Releasing jfrog registry operator 2.1.0 - Added multi user support

Signed-off-by: oumk <oumk@jfrog.com>

Author: oumkale

.github/workflows/test.yml

@@ -30,7 +30,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.20.x
+          go-version: 1.24.x
 
       - name: Go Cache
         uses: actions/cache@v3
@@ -76,7 +76,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.20.x
+          go-version: 1.24.x
 
       - name: Go Cache
         uses: actions/cache@v3

Makefile

@@ -31,7 +31,7 @@ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 #
 # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both
 # jfrog.com/operator-bundle:$VERSION and jfrog.com/operator-catalog:$VERSION.
-IMAGE_TAG_BASE ?= docker.jfrog.io/jfrog/jfrog-registry-operator:2.0.0
+IMAGE_TAG_BASE ?= docker.jfrog.io/jfrog/jfrog-registry-operator:2.1.0
 
 # BUNDLE_IMG defines the image:tag used for the bundle.
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
@@ -204,7 +204,7 @@ catalog-build: opm ## Build a catalog image.
 ## operator
 ##@ Build multiarch operator binaries
 .PHONY: operator
-operator: build-operator-linux-amd64 build-operator-linux-arm64 
+operator: build-operator-linux-amd64 build-operator-linux-arm64
 ## clean-build
 ##@ clean the bin directory
 .PHONY: clean-build

README.md

@@ -38,14 +38,38 @@ helm repo update
 
 # decide on the namespace and kubernetes service account name you will want to create
 export SERVICE_ACCOUNT_NAME="<service account name>"
+
+# Support for external service accounts has also been added. Users can now utilize an external service account; for this, follow the multi-user installation details relevant to external service accounts.
+# Setting SERVICE_ACCOUNT_NAME and ANNOTATIONS is optional for multi-user installations, available from release version 2.1.x.
 export ANNOTATIONS="<Role annotation for service account>" # Example: eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/jfrog-operator-role
 export NAMESPACE="jfrog-operator"
 
 # install JFrog secret rotator operator
 helm upgrade --install secretrotator jfrog/jfrog-registry-operator --set "serviceAccount.name=${SERVICE_ACCOUNT_NAME}" --set serviceAccount.annotations=${ANNOTATIONS}  --namespace  ${NAMESPACE} --create-namespace
 ```
 
-Once operator is in running state, configure `artifactoryUrl`, `refreshTime`, `namespaceSelector`, and `secretMetadata` in [secretrotator.yaml](https://github.com/jfrog/jfrog-registry-operator/blob/master/charts/jfrog-registry-operator/examples/secretrotator.yaml)
+### For multi-user installations, if multiple service accounts need to be created:
+```
+# In a multi-user scenario, please create all service accounts using the role ARN as an annotation via the Helm chart. This will also update the ClusterRole to grant the necessary permissions to each specific service account.
+
+# Create a custom-values.yaml file with service account details and then install operator.
+exchangedServiceAccounts:
+ - name: "sample-service-account"
+   namespace: "<NAMESPACE>"
+   annotations:
+      eks.amazonaws.com/role-arn: < role arn >
+
+helm upgrade --install secretrotator jfrog/jfrog-registry-operator --create-namespace -f custom-values.yaml -n ${NAMESPACE}
+
+Important Note: After this, you can use the service account name and namespace in custom resources. You may install multiple custom resources with different service account details.
+
+Example:
+serviceAccount:
+  name: "sample-service-account"
+  namespace: "<NAMESPACE>"
+```
+
+Once operator is in running state, configure `artifactoryUrl`, `refreshTime`, `namespaceSelector`, `serviceAccount`, `generatedSecrets`, and `secretMetadata` in [secretrotator.yaml](https://github.com/jfrog/jfrog-registry-operator/blob/master/charts/jfrog-registry-operator/examples/secretrotator.yaml)
 
 Sample Manifest:
 
@@ -63,12 +87,20 @@ spec:
     matchLabels:
       kubernetes.io/metadata.name: jfrog-operator
   generatedSecrets:
-  - secretName: token-imagepull-secret
-    secretType: docker
-  - secretName: token-generic-secret
-    secretType: generic
+    - secretName: token-imagepull-secret
+      secretType: docker
+    # - secretName: token-generic-secret
+    #   secretType: generic
   artifactoryUrl: "artifactory.example.com"
-  refreshTime: 1m
+  refreshTime: 30m
+  # serviceAccount: # The default name and namespace will be the operator’s service account name and namespace
+  #   name: ""
+  #   namespace: ""
+  secretMetadata:
+    annotations:
+      annotationKey: annotationValue
+    labels:
+      labelName: labelValue
   security:
     enabled: false
     secretNamespace:
@@ -97,6 +129,19 @@ kubectl delete -f secretrotator.yaml -n ${NAMESPACE}
 kubectl delete crd secretrotators.apps.jfrog.com
 ```
 
