From f8eadba3db152fa3af78e428b244e859f27f2a54 Mon Sep 17 00:00:00 2001 From: Mikalai Radchuk Date: Tue, 8 Oct 2024 16:46:21 +0200 Subject: [PATCH] UPSTREAM: : Add global-pull-secret flag Pass global-pull-secret to the manager container. 
Signed-off-by: Mikalai Radchuk --- openshift/generate-manifests.sh | 25 ++++++++++++++++- .../overlays/openshift/kustomization.yaml | 28 ++----------------- .../openshift/olmv1-ns/kustomization.yaml | 27 ++++++++++++++++++ .../patches/manager_deployment_ca.yaml | 0 .../manager_deployment_log_verbosity.yaml | 0 ...nager_deployment_mount_etc_containers.yaml | 0 .../patches/manager_namespace_privileged.yaml | 0 .../{ => olmv1-ns}/patches/manager_role.yaml | 0 .../resources/ca_configmap.yaml | 0 .../openshift-config/kustomization.yaml | 6 ++++ .../operator-controller_manager_role.yaml | 17 +++++++++++ ...rator-controller_manager_role_binding.yaml | 15 ++++++++++ ...onfig-operator-controller-manager-role.yml | 18 ++++++++++++ ...rator-controller-leader-election-role.yml} | 0 ...ller-operator-controller-manager-role.yml} | 0 ...ntroller-clusterextension-editor-role.yml} | 0 ...ntroller-clusterextension-viewer-role.yml} | 0 ...ator-controller-extension-editor-role.yml} | 0 ...ator-controller-extension-viewer-role.yml} | 0 ...role-operator-controller-manager-role.yml} | 0 ...le-operator-controller-metrics-reader.yml} | 0 ...errole-operator-controller-proxy-role.yml} | 0 ...perator-controller-manager-rolebinding.yml | 17 +++++++++++ ...ontroller-leader-election-rolebinding.yml} | 0 ...erator-controller-manager-rolebinding.yml} | 0 ...erator-controller-manager-rolebinding.yml} | 0 ...operator-controller-proxy-rolebinding.yml} | 0 ...ller-operator-controller-openshift-ca.yml} | 0 ...er-controller-manager-metrics-service.yml} | 0 ...perator-controller-controller-manager.yml} | 1 + 30 files changed, 127 insertions(+), 27 deletions(-) create mode 100644 openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml rename openshift/kustomize/overlays/openshift/{ => olmv1-ns}/patches/manager_deployment_ca.yaml (100%) rename openshift/kustomize/overlays/openshift/{ => olmv1-ns}/patches/manager_deployment_log_verbosity.yaml (100%) rename openshift/kustomize/overlays/openshift/{ 
=> olmv1-ns}/patches/manager_deployment_mount_etc_containers.yaml (100%) rename openshift/kustomize/overlays/openshift/{ => olmv1-ns}/patches/manager_namespace_privileged.yaml (100%) rename openshift/kustomize/overlays/openshift/{ => olmv1-ns}/patches/manager_role.yaml (100%) rename openshift/kustomize/overlays/openshift/{ => olmv1-ns}/resources/ca_configmap.yaml (100%) create mode 100644 openshift/kustomize/overlays/openshift/openshift-config/kustomization.yaml create mode 100644 openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role.yaml create mode 100644 openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role_binding.yaml create mode 100644 openshift/manifests/03-role-openshift-config-operator-controller-manager-role.yml rename openshift/manifests/{03-role-openshift-operator-controller-operator-controller-leader-election-role.yml => 04-role-openshift-operator-controller-operator-controller-leader-election-role.yml} (100%) rename openshift/manifests/{04-role-openshift-operator-controller-operator-controller-manager-role.yml => 05-role-openshift-operator-controller-operator-controller-manager-role.yml} (100%) rename openshift/manifests/{05-clusterrole-operator-controller-clusterextension-editor-role.yml => 06-clusterrole-operator-controller-clusterextension-editor-role.yml} (100%) rename openshift/manifests/{06-clusterrole-operator-controller-clusterextension-viewer-role.yml => 07-clusterrole-operator-controller-clusterextension-viewer-role.yml} (100%) rename openshift/manifests/{07-clusterrole-operator-controller-extension-editor-role.yml => 08-clusterrole-operator-controller-extension-editor-role.yml} (100%) rename openshift/manifests/{08-clusterrole-operator-controller-extension-viewer-role.yml => 09-clusterrole-operator-controller-extension-viewer-role.yml} (100%) rename openshift/manifests/{09-clusterrole-operator-controller-manager-role.yml => 
10-clusterrole-operator-controller-manager-role.yml} (100%) rename openshift/manifests/{10-clusterrole-operator-controller-metrics-reader.yml => 11-clusterrole-operator-controller-metrics-reader.yml} (100%) rename openshift/manifests/{11-clusterrole-operator-controller-proxy-role.yml => 12-clusterrole-operator-controller-proxy-role.yml} (100%) create mode 100644 openshift/manifests/13-rolebinding-openshift-config-operator-controller-manager-rolebinding.yml rename openshift/manifests/{12-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml => 14-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml} (100%) rename openshift/manifests/{13-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml => 15-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml} (100%) rename openshift/manifests/{14-clusterrolebinding-operator-controller-manager-rolebinding.yml => 16-clusterrolebinding-operator-controller-manager-rolebinding.yml} (100%) rename openshift/manifests/{15-clusterrolebinding-operator-controller-proxy-rolebinding.yml => 17-clusterrolebinding-operator-controller-proxy-rolebinding.yml} (100%) rename openshift/manifests/{16-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml => 18-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml} (100%) rename openshift/manifests/{17-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml => 19-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml} (100%) rename openshift/manifests/{18-deployment-openshift-operator-controller-operator-controller-controller-manager.yml => 20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml} (98%) 
diff --git a/openshift/generate-manifests.sh b/openshift/generate-manifests.sh index 0649a419a..e33b9a2a6 100755 --- a/openshift/generate-manifests.sh +++ b/openshift/generate-manifests.sh @@ -20,6 +20,19 @@ IMAGE_MAPPINGS[kube-rbac-proxy]='${KUBE_RBAC_PROXY_IMAGE}' # shellcheck disable=SC2016 IMAGE_MAPPINGS[manager]='${OPERATOR_CONTROLLER_IMAGE}' +# This is a mapping of catalogd flag names to values. For example, given a deployment with a container +# named "manager" and arguments: +# args: +# - --flagname=one +# and an entry to the FLAG_MAPPINGS of FLAG_MAPPINGS[flagname]='two', the argument will be updated to: +# args: +# - --flagname=two +# +# If the flag doesn't already exist - it will be appended to the list. +declare -A FLAG_MAPPINGS +# shellcheck disable=SC2016 +FLAG_MAPPINGS[global-pull-secret]="openshift-config/pull-secret" + ################################################## # You shouldn't need to change anything below here ################################################## 
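Review bot: The comment introducing `FLAG_MAPPINGS` in the first hunk of `generate-manifests.sh` calls it a mapping of "catalogd flag names", but the container this script patches is `manager`, whose image is `${OPERATOR_CONTROLLER_IMAGE}`. The wording looks copied from the catalogd repository; something like `# This is a mapping of operator-controller manager flag names to values.` would match the file. The `# shellcheck disable=SC2016` directly above the assignment is not needed, because the value is a double-quoted literal with no `$` in it. The value appears to be a `namespace/name` reference to a Secret, so the comment could say that and note that the RBAC allowing the manager to read it must be kept in step.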
@@ -60,6 +73,17 @@ for container_name in "${!IMAGE_MAPPINGS[@]}"; do $YQ -i 'select(.kind == "Namespace").metadata.annotations += {"workload.openshift.io/allowed": "management"}' "$TMP_KUSTOMIZE_OUTPUT" done +# Loop through any flag updates that need to be made to the manager container +for flag_name in "${!FLAG_MAPPINGS[@]}"; do + flagval="${FLAG_MAPPINGS[$flag_name]}" + + # First, update the flag if it exists + $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args[] | select(. | contains(\"--$flag_name=\")) | .) = \"--$flag_name=$flagval\"" "$TMP_KUSTOMIZE_OUTPUT" + + # Then, append the flag if it doesn't exist + $YQ -i "(select(.kind == \"Deployment\") | .spec.template.spec.containers[] | select(.name == \"manager\") | .args) |= (select(.[] | contains(\"--$flag_name=\")) | .) // . + [\"--$flag_name=$flagval\"]" "$TMP_KUSTOMIZE_OUTPUT" +done + # Use yq to split the single yaml file into 1 per document. # Naming convention: $index-$kind-$namespace-$name. If $namespace is empty, just use the empty string. ( @@ -103,4 +127,3 @@ cp "$TMP_MANIFEST_DIR"/* "$MANIFEST_DIR"/ fi done ) - diff --git a/openshift/kustomize/overlays/openshift/kustomization.yaml b/openshift/kustomize/overlays/openshift/kustomization.yaml index d2d9dc3a0..d263908b3 100644 --- a/openshift/kustomize/overlays/openshift/kustomization.yaml +++ b/openshift/kustomize/overlays/openshift/kustomization.yaml 
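Review bot: Both yq expressions in the new `for flag_name` loop find an existing argument with `contains(\"--$flag_name=\")`, which is a substring test rather than a prefix test. An argument of another flag whose text merely includes `--global-pull-secret=` would be overwritten by the first command and would suppress the append in the second. Anchoring the match, for example `select(test(\"^--$flag_name=\"))`, limits it to the intended flag. The name and value are also spliced into the yq program text by the shell. They are hard-coded today, but passing them through the environment and reading them with `strenv()` would stop a future value containing a quote from changing the expression. If no container named `manager` is found, the expressions look likely to leave the manifest unchanged without an error, so a check after the loop that the flag is present in the output would catch a silently unconfigured pull secret.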
@@ -1,29 +1,5 @@ -# Adds namespace to all resources. -namespace: OPENSHIFT-NAMESPACE - namePrefix: operator-controller- resources: - - resources/ca_configmap.yaml - - ../../../../config/base/crd - - ../../../../config/base/rbac - - ../../../../config/base/manager - -patches: - - target: - kind: ClusterRole - name: manager-role - path: patches/manager_role.yaml - - target: - kind: Deployment - name: controller-manager - path: patches/manager_deployment_ca.yaml - - target: - kind: Deployment - name: controller-manager - path: patches/manager_deployment_mount_etc_containers.yaml - - target: - kind: Deployment - name: controller-manager - path: patches/manager_deployment_log_verbosity.yaml - - path: patches/manager_namespace_privileged.yaml + - olmv1-ns + - openshift-config diff --git a/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml new file mode 100644 index 000000000..483799cc4 --- /dev/null +++ b/openshift/kustomize/overlays/openshift/olmv1-ns/kustomization.yaml @@ -0,0 +1,27 @@ +# Adds namespace to all resources. +namespace: OPENSHIFT-NAMESPACE + +resources: + - resources/ca_configmap.yaml + - ../../../../../config/base/crd + - ../../../../../config/base/rbac + - ../../../../../config/base/manager + +patches: + - target: + kind: ClusterRole + name: manager-role + path: patches/manager_role.yaml + - target: + kind: Deployment + name: controller-manager + path: patches/manager_deployment_ca.yaml + - target: + kind: Deployment + name: controller-manager + path: patches/manager_deployment_mount_etc_containers.yaml + - target: + kind: Deployment + name: controller-manager + path: patches/manager_deployment_log_verbosity.yaml + - path: patches/manager_namespace_privileged.yaml 
diff --git a/openshift/kustomize/overlays/openshift/patches/manager_deployment_ca.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_ca.yaml
similarity index 100%
rename from openshift/kustomize/overlays/openshift/patches/manager_deployment_ca.yaml
rename to openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_ca.yaml
diff --git a/openshift/kustomize/overlays/openshift/patches/manager_deployment_log_verbosity.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_log_verbosity.yaml
similarity index 100%
rename from openshift/kustomize/overlays/openshift/patches/manager_deployment_log_verbosity.yaml
rename to openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_log_verbosity.yaml
diff --git a/openshift/kustomize/overlays/openshift/patches/manager_deployment_mount_etc_containers.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_mount_etc_containers.yaml
similarity index 100%
rename from openshift/kustomize/overlays/openshift/patches/manager_deployment_mount_etc_containers.yaml
rename to openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_deployment_mount_etc_containers.yaml
diff --git a/openshift/kustomize/overlays/openshift/patches/manager_namespace_privileged.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml
similarity index 100%
rename from openshift/kustomize/overlays/openshift/patches/manager_namespace_privileged.yaml
rename to openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_namespace_privileged.yaml
diff --git a/openshift/kustomize/overlays/openshift/patches/manager_role.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml
similarity index 100%
rename from openshift/kustomize/overlays/openshift/patches/manager_role.yaml
rename to openshift/kustomize/overlays/openshift/olmv1-ns/patches/manager_role.yaml
diff --git a/openshift/kustomize/overlays/openshift/resources/ca_configmap.yaml b/openshift/kustomize/overlays/openshift/olmv1-ns/resources/ca_configmap.yaml
similarity index 100%
rename from openshift/kustomize/overlays/openshift/resources/ca_configmap.yaml
rename to openshift/kustomize/overlays/openshift/olmv1-ns/resources/ca_configmap.yaml
diff --git a/openshift/kustomize/overlays/openshift/openshift-config/kustomization.yaml b/openshift/kustomize/overlays/openshift/openshift-config/kustomization.yaml
new file mode 100644
index 000000000..34440c434
--- /dev/null
+++ b/openshift/kustomize/overlays/openshift/openshift-config/kustomization.yaml
@@ -0,0 +1,6 @@
+# Adds namespace to all resources.
+namespace: openshift-config
+
+resources:
+- rbac/operator-controller_manager_role.yaml
+- rbac/operator-controller_manager_role_binding.yaml
diff --git a/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role.yaml b/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role.yaml
new file mode 100644
index 000000000..0fcd8cf39
--- /dev/null
+++ b/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role.yaml
@@ -0,0 +1,17 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
+ name: manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role_binding.yaml b/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role_binding.yaml
new file mode 100644
index 000000000..74d61a43e
--- /dev/null
+++ b/openshift/kustomize/overlays/openshift/openshift-config/rbac/operator-controller_manager_role_binding.yaml
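Review bot: The new Role in `openshift-config/rbac/operator-controller_manager_role.yaml` grants `get`, `list` and `watch` on every Secret in the `openshift-config` namespace, while the flag this commit adds names a single Secret, `openshift-config/pull-secret`. If the manager's client can work with it, adding `resourceNames: [pull-secret]` to the rule would narrow the grant to that one object. Note that `list` and `watch` are only authorized under `resourceNames` when the request carries a `metadata.name` field selector, so this needs checking against how the manager caches Secrets. The header comment `# permissions to do leader election.` does not describe this rule and could read `# permissions to read the global pull secret.`; the `app.kubernetes.io/name: catalogd` label also looks copied from catalogd. The generated `openshift/manifests/03-role-openshift-config-operator-controller-manager-role.yml` carries the same rule and would change on regeneration.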
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/part-of: olm
+ app.kubernetes.io/name: catalogd
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: OPENSHIFT-NAMESPACE
diff --git a/openshift/manifests/03-role-openshift-config-operator-controller-manager-role.yml b/openshift/manifests/03-role-openshift-config-operator-controller-manager-role.yml
new file mode 100644
index 000000000..d74a44986
--- /dev/null
+++ b/openshift/manifests/03-role-openshift-config-operator-controller-manager-role.yml
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: operator-controller-manager-role
+ namespace: openshift-config
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/openshift/manifests/03-role-openshift-operator-controller-operator-controller-leader-election-role.yml b/openshift/manifests/04-role-openshift-operator-controller-operator-controller-leader-election-role.yml
similarity index 100%
rename from openshift/manifests/03-role-openshift-operator-controller-operator-controller-leader-election-role.yml
rename to openshift/manifests/04-role-openshift-operator-controller-operator-controller-leader-election-role.yml
diff --git a/openshift/manifests/04-role-openshift-operator-controller-operator-controller-manager-role.yml b/openshift/manifests/05-role-openshift-operator-controller-operator-controller-manager-role.yml
similarity index 100%
rename from openshift/manifests/04-role-openshift-operator-controller-operator-controller-manager-role.yml
rename to openshift/manifests/05-role-openshift-operator-controller-operator-controller-manager-role.yml
diff --git a/openshift/manifests/05-clusterrole-operator-controller-clusterextension-editor-role.yml b/openshift/manifests/06-clusterrole-operator-controller-clusterextension-editor-role.yml
similarity index 100%
rename from openshift/manifests/05-clusterrole-operator-controller-clusterextension-editor-role.yml
rename to openshift/manifests/06-clusterrole-operator-controller-clusterextension-editor-role.yml
diff --git a/openshift/manifests/06-clusterrole-operator-controller-clusterextension-viewer-role.yml b/openshift/manifests/07-clusterrole-operator-controller-clusterextension-viewer-role.yml
similarity index 100%
rename from openshift/manifests/06-clusterrole-operator-controller-clusterextension-viewer-role.yml
rename to openshift/manifests/07-clusterrole-operator-controller-clusterextension-viewer-role.yml
diff --git a/openshift/manifests/07-clusterrole-operator-controller-extension-editor-role.yml b/openshift/manifests/08-clusterrole-operator-controller-extension-editor-role.yml
similarity index 100%
rename from openshift/manifests/07-clusterrole-operator-controller-extension-editor-role.yml
rename to openshift/manifests/08-clusterrole-operator-controller-extension-editor-role.yml
diff --git a/openshift/manifests/08-clusterrole-operator-controller-extension-viewer-role.yml b/openshift/manifests/09-clusterrole-operator-controller-extension-viewer-role.yml
similarity index 100%
rename from openshift/manifests/08-clusterrole-operator-controller-extension-viewer-role.yml
rename to openshift/manifests/09-clusterrole-operator-controller-extension-viewer-role.yml
diff --git a/openshift/manifests/09-clusterrole-operator-controller-manager-role.yml b/openshift/manifests/10-clusterrole-operator-controller-manager-role.yml
similarity index 100%
rename from openshift/manifests/09-clusterrole-operator-controller-manager-role.yml
rename to openshift/manifests/10-clusterrole-operator-controller-manager-role.yml
diff --git a/openshift/manifests/10-clusterrole-operator-controller-metrics-reader.yml b/openshift/manifests/11-clusterrole-operator-controller-metrics-reader.yml
similarity index 100%
rename from openshift/manifests/10-clusterrole-operator-controller-metrics-reader.yml
rename to openshift/manifests/11-clusterrole-operator-controller-metrics-reader.yml
diff --git a/openshift/manifests/11-clusterrole-operator-controller-proxy-role.yml b/openshift/manifests/12-clusterrole-operator-controller-proxy-role.yml
similarity index 100%
rename from openshift/manifests/11-clusterrole-operator-controller-proxy-role.yml
rename to openshift/manifests/12-clusterrole-operator-controller-proxy-role.yml
diff --git a/openshift/manifests/13-rolebinding-openshift-config-operator-controller-manager-rolebinding.yml b/openshift/manifests/13-rolebinding-openshift-config-operator-controller-manager-rolebinding.yml
new file mode 100644
index 000000000..5f5d6bd95
--- /dev/null
+++ b/openshift/manifests/13-rolebinding-openshift-config-operator-controller-manager-rolebinding.yml
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: catalogd
+ app.kubernetes.io/part-of: olm
+ name: operator-controller-manager-rolebinding
+ namespace: openshift-config
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: operator-controller-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: openshift-operator-controller
diff --git a/openshift/manifests/12-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml b/openshift/manifests/14-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml
similarity index 100%
rename from openshift/manifests/12-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml
rename to openshift/manifests/14-rolebinding-openshift-operator-controller-operator-controller-leader-election-rolebinding.yml
diff --git a/openshift/manifests/13-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml b/openshift/manifests/15-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml
similarity index 100%
rename from openshift/manifests/13-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml
rename to openshift/manifests/15-rolebinding-openshift-operator-controller-operator-controller-manager-rolebinding.yml
diff --git a/openshift/manifests/14-clusterrolebinding-operator-controller-manager-rolebinding.yml b/openshift/manifests/16-clusterrolebinding-operator-controller-manager-rolebinding.yml
similarity index 100%
rename from openshift/manifests/14-clusterrolebinding-operator-controller-manager-rolebinding.yml
rename to openshift/manifests/16-clusterrolebinding-operator-controller-manager-rolebinding.yml
diff --git a/openshift/manifests/15-clusterrolebinding-operator-controller-proxy-rolebinding.yml b/openshift/manifests/17-clusterrolebinding-operator-controller-proxy-rolebinding.yml
similarity index 100%
rename from openshift/manifests/15-clusterrolebinding-operator-controller-proxy-rolebinding.yml
rename to openshift/manifests/17-clusterrolebinding-operator-controller-proxy-rolebinding.yml
diff --git a/openshift/manifests/16-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml b/openshift/manifests/18-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml
similarity index 100%
rename from openshift/manifests/16-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml
rename to openshift/manifests/18-configmap-openshift-operator-controller-operator-controller-openshift-ca.yml
diff --git a/openshift/manifests/17-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml b/openshift/manifests/19-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml
similarity index 100%
rename from openshift/manifests/17-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml
rename to openshift/manifests/19-service-openshift-operator-controller-operator-controller-controller-manager-metrics-service.yml
diff --git a/openshift/manifests/18-deployment-openshift-operator-controller-operator-controller-controller-manager.yml b/openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
similarity index 98%
rename from openshift/manifests/18-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
rename to openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
index 78151d330..971ee61a7 100644
--- a/openshift/manifests/18-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
+++ b/openshift/manifests/20-deployment-openshift-operator-controller-operator-controller-controller-manager.yml
@@ -45,6 +45,7 @@ spec:
 - --leader-elect
 - --ca-certs-dir=/var/certs
 - --v=${LOG_VERBOSITY}
+ - --global-pull-secret=openshift-config/pull-secret
 command:
 - /manager
 image: ${OPERATOR_CONTROLLER_IMAGE}