Improve reconciled resources

hack/run-e2e-tests.sh

@@ -70,6 +70,7 @@ fi
 echo "Kubeconfig is in $KUBECONFIG."
 
 KUBECTL="$(UGET_PRINT_PATH=absolute make --no-print-directory install-kubectl)"
+KUSTOMIZE="$(UGET_PRINT_PATH=absolute make --no-print-directory install-kustomize)"
 HELM="$(UGET_PRINT_PATH=absolute make --no-print-directory install-helm)"
 PROTOKOL="$(UGET_PRINT_PATH=absolute make --no-print-directory install-protokol)"
 
@@ -100,15 +101,17 @@ echo "Deploying cert-manager..."
 
 "$KUBECTL" apply --filename hack/ci/testdata/clusterissuer.yaml
 
-# build operator image and deploy it into kind
-echo "Building and deploying kcp-operator..."
-export IMG="ghcr.io/kcp-dev/kcp-operator:e2e"
-make --no-print-directory docker-build kind-load deploy
+# build operator image it into kind
+echo "Building and loading kcp-operator..."
+export IMG="ghcr.io/kcp-dev/kcp-operator:local"
+make --no-print-directory docker-build kind-load
+
+echo "Deploying kcp-operator..."
+"$KUSTOMIZE" build hack/ci/testdata | "$KUBECTL" apply --filename -
 
 "$PROTOKOL" --namespace 'e2e-*' --namespace kcp-operator-system --output "$DATA_DIR/kind-logs" 2>/dev/null &
 PROTOKOL_PID=$!
 
-
 echo "Running e2e tests..."
 
 export HELM_BINARY="$HELM"

internal/resources/frontproxy/certificates.go

@@ -114,6 +114,8 @@ func (r *reconciler) serverCertificateReconciler() reconciling.NamedCertificateR
 
 				Usages: []certmanagerv1.KeyUsage{
 					certmanagerv1.UsageServerAuth,
+					certmanagerv1.UsageKeyEncipherment,
+					certmanagerv1.UsageDigitalSignature,
 				},
 
 				DNSNames: dnsNames,

internal/resources/frontproxy/deployment.go

@@ -81,6 +81,13 @@ func (r *reconciler) deploymentReconciler() reconciling.NamedDeploymentReconcile
 					SeccompProfile: &corev1.SeccompProfile{
 						Type: corev1.SeccompProfileTypeRuntimeDefault,
 					},
+					ReadOnlyRootFilesystem:   ptr.To(true),
+					AllowPrivilegeEscalation: ptr.To(false),
+					Capabilities: &corev1.Capabilities{
+						Drop: []corev1.Capability{
+							corev1.Capability("ALL"),
+						},
+					},
 				},
 				Ports: []corev1.ContainerPort{
 					{
@@ -97,7 +104,7 @@ func (r *reconciler) deploymentReconciler() reconciling.NamedDeploymentReconcile
 					TimeoutSeconds:      10,
 					ProbeHandler: corev1.ProbeHandler{
 						HTTPGet: &corev1.HTTPGetAction{
-							Path:   "/livez",
+							Path:   "/readyz",
 							Port:   intstr.FromString("https"),
 							Scheme: corev1.URISchemeHTTPS,
 						},
@@ -111,7 +118,7 @@ func (r *reconciler) deploymentReconciler() reconciling.NamedDeploymentReconcile
 					TimeoutSeconds:      10,
 					ProbeHandler: corev1.ProbeHandler{
 						HTTPGet: &corev1.HTTPGetAction{
-							Path:   "/readyz",
+							Path:   "/livez",
 							Port:   intstr.FromString("https"),
 							Scheme: corev1.URISchemeHTTPS,
 						},

internal/resources/frontproxy/deployment_test.go

@@ -92,12 +92,12 @@ func TestDeploymentReconciler(t *testing.T) {
 
 				// Check readiness probe
 				assert.NotNil(t, container.ReadinessProbe)
-				assert.Equal(t, "/livez", container.ReadinessProbe.HTTPGet.Path)
+				assert.Equal(t, "/readyz", container.ReadinessProbe.HTTPGet.Path)
 				assert.Equal(t, "https", container.ReadinessProbe.HTTPGet.Port.StrVal)
 
 				// Check liveness probe
 				assert.NotNil(t, container.LivenessProbe)
-				assert.Equal(t, "/readyz", container.LivenessProbe.HTTPGet.Path)
+				assert.Equal(t, "/livez", container.LivenessProbe.HTTPGet.Path)
 				assert.Equal(t, "https", container.LivenessProbe.HTTPGet.Port.StrVal)
 			},
 		},

internal/resources/rootshard/certificates.go

@@ -52,6 +52,8 @@ func ServerCertificateReconciler(rootShard *operatorv1alpha1.RootShard) reconcil
 