+### Upgrading JFrog Secret Rotator operator
+
+```shell
+# update the helm repo
+helm repo update
+
+# To upgrade the Custom Resource Definition (CRD), run the following command:
+kubectl apply -f https://raw.githubusercontent.com/jfrog/jfrog-registry-operator/refs/heads/master/config/crd/bases/apps.jfrog.com_secretrotators.yaml
+
+# Uninstall the secretrotator using the following command
+helm upgrade --install secretrotator jfrog/jfrog-registry-operator --set "serviceAccount.name=${SERVICE_ACCOUNT_NAME}" --set serviceAccount.annotations=${ANNOTATIONS}  --namespace  ${NAMESPACE} --create-namespace
+```
+
 ### Check Resources in your cluster
 
 ```shell

api/v1alpha1/secretrotator_types.go

@@ -63,11 +63,18 @@ type SecretRotatorSpec struct {
 	// ArtifactoryUrl, URL of Artifactory
 	ArtifactoryUrl string `json:"artifactoryUrl,omitempty"`
 
-	// RefreshInterval The time in which the controller should reconcile its objects and recheck namespaces for labels.
+	// Each target user's ServiceAccount, restricting access to only the specified service accounts and ensuring the role is limited to the jfrog operator service account.
+	ServiceAccount ServiceAccountDetails `json:"serviceAccount,omitempty"`
+
+	// RefreshInterval The time in which the controller should reconcile it's objects and recheck namespaces for labels.
 	RefreshInterval *metav1.Duration `json:"refreshTime,omitempty"`
 
 	// Security holding tls/ssl certificates details
 	Security SecurityDetails `json:"security,omitempty"`
+
+	// AwsRegion holding aws region name
+	// +optional
+	AwsRegion string `json:"awsRegion,omitempty"`
 }
 
 // GeneratedSecret defines an individual secret to be created
@@ -94,6 +101,14 @@ type SecurityDetails struct {
 	InsecureSkipVerify bool `default:"false" json:"insecureSkipVerify,omitempty"`
 }
 
+// ServiceAccountDetails defines name and namespace of the service account.
+type ServiceAccountDetails struct {
+	// Name of the service account
+	Name string `default:"false" json:"name,omitempty"`
+	// Namespace of the service account
+	Namespace string `json:"namespace,omitempty"`
+}
+
 // SecretMetadata defines metadata fields for the ExternalSecret generated by the SecretOperator.
 type SecretMetadata struct {
 	// +optional

api/v1alpha1/zz_generated.deepcopy.go

@@ -1,10 +1,17 @@
 # JFrog Secret Rotator Operator Chart Changelog
 All changes to this chart will be documented in this file.
 
-## [2.0.0] - May 19, 2025
+## [2.1.0] - May 27, 2025
+* Added support for `exchangedServiceAccounts`. Using this, multiple service accounts can be created, which can later be used in `serviceAccount.name` and `serviceAccount.namespace` in the custom resource
+* Added permissions for `serviceaccounts` and `serviceaccounts/token` for the target service accounts.
+* Removed support for operator-specific service account annotations support. Users can now create custom service accounts or use `exchangedServiceAccounts`.
+* The operator's service account requires an optional ARN annotation. If the user does not configure any service account, they will need to update the annotation using `serviceAccount.annotations`
+* Removed default labels from the deployment. Customers can now pass the required labels to avoid any duplication with Kustomize. [GH-32](https://github.com/jfrog/jfrog-registry-operator/issues/32)
+
+## [2.0.0] - May 15, 2025
 *** Important Changes ***
 * In the custom resource, the introduced `spec.generatedSecrets` configuration typically involves specifying: `secretName` – the name of the Secret to be generated, and `secretType` – the type of Secret to generate (e.g., Docker, Generic)
-* Scope : Scope can be anything (Optional)
+* Scope: Scope can be anything (Optional)
 * Note: Currently spec.secretName is supported but going forward this will be deprecated soon.
 
 ## [1.4.2] - Mar 26, 2025

charts/jfrog-registry-operator/CHANGELOG.md

