + - update + - apiGroups: + - config.openshift.io + resources: + - networks + verbs: + - get + - list + - apiGroups: + - "" + verbs: + - get + - list + - watch + - update + resources: + - nodes --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -235,9 +619,10 @@ roleRef: name: {{ template "submariner.fullname" . }}:routeagent subjects: - kind: ServiceAccount - name: {{ template "submariner.operatorServiceAccountName" . }} + name: {{ template "submariner.routeAgentServiceAccountName" . }} namespace: {{ .Release.Namespace }} --- +{{- if ne .Values.submariner.globalCidr "" }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -248,13 +633,37 @@ metadata: chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: -- apiGroups: [""] - resources: ["services", "namespaces", "pods", "nodes"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: ["submariner.io"] - resources: ["clusters", "endpoints", "gateways"] - verbs: ["get", "list", "watch"] + - apiGroups: + - "" + resources: + - pods + - services + - namespaces + - nodes + verbs: + - get + - list + - watch + - update + - apiGroups: + - submariner.io + resources: + - endpoints + - clusters + verbs: + - get + - list + - watch + - apiGroups: + - multicluster.x-k8s.io + resources: + - "serviceexports" + verbs: + - get + - list + - watch --- +{{- end -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
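Review bot: The `{{- end -}}` added here closes the `globalCidr` condition right after the globalnet ClusterRole, but the globalnet ClusterRoleBinding that follows in the context lines stays outside it (the binding continues into the next hunk). With an empty `globalCidr` the chart would then create a binding whose `roleRef` names a ClusterRole that does not exist, and any ClusterRole later created under that name would be granted to the bound account straight away. Moving the `{{- end }}` below the binding's `namespace: {{ .Release.Namespace }}` line keeps role and binding together, as the namespaced globalnet Role/RoleBinding pair added earlier in this file already does.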
@@ -270,37 +679,67 @@ roleRef: name: {{ template "submariner.fullname" . }}:globalnet subjects: - kind: ServiceAccount - name: {{ template "submariner.operatorServiceAccountName" . }} + name: {{ template "submariner.globalnetServiceAccountName" . }} namespace: {{ .Release.Namespace }} --- {{- if .Values.submariner.serviceDiscovery }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "submariner.fullname" . }}:lighthouse + name: {{ template "submariner.fullname" . }}:lighthouse-agent labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: - - apiGroups: [""] - resources: ["services", "namespaces", "configmaps", "endpoints"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["lighthouse.submariner.io"] - resources: ["*"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["submariner.io"] - resources: ["gateways"] - verbs: ["get", "list", "watch"] + - apiGroups: + - "" + resources: + - services + - namespaces + - endpoints + verbs: + - get + - list + - watch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - create + - get + - list + - watch + - update + - delete + - deletecollection + - apiGroups: + - submariner.io + resources: + - "gateways" + verbs: + - get + - list + - watch + - apiGroups: + - multicluster.x-k8s.io + resources: + - "*" + verbs: + - create + - get + - list + - watch + - update + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "submariner.fullname" . }}:lighthouse + name: {{ template "submariner.fullname" . }}:lighthouse-agent labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} 
@@ -309,10 +748,82 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "submariner.fullname" . }}:lighthouse + name: {{ template "submariner.fullname" . }}:lighthouse-agent subjects: - kind: ServiceAccount - name: {{ template "submariner.operatorServiceAccountName" . }} + name: {{ template "submariner.lighthouseAgentServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "submariner.fullname" . }}:lighthouse-coredns +rules: + - apiGroups: + - "" + resources: + - services + - namespaces + - endpoints + verbs: + - get + - list + - watch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - create + - get + - list + - watch + - update + - delete + - deletecollection + - apiGroups: + - lighthouse.submariner.io + resources: + - "*" + verbs: + - create + - get + - list + - watch + - update + - delete + - apiGroups: + - submariner.io + resources: + - "gateways" + verbs: + - get + - list + - watch + - apiGroups: + - multicluster.x-k8s.io + resources: + - "*" + verbs: + - create + - get + - list + - watch + - update + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "submariner.fullname" . }}:lighthouse-coredns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "submariner.fullname" . }}:lighthouse-coredns +subjects: + - kind: ServiceAccount + name: {{ template "submariner.lighthouseCoreDnsServiceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end -}} {{- end -}} diff --git a/submariner-operator/templates/svc-acct.yaml b/submariner-operator/templates/svc-acct.yaml index f7abcad2..2cfc525c 100644 --- a/submariner-operator/templates/svc-acct.yaml +++ b/submariner-operator/templates/svc-acct.yaml 
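Review bot: The `:lighthouse-coredns` ClusterRole added here repeats the agent's write access (`update` on `services`/`namespaces`/`endpoints`, `create`/`delete`/`deletecollection` on `endpointslices`, and full access to `lighthouse.submariner.io` and `multicluster.x-k8s.io`) for what is presumably a DNS server that only resolves names. If the CoreDNS plugin only watches these objects, the verbs can be cut to `get`, `list`, `watch` throughout, which limits what a compromised resolver pod could change. The new ClusterRole and ClusterRoleBinding also omit the `labels:` block (`heritage`, `release`, `chart`, `app`) that the other objects in this file carry.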
@@ -46,14 +46,26 @@ metadata: app: {{ template "submariner.name" . }} {{- end }} --- -{{- if .Values.serviceAccounts.lighthouse.create }} +{{- if .Values.serviceAccounts.lighthouseAgent.create }} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "submariner.lighthouseServiceAccountName" . }} + name: {{ template "submariner.lighthouseAgentServiceAccountName" . }} labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} {{- end }} +--- + {{- if .Values.serviceAccounts.lighthouseCoreDns.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "submariner.lighthouseCoreDnsServiceAccountName" . }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} + {{- end }} diff --git a/submariner-operator/values.yaml b/submariner-operator/values.yaml index 1e60d968..0e03d025 100644 --- a/submariner-operator/values.yaml +++ b/submariner-operator/values.yaml @@ -54,6 +54,9 @@ serviceAccounts: globalnet: create: true name: "" - lighthouse: - create: false + lighthouseAgent: + create: true + name: "" + lighthouseCoreDns: + create: true name: "" diff --git a/submariner/templates/_helpers.tpl b/submariner/templates/_helpers.tpl index d5123722..99477b3e 100644 --- a/submariner/templates/_helpers.tpl +++ b/submariner/templates/_helpers.tpl @@ -36,7 +36,7 @@ Create the name of the submariner-engine service account to use */}} {{- define "submariner.engineServiceAccountName" -}} {{- if .Values.serviceAccounts.engine.create -}} - {{ default (printf "%s-engine" (include "submariner.fullname" .)) .Values.serviceAccounts.engine.name }} + {{ default "submariner-engine" .Values.serviceAccounts.engine.name }} {{- else -}} {{ default "default" .Values.serviceAccounts.engine.name }} {{- end -}} 
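Review bot: The two ServiceAccount blocks are gated only on `.Values.serviceAccounts.lighthouseAgent.create` and `.Values.serviceAccounts.lighthouseCoreDns.create`, while the name helpers return the fixed name only when `.Values.submariner.serviceDiscovery` is also set. With service discovery off and the new `create: true` defaults from values.yaml, both blocks would render `name: default`, so the chart emits two ServiceAccounts named `default` in the release namespace. Using the helper's own condition here avoids that: `{{- if and .Values.submariner.serviceDiscovery .Values.serviceAccounts.lighthouseAgent.create }}`, and the same for `lighthouseCoreDns`. The `{{- if` and `{{- end }}` of the second block also appear to be indented by one space, unlike the first block.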
@@ -47,7 +47,7 @@ Create the name of the submariner-route-agent service account to use */}} {{- define "submariner.routeAgentServiceAccountName" -}} {{- if .Values.serviceAccounts.routeAgent.create -}} - {{ default (printf "%s-routeagent" (include "submariner.fullname" .)) .Values.serviceAccounts.routeAgent.name }} + {{ default "submariner-routeagent" .Values.serviceAccounts.routeAgent.name }} {{- else -}} {{ default "default" .Values.serviceAccounts.routeAgent.name }} {{- end -}} 
@@ -58,20 +58,31 @@ Create the name of the submariner-globalnet service account to use */}} {{- define "submariner.globalnetServiceAccountName" -}} {{- if .Values.serviceAccounts.globalnet.create -}} - {{ default (printf "%s-globalnet" (include "submariner.fullname" .)) .Values.serviceAccounts.globalnet.name }} + {{ default "submariner-globalnet" .Values.serviceAccounts.globalnet.name }} {{- else -}} {{ default "default" .Values.serviceAccounts.globalnet.name }} {{- end -}} {{- end -}} {{/* -Create the name of the submariner-lighthouse service account to use +Create the name of the submariner-lighthouse-agent service account to use */}} -{{- define "submariner.lighthouseServiceAccountName" -}} -{{- if .Values.submariner.serviceDiscovery -}} - {{ default (printf "%s-lighthouse" (include "submariner.fullname" .)) .Values.serviceAccounts.lighthouse.name }} +{{- define "submariner.lighthouseAgentServiceAccountName" -}} +{{- if and (.Values.submariner.serviceDiscovery ) (.Values.serviceAccounts.lighthouseAgent.create) -}} + {{ default "submariner-lighthouse-agent" .Values.serviceAccounts.lighthouseAgent.name }} {{- else -}} - {{ default "default" .Values.serviceAccounts.lighthouse.name }} + {{ default "default" .Values.serviceAccounts.lighthouseAgent.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the submariner-lighthouse-coredns service account to use +*/}} +{{- define "submariner.lighthouseCoreDnsServiceAccountName" -}} +{{- if and (.Values.submariner.serviceDiscovery ) (.Values.serviceAccounts.lighthouseCoreDns.create) -}} + {{ default "submariner-lighthouse-coredns" .Values.serviceAccounts.lighthouseCoreDns.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.lighthouseCoreDns.name }} {{- end -}} {{- end -}} diff --git a/submariner/templates/lighthouse-coredns.yaml b/submariner/templates/lighthouse-coredns.yaml index 99430d2f..e7897b01 100644 --- a/submariner/templates/lighthouse-coredns.yaml 
+++ b/submariner/templates/lighthouse-coredns.yaml @@ -30,7 +30,7 @@ spec: - mountPath: /etc/coredns name: config-volume readOnly: true - serviceAccountName: {{ template "submariner.lighthouseServiceAccountName" . }} + serviceAccountName: {{ template "submariner.lighthouseCoreDnsServiceAccountName" . }} volumes: - configMap: defaultMode: 420 diff --git a/submariner/templates/lighthouse.yaml b/submariner/templates/lighthouse.yaml index 8be02407..f47ce49f 100644 --- a/submariner/templates/lighthouse.yaml +++ b/submariner/templates/lighthouse.yaml @@ -19,7 +19,7 @@ spec: labels: app: {{ template "submariner.fullname" . }}-lighthouse-agent spec: - serviceAccountName: {{ template "submariner.lighthouseServiceAccountName" . }} + serviceAccountName: {{ template "submariner.lighthouseAgentServiceAccountName" . }} containers: - command: - lighthouse-agent.sh diff --git a/submariner/templates/rbac.yaml b/submariner/templates/rbac.yaml index 814f045f..94563eb8 100644 --- a/submariner/templates/rbac.yaml +++ b/submariner/templates/rbac.yaml 
@@ -9,15 +9,93 @@ metadata: chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "patch", "update"] -- apiGroups: ["submariner.io"] - resources: ["clusters", "endpoints", "gateways"] - verbs: ["create", "get", "list", "watch", "patch", "update", "delete"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - '*' + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - '*' + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - submariner-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - apiGroups: + - submariner.io + resources: + - '*' + - servicediscoveries + verbs: + - '*' + - apiGroups: + - lighthouse.submariner.io + resources: + - '*' + - serviceexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "submariner.fullname" . }}:engine + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "submariner.fullname" . }}:engine +subjects: + - kind: ServiceAccount + name: {{ template "submariner.engineServiceAccountName" . }} + namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -29,52 +107,353 @@ metadata: chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: -- apiGroups: ["submariner.io"] - resources: ["clusters", "endpoints", "gateways"] - verbs: ["create", "get", "list", "watch", "patch", "update"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - '*' + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - '*' + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - submariner-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - apiGroups: + - submariner.io + resources: + - '*' + - servicediscoveries + verbs: + - '*' + - apiGroups: + - lighthouse.submariner.io + resources: + - '*' + - serviceexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:routeagent + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:routeagent subjects: -- kind: ServiceAccount - name: {{ template "submariner.engineServiceAccountName" . 
}} - namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: {{ template "submariner.routeAgentServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if ne .Values.submariner.globalCidr "" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "submariner.fullname" . }}:globalnet + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} +rules: + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - '*' + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - '*' + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - submariner-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - apiGroups: + - submariner.io + resources: + - '*' + - servicediscoveries + verbs: + - '*' + - apiGroups: + - lighthouse.submariner.io + resources: + - '*' + - serviceexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "submariner.fullname" . }}:routeagent + name: {{ template "submariner.fullname" . }}:globalnet + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "submariner.fullname" . }}:routeagent + name: {{ template "submariner.fullname" . 
}}:globalnet subjects: -- kind: ServiceAccount - name: {{ template "submariner.routeAgentServiceAccountName" . }} - namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: {{ template "submariner.globalnetServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +{{- end -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "submariner.fullname" . }}:engine + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - create + - update + - delete + - apiGroups: # pods and services are looked up to figure out network settings + - "" + resources: + - pods + - services + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - operator.openshift.io + resources: + - dnses + verbs: + - get + - list + - watch + - update + - apiGroups: + - config.openshift.io + resources: + - networks + verbs: + - get + - list + - apiGroups: + - submariner.io + resources: + - endpoints + - gateways + - clusters + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "submariner.fullname" . }}:engine + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "submariner.fullname" . }}:engine +subjects: + - kind: ServiceAccount + name: {{ template "submariner.engineServiceAccountName" . 
}} + namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "submariner.fullname" . }}:routeagent + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch", "update"] + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - create + - update + - delete + - apiGroups: # pods and services are looked up to figure out network settings + - "" + resources: + - pods + - services + verbs: + - get + - list + - watch + - apiGroups: + - operator.openshift.io + resources: + - dnses + verbs: + - get + - list + - watch + - update + - apiGroups: + - config.openshift.io + resources: + - networks + verbs: + - get + - list + - apiGroups: + - "" + verbs: + - get + - list + - watch + - update + resources: + - nodes --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ template "submariner.fullname" . }}:routeagent + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
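Review bot: The added `:engine` ClusterRole and the rewritten `:routeagent` ClusterRole both allow `create`, `update` and `delete` on `customresourcedefinitions` and `update` on `operator.openshift.io` `dnses`, cluster-wide, where the route agent previously had only `get`, `list`, `watch`, `update` on `nodes`. Deleting a CRD removes every object of that kind in the cluster, which is a large grant for accounts that run on gateway and worker nodes. The inline comment about looking up network settings suggests these rules were written for the operator rather than for these two components. I would drop the `apiextensions.k8s.io`, `operator.openshift.io` and `config.openshift.io` rules and the cluster-wide `configmaps` write from both roles, leaving routeagent with its `nodes` rule and engine with the read-only `pods`/`services`/`nodes` and `submariner.io` rules.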
@@ -89,85 +468,203 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "submariner.fullname" . }}:globalnet + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} rules: -- apiGroups: [""] - resources: ["services", "namespaces", "pods", "nodes"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: ["submariner.io"] - resources: ["clusters", "endpoints", "gateways"] - verbs: ["get", "list", "watch"] + - apiGroups: + - "" + resources: + - pods + - services + - namespaces + - nodes + verbs: + - get + - list + - watch + - update + - apiGroups: + - submariner.io + resources: + - endpoints + - clusters + verbs: + - get + - list + - watch + - apiGroups: + - multicluster.x-k8s.io + resources: + - "serviceexports" + verbs: + - get + - list + - watch --- +{{- end -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ template "submariner.fullname" . }}:globalnet + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: {{ template "submariner.fullname" . }}:globalnet subjects: -- kind: ServiceAccount - name: {{ template "submariner.globalnetServiceAccountName" . }} - namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: {{ template "submariner.globalnetServiceAccountName" . }} + namespace: {{ .Release.Namespace }} --- -{{- end -}} -{{- if ne .Values.submariner.globalCidr "" }} +{{- if .Values.submariner.serviceDiscovery }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . 
}}:lighthouse-agent + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} rules: -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] + - apiGroups: + - "" + resources: + - services + - namespaces + - endpoints + verbs: + - get + - list + - watch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - create + - get + - list + - watch + - update + - delete + - deletecollection + - apiGroups: + - submariner.io + resources: + - "gateways" + verbs: + - get + - list + - watch + - apiGroups: + - multicluster.x-k8s.io + resources: + - "*" + verbs: + - create + - get + - list + - watch + - update + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:lighthouse-agent + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:lighthouse-agent subjects: -- kind: ServiceAccount - name: {{ template "submariner.engineServiceAccountName" . }} - namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: {{ template "submariner.lighthouseAgentServiceAccountName" . }} + namespace: {{ .Release.Namespace }} --- -{{- end -}} -{{- if .Values.submariner.serviceDiscovery }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "submariner.fullname" . }}:lighthouse + name: {{ template "submariner.fullname" . 
}}:lighthouse-coredns rules: - - apiGroups: [""] - resources: ["services", "namespaces", "configmaps", "endpoints"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["create", "get", "list", "watch", "update", "delete", "deletecollection"] - - apiGroups: ["lighthouse.submariner.io"] - resources: ["*"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["submariner.io"] - resources: ["gateways"] - verbs: ["get", "list", "watch"] - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["*"] - verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: + - "" + resources: + - services + - namespaces + - endpoints + verbs: + - get + - list + - watch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - create + - get + - list + - watch + - update + - delete + - deletecollection + - apiGroups: + - lighthouse.submariner.io + resources: + - "*" + verbs: + - create + - get + - list + - watch + - update + - delete + - apiGroups: + - submariner.io + resources: + - "gateways" + verbs: + - get + - list + - watch + - apiGroups: + - multicluster.x-k8s.io + resources: + - "*" + verbs: + - create + - get + - list + - watch + - update + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "submariner.fullname" . }}:lighthouse + name: {{ template "submariner.fullname" . }}:lighthouse-coredns roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "submariner.fullname" . }}:lighthouse + name: {{ template "submariner.fullname" . }}:lighthouse-coredns subjects: - kind: ServiceAccount - name: {{ template "submariner.lighthouseServiceAccountName" . }} + name: {{ template "submariner.lighthouseCoreDnsServiceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end -}} {{- end -}} 
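Review bot: The `:lighthouse-coredns` ClusterRole repeats the old combined lighthouse rules, so the DNS server's account keeps `update` on `services`, `namespaces` and `endpoints`, `create`/`delete`/`deletecollection` on `endpointslices`, and write verbs on `"*"` in `lighthouse.submariner.io` and `multicluster.x-k8s.io`. Splitting the agent and CoreDNS accounts only reduces exposure if the CoreDNS side is read-only; assuming lighthouse-coredns only reads these objects to answer queries, each of its rules should be cut to `verbs: [get, list, watch]`. Separately, the added `{{- end -}}` now sits between the globalnet ClusterRole and its ClusterRoleBinding. The matching `if` is above the hunk, but if it is the globalCidr condition the binding is rendered even when the role is not, leaving a binding that points at a role name nobody has created yet; moving the `{{- end -}}` below the binding's `subjects` block would keep the pair together.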
diff --git a/submariner/templates/svc-acct.yaml b/submariner/templates/svc-acct.yaml index cecf8e1b..154c2c97 100644 --- a/submariner/templates/svc-acct.yaml +++ b/submariner/templates/svc-acct.yaml @@ -34,14 +34,26 @@ metadata: app: {{ template "submariner.name" . }} {{- end }} --- -{{- if .Values.serviceAccounts.lighthouse.create }} +{{- if .Values.serviceAccounts.lighthouseAgent.create }} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "submariner.lighthouseServiceAccountName" . }} + name: {{ template "submariner.lighthouseAgentServiceAccountName" . }} labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} {{- end }} +--- +{{- if .Values.serviceAccounts.lighthouseCoreDns.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "submariner.lighthouseCoreDnsServiceAccountName" . }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: {{ template "submariner.chart" . }} + app: {{ template "submariner.name" . }} + {{- end }} diff --git a/submariner/values.yaml b/submariner/values.yaml index b847cbe9..4a2ced62 100644 --- a/submariner/values.yaml +++ b/submariner/values.yaml @@ -72,8 +72,11 @@ serviceAccounts: create: true name: "" globalnet: - create: false + create: true + name: "" + lighthouseAgent: + create: true name: "" - lighthouse: - create: false + lighthouseCoreDns: + create: true name: "" From 83177c808303291f4e2308808540ff282b23411d Mon Sep 17 00:00:00 2001 From: Steve Mattar Date: Wed, 24 Feb 2021 12:21:57 +0200 Subject: [PATCH 07/15] fix(crd): add the broker crd Signed-off-by: Steve Mattar --- submariner-operator/crds/crd.yaml | 66 +++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/submariner-operator/crds/crd.yaml b/submariner-operator/crds/crd.yaml index 73b7ff87..f6bb90a2 100644 --- a/submariner-operator/crds/crd.yaml 
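Review bot: With `globalnet`, `lighthouseAgent` and `lighthouseCoreDns` now defaulting to `create: true` in values.yaml, and svc-acct.yaml gating the lighthouse ServiceAccounts on `.create` alone, a default install creates identities for components that are switched off. I would tie each account to the feature flag that rbac.yaml already uses, for example `{{- if and .Values.submariner.serviceDiscovery .Values.serviceAccounts.lighthouseCoreDns.create }}` here and `{{- if and (ne .Values.submariner.globalCidr "") .Values.serviceAccounts.globalnet.create }}` for globalnet. The globalnet ServiceAccount block is above the svc-acct.yaml hunk, so its current condition should be checked there.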
+++ b/submariner-operator/crds/crd.yaml @@ -720,3 +720,69 @@ status: plural: "" conditions: [] storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: brokers.submariner.io +spec: + group: submariner.io + names: + kind: Broker + listKind: BrokerList + plural: brokers + singular: broker + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Broker is the Schema for the brokers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BrokerSpec defines the desired state of Broker + properties: + components: + items: + type: string + type: array + defaultCustomDomains: + items: + type: string + type: array + defaultGlobalnetClusterSize: + type: integer + globalnetCIDRRange: + type: string + globalnetEnabled: + type: boolean + type: object + status: + description: BrokerStatus defines the observed state of Broker + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file From cce1bf6494bdbe7133d187e93dae6862ec152fef Mon Sep 17 00:00:00 2001 
From: Steve Mattar Date: Wed, 24 Feb 2021 13:25:10 +0200 Subject: [PATCH 08/15] fix(crd): add the missing service discovery crd Signed-off-by: Steve Mattar --- submariner-operator/crds/crd.yaml | 89 +++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) diff --git a/submariner-operator/crds/crd.yaml b/submariner-operator/crds/crd.yaml index f6bb90a2..46302724 100644 --- a/submariner-operator/crds/crd.yaml +++ b/submariner-operator/crds/crd.yaml 
@@ -723,6 +723,95 @@ status: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: servicediscoveries.submariner.io +spec: + group: submariner.io + names: + kind: ServiceDiscovery + listKind: ServiceDiscoveryList + plural: servicediscoveries + singular: servicediscovery + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDiscovery is the Schema for the servicediscoveries API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDiscoverySpec defines the desired state of ServiceDiscovery + properties: + brokerK8sApiServer: + type: string + brokerK8sApiServerToken: + type: string + brokerK8sCA: + type: string + brokerK8sRemoteNamespace: + type: string + clusterID: + type: string + customDomains: + items: + type: string + type: array + x-kubernetes-list-type: set + debug: + type: boolean + globalnetEnabled: + type: boolean + imageOverrides: + additionalProperties: + type: string + type: object + namespace: + type: string + repository: + type: string + version: + type: string + required: + - brokerK8sApiServer + - brokerK8sApiServerToken + - brokerK8sCA + - brokerK8sRemoteNamespace + - clusterID + - debug + - namespace + type: object + status: + description: ServiceDiscoveryStatus defines the observed state of ServiceDiscovery + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.3.0 From f3787856f691e6a54e04f92f2e920879f8d33377 Mon Sep 17 00:00:00 2001 From: Miguel Angel Ajo Date: Wed, 24 Feb 2021 14:29:16 +0100 Subject: [PATCH 09/15] Add globalCidr mappings to the submariner template also includes the questions.yaml which is UI. Signed-off-by: Miguel Angel Ajo --- submariner-operator/questions.yml | 7 +++++++ submariner-operator/templates/submariner.yaml | 1 + 2 files changed, 8 insertions(+) diff --git a/submariner-operator/questions.yml b/submariner-operator/questions.yml index 07700ed0..da77e0f6 100644 --- a/submariner-operator/questions.yml +++ b/submariner-operator/questions.yml 
@@ -92,6 +92,13 @@ questions: label: "Service CIDR" group: "CIDR Configuration" required: true +- variable: submariner.globalCidr + default: "" + description: "Enter the globalnet CIDR (i.e. 169.254.1.0/24) for this cluster if using globalnet" + type: string + label: "Globalnet CIDR" + group: "CIDR Configuration" + required: false - variable: submariner.natEnabled type: boolean default: false diff --git a/submariner-operator/templates/submariner.yaml b/submariner-operator/templates/submariner.yaml index 3ea35a14..b9751540 100644 --- a/submariner-operator/templates/submariner.yaml +++ b/submariner-operator/templates/submariner.yaml @@ -22,4 +22,5 @@ spec: repository: {{ .Values.submariner.images.repository }} version: {{ .Values.submariner.images.tag }} serviceCIDR: "{{ .Values.submariner.serviceCidr }}" + globalCIDR: "{{ .Values.submariner.globalCidr }}" serviceDiscoveryEnabled: {{ .Values.submariner.serviceDiscovery }} From dd6bc283c7e8eb6dc028f2387e35f7cd663299ca Mon Sep 17 00:00:00 2001 From: Miguel Angel Ajo Date: Wed, 24 Feb 2021 14:39:49 +0100 Subject: [PATCH 10/15] Enable globalnet E2E matrix Signed-off-by: Miguel Angel Ajo --- .github/workflows/e2e.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 46001a19..d5fb9970 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -11,12 +11,16 @@ jobs: runs-on: ubuntu-latest strategy: fail-fast: false + matrix: + globalnet: ['', 'globalnet'] steps: - name: Check out the repository uses: actions/checkout@v2 - name: Run E2E deployment and tests uses: submariner-io/shipyard/gh-actions/e2e@devel + with: + globalnet: ${{ matrix.globalnet }} - name: Post mortem if: failure() From 0c0e73c57fae857c8d85344613d64b0170492f9e Mon Sep 17 00:00:00 2001 
From: Mike Kolesnik Date: Mon, 1 Mar 2021 17:57:14 +0200 Subject: [PATCH 11/15] Remove reliance on `version` script (#121) The script has been migrated to `Makefile.versions` so we can just rely on the `$VERSION` from there. Signed-off-by: Mike Kolesnik --- Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/Makefile b/Makefile index d124a17b..699a312c 100644 --- a/Makefile +++ b/Makefile @@ -22,7 +22,6 @@ e2e: E2E_ARGS=cluster1 cluster2 preload-images: source $(SCRIPTS_DIR)/lib/debug_functions; \ source $(SCRIPTS_DIR)/lib/deploy_funcs; \ - source $(SCRIPTS_DIR)/lib/version; \ set -e; \ for image in submariner submariner-route-agent submariner-operator lighthouse-agent submariner-globalnet lighthouse-coredns; do \ import_image quay.io/submariner/$${image}; \ From 4a59718a34df3087548561ad5284abc4162ccffb Mon Sep 17 00:00:00 2001 From: Steve Mattar Date: Tue, 2 Mar 2021 15:57:52 +0200 Subject: [PATCH 12/15] refactor: rename submariner-engine to submariner-gateway (#122) Signed-off-by: Steve Mattar --- Makefile | 2 +- submariner-operator/crds/crd.yaml | 2 +- submariner-operator/templates/NOTES.txt | 2 +- submariner-operator/templates/_helpers.tpl | 10 +++---- .../templates/operator-deployment.yaml | 2 +- submariner-operator/templates/rbac.yaml | 16 ++++++------ submariner-operator/templates/svc-acct.yaml | 4 +-- submariner-operator/values.yaml | 6 ++--- submariner/questions.yml | 22 ++++++++-------- submariner/templates/NOTES.txt | 2 +- submariner/templates/_helpers.tpl | 10 +++---- submariner/templates/engine-deploy.yaml | 26 +++++++++---------- submariner/templates/rbac.yaml | 16 ++++++------ submariner/templates/svc-acct.yaml | 4 +-- submariner/values.yaml | 6 ++--- 15 files changed, 65 insertions(+), 65 deletions(-) diff --git a/Makefile b/Makefile index 699a312c..8694e726 100644 --- a/Makefile +++ b/Makefile 
@@ -23,7 +23,7 @@ preload-images: source $(SCRIPTS_DIR)/lib/debug_functions; \ source $(SCRIPTS_DIR)/lib/deploy_funcs; \ set -e; \ - for image in submariner submariner-route-agent submariner-operator lighthouse-agent submariner-globalnet lighthouse-coredns; do \ + for image in submariner-gateway submariner-route-agent submariner-operator lighthouse-agent submariner-globalnet lighthouse-coredns; do \ import_image quay.io/submariner/$${image}; \ done diff --git a/submariner-operator/crds/crd.yaml b/submariner-operator/crds/crd.yaml index 46302724..763e82c2 100644 --- a/submariner-operator/crds/crd.yaml +++ b/submariner-operator/crds/crd.yaml @@ -105,7 +105,7 @@ spec: type: string colorCodes: type: string - engineDaemonSetStatus: + gatewayDaemonSetStatus: properties: lastResourceVersion: type: string diff --git a/submariner-operator/templates/NOTES.txt b/submariner-operator/templates/NOTES.txt index 98126181..1ea590ca 100644 --- a/submariner-operator/templates/NOTES.txt +++ b/submariner-operator/templates/NOTES.txt @@ -1,6 +1,6 @@ Submariner is now installed. -{{- if .Values.engine.nodeSelectorEnabled }} +{{- if .Values.gateway.nodeSelectorEnabled }} If you haven't done so yet, please label a node as `submariner.io/gateway=true` to elect it for running Submariner. {{- end }} diff --git a/submariner-operator/templates/_helpers.tpl b/submariner-operator/templates/_helpers.tpl index 2df8baaa..778ac0a6 100644 --- a/submariner-operator/templates/_helpers.tpl +++ b/submariner-operator/templates/_helpers.tpl 
@@ -43,13 +43,13 @@ Create the name of the submariner-operator service account to use {{- end -}} {{/* -Create the name of the submariner-engine service account to use +Create the name of the submariner-gateway service account to use */}} -{{- define "submariner.engineServiceAccountName" -}} -{{- if .Values.serviceAccounts.engine.create -}} - {{ default "submariner-engine" .Values.serviceAccounts.engine.name }} +{{- define "submariner.gatewayServiceAccountName" -}} +{{- if .Values.serviceAccounts.gateway.create -}} + {{ default "submariner-gateway" .Values.serviceAccounts.gateway.name }} {{- else -}} - {{ default "default" .Values.serviceAccounts.engine.name }} + {{ default "default" .Values.serviceAccounts.gateway.name }} {{- end -}} {{- end -}} diff --git a/submariner-operator/templates/operator-deployment.yaml b/submariner-operator/templates/operator-deployment.yaml index fc2812e3..5f84969c 100644 --- a/submariner-operator/templates/operator-deployment.yaml +++ b/submariner-operator/templates/operator-deployment.yaml @@ -6,7 +6,7 @@ metadata: release: {{ .Release.Name | quote }} chart: {{ template "submariner.chart" . }} app: {{ template "submariner.fullname" . }} - component: engine + component: gateway name: {{ template "submariner.fullname" . }} spec: progressDeadlineSeconds: 600 diff --git a/submariner-operator/templates/rbac.yaml b/submariner-operator/templates/rbac.yaml index 1000bfc0..dde1aee2 100644 --- a/submariner-operator/templates/rbac.yaml +++ b/submariner-operator/templates/rbac.yaml @@ -86,7 +86,7 @@ roleRef: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} 
@@ -166,7 +166,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} @@ -175,10 +175,10 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway subjects: - kind: ServiceAccount - name: {{ template "submariner.engineServiceAccountName" . }} + name: {{ template "submariner.gatewayServiceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -458,7 +458,7 @@ roleRef: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} @@ -525,7 +525,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} @@ -534,10 +534,10 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway subjects: - kind: ServiceAccount - name: {{ template "submariner.engineServiceAccountName" . }} + name: {{ template "submariner.gatewayServiceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/submariner-operator/templates/svc-acct.yaml b/submariner-operator/templates/svc-acct.yaml index 2cfc525c..a725fac9 100644 --- a/submariner-operator/templates/svc-acct.yaml +++ b/submariner-operator/templates/svc-acct.yaml 
@@ -10,11 +10,11 @@ metadata: app: {{ template "submariner.name" . }} {{- end }} --- -{{- if .Values.serviceAccounts.engine.create }} +{{- if .Values.serviceAccounts.gateway.create }} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "submariner.engineServiceAccountName" . }} + name: {{ template "submariner.gatewayServiceAccountName" . }} labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} diff --git a/submariner-operator/values.yaml b/submariner-operator/values.yaml index 0e03d025..e680c8e9 100644 --- a/submariner-operator/values.yaml +++ b/submariner-operator/values.yaml @@ -37,15 +37,15 @@ operator: resources: {} tolerations: [] affinity: {} -engine: +gateway: image: - repository: quay.io/submariner/submariner + repository: quay.io/submariner/submariner-gateway tag: "0.7.0" serviceAccounts: operator: create: true name: "" - engine: + gateway: create: true name: "" routeAgent: diff --git a/submariner/questions.yml b/submariner/questions.yml index 5760c9fe..d04fa30d 100644 --- a/submariner/questions.yml +++ b/submariner/questions.yml 
@@ -1,22 +1,22 @@ questions: -- variable: defaultEngineImage +- variable: defaultGatewayImage default: true - description: "Use default Submariner Engine image or specify a custom one" - label: Use default submariner engine image + description: "Use default Submariner Gateway image or specify a custom one" + label: Use default submariner gateway image type: boolean show_subquestion_if: false group: "Container Images" subquestions: - - variable: engine.image.repository - default: "quay.io/submariner/submariner" - description: "Submariner Engine Image Repository" + - variable: gateway.image.repository + default: "quay.io/submariner/submariner-gateway" + description: "Submariner Gateway Image Repository" type: string - label: Submariner Engine Image Repository - - variable: engine.image.tag + label: Submariner Gateway Image Repository + - variable: gateway.image.tag default: "0.6.0" - description: "Submariner Engine Image Tag" + description: "Submariner Gateway Image Tag" type: string - label: Submariner Engine Image Tag + label: Submariner Gateway Image Tag - variable: defaultRouteAgentImage default: true description: "Use default Submariner Route Agent image or specify a custom one" @@ -35,7 +35,7 @@ questions: description: "Submariner Route Agent Image Tag" type: string label: Submariner Route Agent Image Tag -- variable: engine.nodeSelectorEnabled +- variable: gateway.nodeSelectorEnabled default: true description: "Restrict submariner to nodes labeled with submariner.io/gateway=true" label: Restrict gateway deployments to specific nodes diff --git a/submariner/templates/NOTES.txt b/submariner/templates/NOTES.txt index 98126181..1ea590ca 100644 --- a/submariner/templates/NOTES.txt +++ b/submariner/templates/NOTES.txt 
@@ -1,6 +1,6 @@ Submariner is now installed. -{{- if .Values.engine.nodeSelectorEnabled }} +{{- if .Values.gateway.nodeSelectorEnabled }} If you haven't done so yet, please label a node as `submariner.io/gateway=true` to elect it for running Submariner. {{- end }} diff --git a/submariner/templates/_helpers.tpl b/submariner/templates/_helpers.tpl index 99477b3e..b0104c95 100644 --- a/submariner/templates/_helpers.tpl +++ b/submariner/templates/_helpers.tpl @@ -32,13 +32,13 @@ Create chart name and version as used by the chart label. {{- end -}} {{/* -Create the name of the submariner-engine service account to use +Create the name of the submariner-gateway service account to use */}} -{{- define "submariner.engineServiceAccountName" -}} -{{- if .Values.serviceAccounts.engine.create -}} - {{ default "submariner-engine" .Values.serviceAccounts.engine.name }} +{{- define "submariner.gatewayServiceAccountName" -}} +{{- if .Values.serviceAccounts.gateway.create -}} + {{ default "submariner-gateway" .Values.serviceAccounts.gateway.name }} {{- else -}} - {{ default "default" .Values.serviceAccounts.engine.name }} + {{ default "default" .Values.serviceAccounts.gateway.name }} {{- end -}} {{- end -}} diff --git a/submariner/templates/engine-deploy.yaml b/submariner/templates/engine-deploy.yaml index a58747cf..259f87ab 100644 --- a/submariner/templates/engine-deploy.yaml +++ b/submariner/templates/engine-deploy.yaml @@ -5,14 +5,14 @@ metadata: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} chart: {{ template "submariner.chart" . }} - app: {{ template "submariner.fullname" . }}-engine - component: engine + app: {{ template "submariner.fullname" . }}-gateway + component: gateway name: {{ template "submariner.fullname" . }}-gateway spec: revisionHistoryLimit: 5 selector: matchLabels: - app: {{ template "submariner.fullname" . }}-engine + app: {{ template "submariner.fullname" . }}-gateway updateStrategy: rollingUpdate: maxUnavailable: 1 
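Review bot: In `submariner.gatewayServiceAccountName` the `else` branch still resolves to the namespace's `default` service account when `serviceAccounts.gateway.create` is false and no name is given. The RoleBinding and ClusterRoleBinding renamed in `submariner/templates/rbac.yaml` later in this patch use the same helper as their subject, so in that configuration the gateway's Role and ClusterRole are bound to `default`, and every pod in the release namespace that does not set its own service account inherits them. Requiring an explicit name closes that gap: `{{ required "serviceAccounts.gateway.name must be set when serviceAccounts.gateway.create is false" .Values.serviceAccounts.gateway.name }}`. The helper's comment could also say which account each branch returns.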
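Review bot: `spec.selector.matchLabels.app` changes from `…-engine` to `…-gateway` while the object's `name` (the unchanged `…-gateway` context line) stays the same, so upgrading an existing release patches the same workload with a different selector. The `kind` is outside this hunk, but for apps/v1 DaemonSets and Deployments the selector is immutable and the API server rejects such an update, which would make `helm upgrade` fail until the old object is deleted. Either keep the old `app` value in the selector and pod-template labels and rename only the `component` label, or document the delete-and-reinstall step for upgraders. The pod-template label and anti-affinity value in the following hunks (`@@ -21,7` and `@@ -31,19`) have to move together with whichever option is chosen.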
@@ -21,7 +21,7 @@ spec: metadata: creationTimestamp: null labels: - app: {{ template "submariner.fullname" . }}-engine + app: {{ template "submariner.fullname" . }}-gateway spec: affinity: podAntiAffinity: @@ -31,19 +31,19 @@ spec: - key: app operator: In values: - - {{ template "submariner.fullname" . }}-engine + - {{ template "submariner.fullname" . }}-gateway topologyKey: "kubernetes.io/hostname" -{{- with .Values.engine.affinity }} +{{- with .Values.gateway.affinity }} {{ toYaml . | indent 8 }} {{- end }} nodeSelector: -{{- if .Values.engine.nodeSelectorEnabled }} +{{- if .Values.gateway.nodeSelectorEnabled }} submariner.io/gateway: "true" {{- end }} -{{- with .Values.engine.nodeSelector }} +{{- with .Values.gateway.nodeSelector }} {{ toYaml . | indent 8 }} {{- end }} -{{- with .Values.engine.tolerations }} +{{- with .Values.gateway.tolerations }} tolerations: {{ toYaml . | indent 8 }} {{- end }} @@ -112,11 +112,11 @@ spec: valueFrom: fieldRef: fieldPath: "spec.nodeName" - image: {{ .Values.engine.image.repository }}:{{ default .Chart.AppVersion .Values.engine.image.tag }} - imagePullPolicy: {{ .Values.engine.image.pullPolicy }} + image: {{ .Values.gateway.image.repository }}:{{ default .Chart.AppVersion .Values.gateway.image.tag }} + imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} name: submariner resources: -{{ toYaml .Values.engine.resources | indent 10 }} +{{ toYaml .Values.gateway.resources | indent 10 }} securityContext: allowPrivilegeEscalation: true capabilities: @@ -135,4 +135,4 @@ spec: schedulerName: default-scheduler securityContext: {} terminationGracePeriodSeconds: 1 - serviceAccountName: {{ template "submariner.engineServiceAccountName" . }} + serviceAccountName: {{ template "submariner.gatewayServiceAccountName" . }} diff --git a/submariner/templates/rbac.yaml b/submariner/templates/rbac.yaml index 94563eb8..d2240bce 100644 --- a/submariner/templates/rbac.yaml +++ b/submariner/templates/rbac.yaml 
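Review bot: Every `.Values.engine.*` lookup in the `@@ -31,19` and `@@ -112,11` hunks becomes `.Values.gateway.*` with no compatibility path, so overrides that existing users pass under `engine.` (`nodeSelector`, `tolerations`, `affinity`, `image.tag`, `resources`) are ignored after an upgrade without any error. For `nodeSelectorEnabled` and `nodeSelector` that means the gateway pod, which the `@@ -112,11` context shows running with `allowPrivilegeEscalation: true`, can be scheduled on nodes the operator meant to exclude. A guard at the top of the template makes the rename visible: `{{- if .Values.engine }}{{ fail "values key 'engine' was renamed to 'gateway'" }}{{- end }}`. The same applies to `serviceAccounts.engine` in `_helpers.tpl` and `svc-acct.yaml`.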
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} @@ -82,7 +82,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} @@ -91,10 +91,10 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway subjects: - kind: ServiceAccount - name: {{ template "submariner.engineServiceAccountName" . }} + name: {{ template "submariner.gatewayServiceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -299,7 +299,7 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} @@ -366,7 +366,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} 
@@ -375,10 +375,10 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "submariner.fullname" . }}:engine + name: {{ template "submariner.fullname" . }}:gateway subjects: - kind: ServiceAccount - name: {{ template "submariner.engineServiceAccountName" . }} + name: {{ template "submariner.gatewayServiceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/submariner/templates/svc-acct.yaml b/submariner/templates/svc-acct.yaml index 154c2c97..0bfb5a93 100644 --- a/submariner/templates/svc-acct.yaml +++ b/submariner/templates/svc-acct.yaml @@ -1,8 +1,8 @@ -{{- if .Values.serviceAccounts.engine.create }} +{{- if .Values.serviceAccounts.gateway.create }} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "submariner.engineServiceAccountName" . }} + name: {{ template "submariner.gatewayServiceAccountName" . }} labels: heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} diff --git a/submariner/values.yaml b/submariner/values.yaml index 4a2ced62..72e800f0 100644 --- a/submariner/values.yaml +++ b/submariner/values.yaml @@ -29,9 +29,9 @@ leadership: leaseDuration: 10 renewDeadline: 5 retryPeriod: 2 -engine: +gateway: image: - repository: quay.io/submariner/submariner + repository: quay.io/submariner/submariner-gateway tag: "" pullPolicy: IfNotPresent resources: {} @@ -65,7 +65,7 @@ lighthouseCoredns: tag: "" pullPolicy: IfNotPresent serviceAccounts: - engine: + gateway: create: true name: "" routeAgent: From 8d13ad14fbaad02cda5ca8afaec6798b72087497 Mon Sep 17 00:00:00 2001 From: Steve Mattar Date: Wed, 3 Mar 2021 23:56:03 +0200 Subject: [PATCH 13/15] refactor: rename the gateway deployment file Rename to maintain consistency and to follow the standards. 
Signed-off-by: Steve Mattar --- submariner/templates/{engine-deploy.yaml => gateway.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename submariner/templates/{engine-deploy.yaml => gateway.yaml} (100%) diff --git a/submariner/templates/engine-deploy.yaml b/submariner/templates/gateway.yaml similarity index 100% rename from submariner/templates/engine-deploy.yaml rename to submariner/templates/gateway.yaml From 86ba2b8857f40caa375251a99667fd18b9fc5b3b Mon Sep 17 00:00:00 2001 From: Steve Mattar Date: Wed, 3 Mar 2021 23:44:11 +0200 Subject: [PATCH 14/15] feat: support cableDriver value default is libreswan Closes #33 Signed-off-by: Steve Mattar --- submariner-operator/templates/submariner.yaml | 1 + submariner-operator/values.yaml | 1 + submariner/values.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/submariner-operator/templates/submariner.yaml b/submariner-operator/templates/submariner.yaml index b9751540..040c570d 100644 --- a/submariner-operator/templates/submariner.yaml +++ b/submariner-operator/templates/submariner.yaml @@ -24,3 +24,4 @@ spec: serviceCIDR: "{{ .Values.submariner.serviceCidr }}" globalCIDR: "{{ .Values.submariner.globalCidr }}" serviceDiscoveryEnabled: {{ .Values.submariner.serviceDiscovery }} + cableDriver: {{ .Values.submariner.cableDriver }} diff --git a/submariner-operator/values.yaml b/submariner-operator/values.yaml index e680c8e9..3b7584a8 100644 --- a/submariner-operator/values.yaml +++ b/submariner-operator/values.yaml @@ -9,6 +9,7 @@ submariner: colorCodes: blue debug: false serviceDiscovery: true + cableDriver: "libreswan" images: repository: quay.io/submariner tag: "0.7.0" diff --git a/submariner/values.yaml b/submariner/values.yaml index 72e800f0..ae718f22 100644 --- a/submariner/values.yaml +++ b/submariner/values.yaml @@ -9,6 +9,7 @@ submariner: colorCodes: blue debug: false serviceDiscovery: false + cableDriver: "libreswan" crd: create: true broker: 
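Review bot: The added `cableDriver: {{ .Values.submariner.cableDriver }}` in `submariner-operator/templates/submariner.yaml` is rendered unquoted, unlike the `serviceCIDR` and `globalCIDR` lines directly above it. If a user clears the value or supplies something YAML retypes, the Submariner resource gets `null` or a non-string here instead of a driver name. Quote it like its neighbours: `cableDriver: "{{ .Values.submariner.cableDriver }}"`. A comment next to the new key in `values.yaml` listing the accepted drivers (the E2E matrix in the following patch uses `libreswan` and `wireguard`) would document the setting.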
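Review bot: `cableDriver: "libreswan"` is added to `submariner/values.yaml`, but this commit's diffstat touches no template under `submariner/templates/`, only `submariner-operator/templates/submariner.yaml`. Unless an existing template in that chart already reads `.Values.submariner.cableDriver` (not visible here), setting it in the `submariner` chart has no effect and the tunnel keeps whatever driver the gateway defaults to. Because the value selects the tunnel implementation, I would either wire it into the gateway template in this commit or leave the key out of this chart until something consumes it.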
From 274b2cad889b7fcd7645fdda8150530027dab3cd Mon Sep 17 00:00:00 2001 From: Daniel Farrell Date: Thu, 10 Dec 2020 04:45:58 -0500 Subject: [PATCH 15/15] Add cable driver to E2E matrix Run E2E tests for all currently-supported cable drivers. Signed-off-by: Daniel Farrell --- .github/workflows/e2e.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index d5fb9970..0ed84e6f 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -12,6 +12,7 @@ jobs: strategy: fail-fast: false matrix: + cable_driver: ['libreswan', 'wireguard'] globalnet: ['', 'globalnet'] steps: - name: Check out the repository @@ -20,6 +21,7 @@ jobs: - name: Run E2E deployment and tests uses: submariner-io/shipyard/gh-actions/e2e@devel with: + cabledriver: ${{ matrix.cable_driver }} globalnet: ${{ matrix.globalnet }} - name: Post mortem
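Review bot: The new input `cabledriver: ${{ matrix.cable_driver }}` is passed to `submariner-io/shipyard/gh-actions/e2e@devel`, a branch ref whose declared inputs can change underneath this workflow. GitHub Actions only warns about an input the action does not declare, so if `cabledriver` is missing or renamed on `devel`, both matrix legs would run with the action's default driver and the `wireguard` leg would pass without exercising WireGuard. Pinning the action to a commit, `uses: submariner-io/shipyard/gh-actions/e2e@<commit-sha>`, or asserting the active driver in a later step would make the matrix result trustworthy. The differing spellings `cable_driver` and `cabledriver` are easy to confuse, so a one-line comment on the matrix key would help.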