 				Usages: []certmanagerv1.KeyUsage{
 					certmanagerv1.UsageServerAuth,
+					certmanagerv1.UsageKeyEncipherment,
+					certmanagerv1.UsageDigitalSignature,
 				},
 
 				DNSNames: []string{
@@ -135,6 +137,11 @@ func ServiceAccountCertificateReconciler(rootShard *operatorv1alpha1.RootShard)
 				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
 				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
 
+				Usages: []certmanagerv1.KeyUsage{
+					certmanagerv1.UsageDigitalSignature,
+					certmanagerv1.UsageKeyEncipherment,
+				},
+
 				PrivateKey: &certmanagerv1.CertificatePrivateKey{
 					Algorithm: certmanagerv1.RSAKeyAlgorithm,
 					Size:      4096,
@@ -162,8 +169,13 @@ func LogicalClusterAdminCertificateReconciler(rootShard *operatorv1alpha1.RootSh
 		return name, func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
 			cert.SetLabels(resources.GetRootShardResourceLabels(rootShard))
 			cert.Spec = certmanagerv1.CertificateSpec{
-				CommonName:  "logical-cluster-admin",
-				SecretName:  name,
+				CommonName: "logical-cluster-admin",
+				SecretName: name,
+				SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
+					Labels: map[string]string{
+						resources.RootShardLabel: rootShard.Name,
+					},
+				},
 				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
 				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
 
@@ -202,8 +214,13 @@ func ExternalLogicalClusterAdminCertificateReconciler(rootShard *operatorv1alpha
 		return name, func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
 			cert.SetLabels(resources.GetRootShardResourceLabels(rootShard))
 			cert.Spec = certmanagerv1.CertificateSpec{
-				CommonName:  "external-logical-cluster-admin",
-				SecretName:  name,
+				CommonName: "external-logical-cluster-admin",
+				SecretName: name,
+				SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
+					Labels: map[string]string{
+						resources.RootShardLabel: rootShard.Name,
+					},
+				},
 				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
 				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
 
@@ -242,8 +259,13 @@ func OperatorClientCertificateReconciler(rootShard *operatorv1alpha1.RootShard)
 		return name, func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
 			cert.SetLabels(resources.GetRootShardResourceLabels(rootShard))
 			cert.Spec = certmanagerv1.CertificateSpec{
-				CommonName:  resources.OperatorUsername,
-				SecretName:  name,
+				CommonName: resources.OperatorUsername,
+				SecretName: name,
+				SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
+					Labels: map[string]string{
+						resources.RootShardLabel: rootShard.Name,
+					},
+				},
 				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
 				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
 

internal/resources/rootshard/deployment.go

@@ -147,13 +147,10 @@ func DeploymentReconciler(rootShard *operatorv1alpha1.RootShard) reconciling.Nam
 				Args:         args,
 				VolumeMounts: volumeMounts,
 				Resources:    defaultResourceRequirements,
-				SecurityContext: &corev1.SecurityContext{
-					ReadOnlyRootFilesystem:   ptr.To(true),
-					AllowPrivilegeEscalation: ptr.To(false),
-				},
 			}}
 			dep.Spec.Template.Spec.Volumes = volumes
 
+			dep = utils.ApplyCommonShardDeploymentProperties(dep)
 			dep = utils.ApplyCommonShardConfig(dep, &rootShard.Spec.CommonShardSpec)
 			dep = utils.ApplyDeploymentTemplate(dep, rootShard.Spec.DeploymentTemplate)
 			dep = utils.ApplyAuthConfiguration(dep, rootShard.Spec.Auth)

internal/resources/shard/certificates.go

@@ -38,7 +38,14 @@ func ServerCertificateReconciler(shard *operatorv1alpha1.Shard, rootShard *opera
 		return name, func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
 			cert.SetLabels(resources.GetShardResourceLabels(shard))
 			cert.Spec = certmanagerv1.CertificateSpec{
-				SecretName:  name,
+				SecretName: name,
+				SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
+					Labels: map[string]string{
+						resources.RootShardLabel: rootShard.Name,
+						resources.ShardLabel:     shard.Name,
+					},
+				},
+
 				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
 				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
 
@@ -49,6 +56,8 @@ func ServerCertificateReconciler(shard *operatorv1alpha1.Shard, rootShard *opera
 
 				Usages: []certmanagerv1.KeyUsage{
 					certmanagerv1.UsageServerAuth,
+					certmanagerv1.UsageKeyEncipherment,
+					certmanagerv1.UsageDigitalSignature,
 				},
 