@@ -3,7 +3,7 @@ kubeVersion: ">= 1.19.0-0"
 type: application
 name: jfrog-registry-operator
 home: https://jfrog.com/platform/
-version: 2.0.0
+version: 2.1.0
 appVersion: 2.x-SNAPSHOT
 dependencies:
   - name: jfrog-common

charts/jfrog-registry-operator/Chart.yaml

@@ -51,6 +51,9 @@ spec:
               artifactoryUrl:
                 description: ArtifactoryUrl, URL of Artifactory
                 type: string
+              awsRegion:
+                description: AwsRegion holding aws region name
+                type: string
               generatedSecrets:
                 description: GeneratedSecrets defines the secrets to be created
                 items:
@@ -118,7 +121,7 @@ spec:
                 x-kubernetes-map-type: atomic
               refreshTime:
                 description: RefreshInterval The time in which the controller should
-                  reconcile its objects and recheck namespaces for labels.
+                  reconcile it's objects and recheck namespaces for labels.
                 type: string
               secretMetadata:
                 description: |-
@@ -156,6 +159,18 @@ spec:
                   secretNamespace:
                     type: string
                 type: object
+              serviceAccount:
+                description: Each target user's ServiceAccount, restricting access
+                  to only the specified service accounts and ensuring the role is
+                  limited to the jfrog operator service account.
+                properties:
+                  name:
+                    description: Name of the service account
+                    type: string
+                  namespace:
+                    description: Namespace of the service account
+                    type: string
+                type: object
             required:
             - namespaceSelector
             type: object

charts/jfrog-registry-operator/crds/apps.jfrog.com_secretrotators.yaml

@@ -10,12 +10,12 @@ spec:
   namespaceSelector:
     matchLabels:
       kubernetes.io/metadata.name: jfrog-operator
-  secretName: token-secret
+  # secretName: token-secret
   generatedSecrets:
     - secretName: token-imagepull-secret
       secretType: docker
-    - secretName: token-generic-secret
-      secretType: generic
+    # - secretName: token-generic-secret
+    #   secretType: generic
   artifactoryUrl: ""
   refreshTime: 30m
   secretMetadata:
@@ -30,4 +30,6 @@ spec:
     ## NOTE: You can provide either a pair of cert.pem and key.pem, or ca.pem, or all three: cert.pem, key.pem, and ca.pem. But make sure that key needs to same as cert.pem, key.pem, and ca.pem in secret
     certificateSecretName:
     insecureSkipVerify: false
-
+  #  serviceAccount: # The default name and namespace will be the operator’s service account name and namespace
+  #    name: ""
+  #    namespace: ""

charts/jfrog-registry-operator/examples/secretrotator.yaml

@@ -8,7 +8,7 @@ global:
 image:
   registry: releases-docker.jfrog.io
   repository: jfrog/jfrog-registry-operator
-  tag: 2.0.0
+  tag: 2.1.0
 
   pullPolicy: IfNotPresent
   # pullSecrets:
@@ -130,13 +130,7 @@ podAnnotations: {}
 ## @param deploymentLabels jfrog-registry-operator deployment labels. Evaluated as a template
 ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 ##
-deploymentLabels:
-  AutomationCleanupIgnore: "true"
-  control-plane: controller-manager
-  app.kubernetes.io/name: namespace
-  app.kubernetes.io/instance: system
-  app.kubernetes.io/created-by: artifactory-secrets-rotator
-  app.kubernetes.io/part-of: artifactory-secrets-rotator
+deploymentLabels: {}
 
 ## @param priorityClassName Name of the priority class to be used by jfrog-registry-operator pods, priority class needs to be created beforehand
 ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/