 				DNSNames: []string{
@@ -78,7 +87,14 @@ func VirtualWorkspacesCertificateReconciler(shard *operatorv1alpha1.Shard, rootS
 		return name, func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
 			cert.SetLabels(resources.GetShardResourceLabels(shard))
 			cert.Spec = certmanagerv1.CertificateSpec{
-				SecretName:  name,
+				SecretName: name,
+				SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
+					Labels: map[string]string{
+						resources.RootShardLabel: rootShard.Name,
+						resources.ShardLabel:     shard.Name,
+					},
+				},
+
 				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
 				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
 
@@ -117,11 +133,23 @@ func ServiceAccountCertificateReconciler(shard *operatorv1alpha1.Shard, rootShar
 		return name, func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
 			cert.SetLabels(resources.GetShardResourceLabels(shard))
 			cert.Spec = certmanagerv1.CertificateSpec{
+				SecretName: name,
+				SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
+					Labels: map[string]string{
+						resources.RootShardLabel: rootShard.Name,
+						resources.ShardLabel:     shard.Name,
+					},
+				},
+
 				CommonName:  name,
-				SecretName:  name,
 				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
 				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
 
+				Usages: []certmanagerv1.KeyUsage{
+					certmanagerv1.UsageDigitalSignature,
+					certmanagerv1.UsageKeyEncipherment,
+				},
+
 				PrivateKey: &certmanagerv1.CertificatePrivateKey{
 					Algorithm: certmanagerv1.RSAKeyAlgorithm,
 					Size:      4096,
@@ -149,8 +177,15 @@ func RootShardClientCertificateReconciler(shard *operatorv1alpha1.Shard, rootSha
 		return name, func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
 			cert.SetLabels(resources.GetShardResourceLabels(shard))
 			cert.Spec = certmanagerv1.CertificateSpec{
+				SecretName: name,
+				SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
+					Labels: map[string]string{
+						resources.RootShardLabel: rootShard.Name,
+						resources.ShardLabel:     shard.Name,
+					},
+				},
+
 				CommonName:  fmt.Sprintf("shard-%s", shard.Name),
-				SecretName:  name,
 				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
 				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
 
@@ -189,8 +224,15 @@ func LogicalClusterAdminCertificateReconciler(shard *operatorv1alpha1.Shard, roo
 		return name, func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
 			cert.SetLabels(resources.GetShardResourceLabels(shard))
 			cert.Spec = certmanagerv1.CertificateSpec{
+				SecretName: name,
+				SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
+					Labels: map[string]string{
+						resources.RootShardLabel: rootShard.Name,
+						resources.ShardLabel:     shard.Name,
+					},
+				},
+
 				CommonName:  fmt.Sprintf("logical-cluster-admin-shard-%s", shard.Name),
-				SecretName:  name,
 				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
 				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
 
@@ -229,8 +271,15 @@ func ExternalLogicalClusterAdminCertificateReconciler(shard *operatorv1alpha1.Sh
 		return name, func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
 			cert.SetLabels(resources.GetShardResourceLabels(shard))
 			cert.Spec = certmanagerv1.CertificateSpec{
+				SecretName: name,
+				SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
+					Labels: map[string]string{
+						resources.RootShardLabel: rootShard.Name,
+						resources.ShardLabel:     shard.Name,
+					},
+				},
+
 				CommonName:  fmt.Sprintf("external-logical-cluster-admin-shard-%s", shard.Name),
-				SecretName:  name,
 				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
 				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
 

internal/resources/shard/deployment.go

@@ -149,13 +149,10 @@ func DeploymentReconciler(shard *operatorv1alpha1.Shard, rootShard *operatorv1al
 				Args:         args,
 				VolumeMounts: volumeMounts,
 				Resources:    defaultResourceRequirements,
-				SecurityContext: &corev1.SecurityContext{
-					ReadOnlyRootFilesystem:   ptr.To(true),
-					AllowPrivilegeEscalation: ptr.To(false),
-				},
 			}}
 			dep.Spec.Template.Spec.Volumes = volumes
 
+			dep = utils.ApplyCommonShardDeploymentProperties(dep)
 			dep = utils.ApplyCommonShardConfig(dep, &shard.Spec.CommonShardSpec)
 			dep = utils.ApplyDeploymentTemplate(dep, shard.Spec.DeploymentTemplate)
 			dep = utils.ApplyAuthConfiguration(dep, shard.Spec.Auth)

internal/resources/utils/secrets.go

@@ -39,6 +39,7 @@ func (sm SecretMount) Build() (corev1.Volume, corev1.VolumeMount) {
 	volumeMount := corev1.VolumeMount{
 		Name:      sm.VolumeName,
 		MountPath: sm.MountPath,
+		ReadOnly:  true,
 	}
 
 	return volume, volumeMount