diff --git a/.ci-operator.yaml b/.ci-operator.yaml index 1a05e6069..df7900c64 100644 --- a/.ci-operator.yaml +++ b/.ci-operator.yaml @@ -1,4 +1,4 @@ build_root_image: name: tools namespace: openstack-k8s-operators - tag: ci-build-root-golang-1.24-sdk-1.31 + tag: ci-build-root-golang-1.24-sdk-1.41.1 diff --git a/.github/workflows/build-openstack-operator.yaml b/.github/workflows/build-openstack-operator.yaml index 061c3aa46..f475e490d 100644 --- a/.github/workflows/build-openstack-operator.yaml +++ b/.github/workflows/build-openstack-operator.yaml @@ -16,7 +16,7 @@ jobs: with: operator_name: openstack go_version: 1.24.x - operator_sdk_version: 1.31.0 + operator_sdk_version: 1.41.1 bundle_dockerfile: ./bundle.Dockerfile operator_version: 0.5.0 secrets: diff --git a/.github/workflows/force-bump-pr-manual.yaml b/.github/workflows/force-bump-pr-manual.yaml index 9f7adc7b7..952633a07 100644 --- a/.github/workflows/force-bump-pr-manual.yaml +++ b/.github/workflows/force-bump-pr-manual.yaml @@ -9,6 +9,6 @@ jobs: with: operator_name: openstack branch_name: ${{ github.ref_name }} - custom_image: quay.io/openstack-k8s-operators/openstack-k8s-operators-ci-build-tools:golang-1.24-sdk-1.31 + custom_image: quay.io/openstack-k8s-operators/openstack-k8s-operators-ci-build-tools:golang-1.24-sdk-1.41.1 secrets: FORCE_BUMP_PULL_REQUEST_PAT: ${{ secrets.FORCE_BUMP_PULL_REQUEST_PAT }} diff --git a/.github/workflows/force-bump-pr-scheduled.yaml b/.github/workflows/force-bump-pr-scheduled.yaml index 4aab072a5..034971266 100644 --- a/.github/workflows/force-bump-pr-scheduled.yaml +++ b/.github/workflows/force-bump-pr-scheduled.yaml 
@@ -10,6 +10,6 @@ jobs: uses: openstack-k8s-operators/openstack-k8s-operators-ci/.github/workflows/force-bump-branches.yaml@main with: operator_name: openstack - custom_image: quay.io/openstack-k8s-operators/openstack-k8s-operators-ci-build-tools:golang-1.24-sdk-1.31 + custom_image: quay.io/openstack-k8s-operators/openstack-k8s-operators-ci-build-tools:golang-1.24-sdk-1.41.1 secrets: FORCE_BUMP_PULL_REQUEST_PAT: ${{ secrets.FORCE_BUMP_PULL_REQUEST_PAT }} diff --git a/Dockerfile b/Dockerfile index e486cd4f0..f6561bd5c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,7 +25,7 @@ RUN mkdir -p ${DEST_ROOT}/usr/local/bin/ RUN if [ ! -f $CACHITO_ENV_FILE ]; then go mod download ; fi # Build manager -RUN if [ -f $CACHITO_ENV_FILE ] ; then source $CACHITO_ENV_FILE ; fi ; env ${GO_BUILD_EXTRA_ENV_ARGS} go build ${GO_BUILD_EXTRA_ARGS} -a -o ${DEST_ROOT}/manager main.go +RUN if [ -f $CACHITO_ENV_FILE ] ; then source $CACHITO_ENV_FILE ; fi ; env ${GO_BUILD_EXTRA_ENV_ARGS} go build ${GO_BUILD_EXTRA_ARGS} -a -o ${DEST_ROOT}/manager cmd/main.go RUN if [ -f $CACHITO_ENV_FILE ] ; then source $CACHITO_ENV_FILE ; fi ; env ${GO_BUILD_EXTRA_ENV_ARGS} go build ${GO_BUILD_EXTRA_ARGS} -a -o ${DEST_ROOT}/operator cmd/operator/main.go RUN cp -r config/services ${DEST_ROOT}/services diff --git a/Makefile b/Makefile index 81a363252..69e631166 100644 --- a/Makefile +++ b/Makefile @@ -50,7 +50,7 @@ endif # Set the Operator SDK version to use. By default, what is installed on the system is used. # This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit. -OPERATOR_SDK_VERSION ?= v1.31.0 +OPERATOR_SDK_VERSION ?= v1.41.1 # Image URL to use all building/pushing image targets DEFAULT_IMG ?= quay.io/openstack-k8s-operators/openstack-operator:latest 
@@ -139,9 +139,9 @@ help: ## Display this help. manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. mkdir -p config/operator/rbac && \ $(CONTROLLER_GEN) crd$(CRDDESC_OVERRIDE) output:crd:artifacts:config=config/crd/bases webhook paths="./..." && \ - $(CONTROLLER_GEN) rbac:roleName=manager-role paths="{./apis/client/...,./apis/core/...,./apis/dataplane/...,./controllers/client/...,./controllers/core/...,./controllers/dataplane/...,./pkg/...}" output:dir=config/rbac && \ - $(CONTROLLER_GEN) rbac:roleName=operator-role paths="./controllers/operator/..." paths="./apis/operator/..." output:dir=config/operator/rbac && \ - rm -f apis/bases/* && cp -a config/crd/bases apis/ + $(CONTROLLER_GEN) rbac:roleName=manager-role paths="{./api/client/...,./api/core/...,./api/dataplane/...,./internal/controller/client/...,./internal/controller/core/...,./internal/controller/dataplane/...,./internal/...}" output:dir=config/rbac && \ + $(CONTROLLER_GEN) rbac:roleName=operator-role paths="./internal/controller/operator/..." paths="./api/operator/..." output:dir=config/operator/rbac && \ + rm -f api/bases/* && cp -a config/crd/bases api/ .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. @@ -171,7 +171,7 @@ fmt: ## Run go fmt against code. .PHONY: vet vet: gowork ## Run go vet against code. go vet ./... - go vet ./apis/... + go vet ./api/... BRANCH ?= main .PHONY: force-bump 
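Review bot: The manager-role path set now ends with `./internal/...`, which subsumes every `./internal/controller/*` entry listed before it and also `./internal/controller/operator/...`, the very package the next line feeds into the separate `operator-role`; the old list used `./pkg/...`, which did not overlap `./controllers/operator/...`. If the operator controller carries any `+kubebuilder:rbac` markers they are now aggregated into config/rbac/role.yaml as well, widening the manager's ClusterRole beyond what it needs — that cannot be confirmed from this hunk, so the regenerated role.yaml should be diffed against the previous one before merging. controller-gen path globs cannot exclude a subtree, so the fix is to name the non-controller packages explicitly in place of `./internal/...` (whatever `./pkg/...` became), keeping the two roles disjoint by construction.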
@@ -179,14 +179,14 @@ force-bump: ## Force bump after tagging for dep in $$(cat go.mod | grep openstack-k8s-operators | grep -vE -- 'indirect|openstack-operator|^replace' | awk '{print $$1}'); do \ go get $$dep@$(BRANCH) ; \ done - for dep in $$(cat apis/go.mod | grep openstack-k8s-operators | grep -vE -- 'indirect|openstack-operator|^replace' | awk '{print $$1}'); do \ - cd ./apis && go get $$dep@$(BRANCH) && cd .. ; \ + for dep in $$(cat api/go.mod | grep openstack-k8s-operators | grep -vE -- 'indirect|openstack-operator|^replace' | awk '{print $$1}'); do \ + cd ./api && go get $$dep@$(BRANCH) && cd .. ; \ done .PHONY: tidy tidy: ## Run go mod tidy on every mod file in the repo go mod tidy - cd ./apis && go mod tidy + cd ./api && go mod tidy GOLANGCI_LINT_VERSION ?= v2.4.0 .PHONY: golangci-lint @@ -207,7 +207,7 @@ ginkgo-run: ## Run ginkgo. source hack/export_related_images.sh && \ KUBEBUILDER_ASSETS="$(shell $(ENVTEST) -v debug --bin-dir $(LOCALBIN) use $(ENVTEST_K8S_VERSION) -p path)" \ OPERATOR_TEMPLATES="$(PWD)/templates" \ - $(GINKGO) --trace --cover --coverpkg=./pkg/...,./controllers/...,./apis/... --coverprofile cover.out --covermode=atomic ${PROC_CMD} $(GINKGO_ARGS) $(GINKGO_TESTS) + $(GINKGO) --trace --cover --coverpkg=./internal/...,./api/... --coverprofile cover.out --covermode=atomic ${PROC_CMD} $(GINKGO_ARGS) $(GINKGO_TESTS) .PHONY: test-all test-all: test golint golangci golangci-lint ## Run all tests. @@ -220,7 +220,7 @@ cover: test ## Run tests and display functional test coverage .PHONY: build build: generate fmt vet ## Build manager binary. - go build -o bin/manager main.go + go build -o bin/manager cmd/main.go go build -o bin/operator cmd/operator/main.go .PHONY: run 
@@ -231,7 +231,7 @@ run: export ENABLE_WEBHOOKS?=false run: manifests generate fmt vet ## Run a controller from your host. /bin/bash hack/clean_local_webhook.sh source hack/export_related_images.sh && \ - go run ./main.go -metrics-bind-address ":$(METRICS_PORT)" -health-probe-bind-address ":$(HEALTH_PORT)" -pprof-bind-address ":$(PPROF_PORT)" + go run ./cmd/main.go -metrics-bind-address ":$(METRICS_PORT)" -health-probe-bind-address ":$(HEALTH_PORT)" -pprof-bind-address ":$(PPROF_PORT)" .PHONY: run-operator run-operator: export METRICS_PORT?=8080 @@ -270,6 +270,12 @@ docker-buildx: ## Build and push docker image for the manager for cross-platfor - docker buildx rm project-v3-builder rm Dockerfile.cross +.PHONY: build-installer +build-installer: manifests generate kustomize ## Generate a consolidated YAML with CRDs and deployment. + mkdir -p dist + cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} + $(KUSTOMIZE) build config/default > dist/install.yaml + ##@ Deployment ifndef ignore-not-found @@ -306,12 +312,12 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ENVTEST ?= $(LOCALBIN)/setup-envtest CRD_MARKDOWN ?= $(LOCALBIN)/crd-to-markdown GINKGO ?= $(LOCALBIN)/ginkgo -GINKGO_TESTS ?= ./tests/... ./apis/client/... ./apis/core/... ./apis/dataplane/... ./pkg/... +GINKGO_TESTS ?= ./test/... ./api/client/... ./api/core/... ./api/dataplane/... ./internal/... KUTTL ?= $(LOCALBIN)/kubectl-kuttl ## Tool Versions -KUSTOMIZE_VERSION ?= v5.5.0 #(dprince: bumped to aquire new features like --load-restrictor) +KUSTOMIZE_VERSION ?= v5.6.0 #(dprince: bumped to aquire new features like --load-restrictor) CONTROLLER_TOOLS_VERSION ?= v0.18.0 CRD_MARKDOWN_VERSION ?= v0.0.3 KUTTL_VERSION ?= 0.17.0 
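Review bot: The new `build-installer` target runs `$(KUSTOMIZE) edit set image controller=${IMG}`, which rewrites config/manager/kustomization.yaml in the source tree, so every invocation leaves a checked-in file modified, and the image it bakes into dist/install.yaml is whatever IMG resolves to — if that follows `DEFAULT_IMG`, which this Makefile sets to a `:latest` tag, the consolidated installer ships an unpinned, mutable image reference to whoever applies it. The `bundle` target already performs the same edit, so this is consistent with the file, but install.yaml is the artifact users apply without inspecting. Consider writing `$(IMG)` for consistency with the rest of the Makefile and adding, above the target, `# NOTE: rewrites config/manager/kustomization.yaml in place; pass IMG=<registry>/<image>@sha256:<digest> when producing release artifacts` so both the side effect and the pinning expectation are visible to the next person who runs it.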
@@ -351,7 +357,7 @@ $(GINKGO): $(LOCALBIN) .PHONY: kuttl-test kuttl-test: ## Run kuttl tests - $(LOCALBIN)/kubectl-kuttl test --config kuttl-test.yaml tests/kuttl/tests $(KUTTL_ARGS) + $(LOCALBIN)/kubectl-kuttl test --config kuttl-test.yaml test/kuttl/tests $(KUTTL_ARGS) .PHONY: kuttl kuttl: $(KUTTL) ## Download kubectl-kuttl locally if necessary. @@ -380,8 +386,8 @@ endif bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files. $(OPERATOR_SDK) generate kustomize manifests -q cd config/operator/deployment/ && $(KUSTOMIZE) edit set image controller=$(IMG) && \ - $(KUSTOMIZE) edit add patch --kind Deployment --name openstack-operator-controller-operator --namespace system --patch "[{\"op\": \"replace\", \"path\": \"/spec/template/spec/containers/1/env/0\", \"value\": {\"name\": \"OPENSTACK_RELEASE_VERSION\", \"value\": \"$(OPENSTACK_RELEASE_VERSION)\"}}]" && \ - $(KUSTOMIZE) edit add patch --kind Deployment --name openstack-operator-controller-operator --namespace system --patch "[{\"op\": \"replace\", \"path\": \"/spec/template/spec/containers/1/env/1\", \"value\": {\"name\": \"OPERATOR_IMAGE_URL\", \"value\": \"$(IMG)\"}}]" + $(KUSTOMIZE) edit add patch --kind Deployment --name openstack-operator-controller-operator --namespace system --patch "[{\"op\": \"replace\", \"path\": \"/spec/template/spec/containers/0/env/0\", \"value\": {\"name\": \"OPENSTACK_RELEASE_VERSION\", \"value\": \"$(OPENSTACK_RELEASE_VERSION)\"}}]" && \ + $(KUSTOMIZE) edit add patch --kind Deployment --name openstack-operator-controller-operator --namespace system --patch "[{\"op\": \"replace\", \"path\": \"/spec/template/spec/containers/0/env/1\", \"value\": {\"name\": \"OPERATOR_IMAGE_URL\", \"value\": \"$(IMG)\"}}]" $(KUSTOMIZE) build config/operator --load-restrictor='LoadRestrictionsNone' | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) $(OPERATOR_SDK) bundle validate ./bundle 
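Review bot: Both `replace` patches still address their target by position — `/spec/template/spec/containers/0/env/0` and `/env/1` — and this commit had to hand-edit the container index from 1 to 0 to follow a change in the pod template, which is exactly the fragility: a JSON-patch `replace` against an index that exists but now holds a different variable silently overwrites that variable instead of failing, so OPENSTACK_RELEASE_VERSION or OPERATOR_IMAGE_URL could clobber an unrelated env entry after the next scaffold change without any error from `make bundle`. A strategic-merge patch keyed on the container `name` and the env var `name` is order-independent: a single `$(KUSTOMIZE) edit add patch ... --patch` carrying `{"spec":{"template":{"spec":{"containers":[{"name":"<manager container>","env":[{"name":"OPENSTACK_RELEASE_VERSION","value":"$(OPENSTACK_RELEASE_VERSION)"},{"name":"OPERATOR_IMAGE_URL","value":"$(IMG)"}]}]}}}}` replaces both positional patches. The container name is not visible in this hunk and has to be taken from config/operator/deployment.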
@@ -468,12 +474,12 @@ get-ci-tools: # Run go fmt against code gofmt: get-ci-tools GOWORK=off $(CI_TOOLS_REPO_DIR)/test-runner/gofmt.sh - GOWORK=off $(CI_TOOLS_REPO_DIR)/test-runner/gofmt.sh ./apis + GOWORK=off $(CI_TOOLS_REPO_DIR)/test-runner/gofmt.sh ./api # Run go vet against code govet: get-ci-tools GOWORK=off $(CI_TOOLS_REPO_DIR)/test-runner/govet.sh - GOWORK=off $(CI_TOOLS_REPO_DIR)/test-runner/govet.sh ./apis + GOWORK=off $(CI_TOOLS_REPO_DIR)/test-runner/govet.sh ./api # Run go test against code gotest: test @@ -481,24 +487,24 @@ gotest: test # Run golangci-lint test against code golangci: get-ci-tools GOWORK=off $(CI_TOOLS_REPO_DIR)/test-runner/golangci.sh - GOWORK=off $(CI_TOOLS_REPO_DIR)/test-runner/golangci.sh ./apis + GOWORK=off $(CI_TOOLS_REPO_DIR)/test-runner/golangci.sh ./api # Run go lint against code golint: get-ci-tools GOWORK=off PATH=$(GOBIN):$(PATH); $(CI_TOOLS_REPO_DIR)/test-runner/golint.sh - GOWORK=off PATH=$(GOBIN):$(PATH); $(CI_TOOLS_REPO_DIR)/test-runner/golint.sh ./apis + GOWORK=off PATH=$(GOBIN):$(PATH); $(CI_TOOLS_REPO_DIR)/test-runner/golint.sh ./api .PHONY: gowork gowork: ## Generate go.work file to support our multi module repository test -f go.work || GOTOOLCHAIN=$(GOTOOLCHAIN_VERSION) go work init go work use . - go work use ./apis + go work use ./api go work sync .PHONY: operator-lint operator-lint: gowork ## Runs operator-lint GOBIN=$(LOCALBIN) go install github.com/gibizer/operator-lint@v0.3.0 - go vet -vettool=$(LOCALBIN)/operator-lint ./... ./apis/... + go vet -vettool=$(LOCALBIN)/operator-lint ./... ./api/... # Used for webhook testing # The configure_local_webhook.sh script below will remove any OLM webhooks diff --git a/PROJECT b/PROJECT index 3a611a529..1f2ad9ab4 100644 --- a/PROJECT +++ b/PROJECT 
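Review bot: The `;` after the assignments on the golint recipe lines, including the new `GOWORK=off PATH=$(GOBIN):$(PATH); $(CI_TOOLS_REPO_DIR)/test-runner/golint.sh ./api`, turns them into plain shell-variable assignments rather than a per-command environment, so `GOWORK=off` is never exported to golint.sh; PATH only takes effect because it is already an exported variable in the environment. The gofmt, govet and golangci lines in the same file use the prefix form correctly, so golint is presumably the one lint step still running with the workspace file active for the `./api` module. Change the new line to `GOWORK=off PATH=$(GOBIN):$(PATH) $(CI_TOOLS_REPO_DIR)/test-runner/golint.sh ./api` and fix the sibling line above it the same way.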
@@ -4,7 +4,7 @@ # More info: https://book.kubebuilder.io/reference/project-config.html domain: openstack.org layout: -- go.kubebuilder.io/v3 +- go.kubebuilder.io/v4 multigroup: true plugins: manifests.sdk.operatorframework.io/v2: {} @@ -19,9 +19,10 @@ resources: domain: openstack.org group: core kind: OpenStackControlPlane - path: github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1 + path: github.com/openstack-k8s-operators/openstack-operator/api/core/v1beta1 version: v1beta1 webhooks: + defaulting: true validation: true webhookVersion: v1 - api: @@ -31,8 +32,12 @@ resources: domain: openstack.org group: client kind: OpenStackClient - path: github.com/openstack-k8s-operators/openstack-operator/apis/client/v1beta1 + path: github.com/openstack-k8s-operators/openstack-operator/api/client/v1beta1 version: v1beta1 + webhooks: + defaulting: true + validation: true + webhookVersion: v1 - api: crdVersion: v1 namespaced: true @@ -40,7 +45,7 @@ resources: domain: openstack.org group: core kind: OpenStackVersion - path: github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1 + path: github.com/openstack-k8s-operators/openstack-operator/api/core/v1beta1 version: v1beta1 webhooks: defaulting: true @@ -53,7 +58,7 @@ resources: domain: openstack.org group: dataplane kind: OpenStackDataPlaneNodeSet - path: github.com/openstack-k8s-operators/openstack-operator/apis/dataplane/v1beta1 + path: github.com/openstack-k8s-operators/openstack-operator/api/dataplane/v1beta1 version: v1beta1 webhooks: defaulting: true @@ -66,8 +71,12 @@ resources: domain: openstack.org group: dataplane kind: OpenStackDataPlaneService - path: github.com/openstack-k8s-operators/openstack-operator/apis/dataplane/v1beta1 + path: github.com/openstack-k8s-operators/openstack-operator/api/dataplane/v1beta1 version: v1beta1 + webhooks: + defaulting: true + validation: true + webhookVersion: v1 - api: crdVersion: v1 namespaced: true 
@@ -75,8 +84,12 @@ resources: domain: openstack.org group: dataplane kind: OpenStackDataPlaneDeployment - path: github.com/openstack-k8s-operators/openstack-operator/apis/dataplane/v1beta1 + path: github.com/openstack-k8s-operators/openstack-operator/api/dataplane/v1beta1 version: v1beta1 + webhooks: + defaulting: true + validation: true + webhookVersion: v1 - api: crdVersion: v1 namespaced: true @@ -84,6 +97,6 @@ resources: domain: openstack.org group: operator kind: OpenStack - path: github.com/openstack-k8s-operators/openstack-operator/apis/operator/v1beta1 + path: github.com/openstack-k8s-operators/openstack-operator/api/operator/v1beta1 version: v1beta1 version: "3" diff --git a/apis/bases/client.openstack.org_openstackclients.yaml b/api/bases/client.openstack.org_openstackclients.yaml similarity index 100% rename from apis/bases/client.openstack.org_openstackclients.yaml rename to api/bases/client.openstack.org_openstackclients.yaml diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/api/bases/core.openstack.org_openstackcontrolplanes.yaml similarity index 100% rename from apis/bases/core.openstack.org_openstackcontrolplanes.yaml rename to api/bases/core.openstack.org_openstackcontrolplanes.yaml diff --git a/apis/bases/core.openstack.org_openstackversions.yaml b/api/bases/core.openstack.org_openstackversions.yaml similarity index 100% rename from apis/bases/core.openstack.org_openstackversions.yaml rename to api/bases/core.openstack.org_openstackversions.yaml diff --git a/apis/bases/dataplane.openstack.org_openstackdataplanedeployments.yaml b/api/bases/dataplane.openstack.org_openstackdataplanedeployments.yaml similarity index 100% rename from apis/bases/dataplane.openstack.org_openstackdataplanedeployments.yaml rename to api/bases/dataplane.openstack.org_openstackdataplanedeployments.yaml 
diff --git a/apis/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml b/api/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml
similarity index 100%
rename from apis/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml
rename to api/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml
diff --git a/apis/bases/dataplane.openstack.org_openstackdataplaneservices.yaml b/api/bases/dataplane.openstack.org_openstackdataplaneservices.yaml
similarity index 100%
rename from apis/bases/dataplane.openstack.org_openstackdataplaneservices.yaml
rename to api/bases/dataplane.openstack.org_openstackdataplaneservices.yaml
diff --git a/apis/bases/operator.openstack.org_openstacks.yaml b/api/bases/operator.openstack.org_openstacks.yaml
similarity index 100%
rename from apis/bases/operator.openstack.org_openstacks.yaml
rename to api/bases/operator.openstack.org_openstacks.yaml
diff --git a/apis/client/v1beta1/conditions.go b/api/client/v1beta1/conditions.go
similarity index 100%
rename from apis/client/v1beta1/conditions.go
rename to api/client/v1beta1/conditions.go
diff --git a/apis/client/v1beta1/groupversion_info.go b/api/client/v1beta1/groupversion_info.go
similarity index 100%
rename from apis/client/v1beta1/groupversion_info.go
rename to api/client/v1beta1/groupversion_info.go
diff --git a/apis/client/v1beta1/openstackclient_types.go b/api/client/v1beta1/openstackclient_types.go
similarity index 100%
rename from apis/client/v1beta1/openstackclient_types.go
rename to api/client/v1beta1/openstackclient_types.go
diff --git a/apis/client/v1beta1/openstackclient_webhook.go b/api/client/v1beta1/openstackclient_webhook.go
similarity index 100%
rename from apis/client/v1beta1/openstackclient_webhook.go
rename to api/client/v1beta1/openstackclient_webhook.go
diff --git a/apis/client/v1beta1/webhook_suite_test.go b/api/client/v1beta1/webhook_suite_test.go similarity index 100% rename from apis/client/v1beta1/webhook_suite_test.go rename to api/client/v1beta1/webhook_suite_test.go diff --git a/apis/client/v1beta1/zz_generated.deepcopy.go b/api/client/v1beta1/zz_generated.deepcopy.go similarity index 100% rename from apis/client/v1beta1/zz_generated.deepcopy.go rename to api/client/v1beta1/zz_generated.deepcopy.go diff --git a/apis/core/v1beta1/conditions.go b/api/core/v1beta1/conditions.go similarity index 100% rename from apis/core/v1beta1/conditions.go rename to api/core/v1beta1/conditions.go diff --git a/apis/core/v1beta1/groupversion_info.go b/api/core/v1beta1/groupversion_info.go similarity index 100% rename from apis/core/v1beta1/groupversion_info.go rename to api/core/v1beta1/groupversion_info.go diff --git a/apis/core/v1beta1/openstackcontrolplane_types.go b/api/core/v1beta1/openstackcontrolplane_types.go similarity index 99% rename from apis/core/v1beta1/openstackcontrolplane_types.go rename to api/core/v1beta1/openstackcontrolplane_types.go index 0016d78a4..e0f96e00f 100644 --- a/apis/core/v1beta1/openstackcontrolplane_types.go +++ b/api/core/v1beta1/openstackcontrolplane_types.go @@ -42,7 +42,7 @@ import ( neutronv1 "github.com/openstack-k8s-operators/neutron-operator/api/v1beta1" novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1" octaviav1 "github.com/openstack-k8s-operators/octavia-operator/api/v1beta1" - "github.com/openstack-k8s-operators/openstack-operator/apis/client/v1beta1" + "github.com/openstack-k8s-operators/openstack-operator/api/client/v1beta1" ovnv1 "github.com/openstack-k8s-operators/ovn-operator/api/v1beta1" placementv1 "github.com/openstack-k8s-operators/placement-operator/api/v1beta1" swiftv1 "github.com/openstack-k8s-operators/swift-operator/api/v1beta1" 
diff --git a/apis/core/v1beta1/openstackcontrolplane_webhook.go b/api/core/v1beta1/openstackcontrolplane_webhook.go similarity index 95% rename from apis/core/v1beta1/openstackcontrolplane_webhook.go rename to api/core/v1beta1/openstackcontrolplane_webhook.go index 6eabdb2cd..f5ed80004 100644 --- a/apis/core/v1beta1/openstackcontrolplane_webhook.go +++ b/api/core/v1beta1/openstackcontrolplane_webhook.go @@ -34,10 +34,8 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/utils/ptr" - ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/webhook" "sigs.k8s.io/controller-runtime/pkg/webhook/admission" barbicanv1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" 
@@ -60,28 +58,11 @@ import ( telemetryv1 "github.com/openstack-k8s-operators/telemetry-operator/api/v1beta1" ) -var ctlplaneWebhookClient client.Client - // log is for logging in this package. var openstackcontrolplanelog = logf.Log.WithName("openstackcontrolplane-resource") -// SetupWebhookWithManager sets up the Webhook with the Manager. -func (r *OpenStackControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error { - if ctlplaneWebhookClient == nil { - ctlplaneWebhookClient = mgr.GetClient() - } - - return ctrl.NewWebhookManagedBy(mgr). - For(r). - Complete() -} - -// +kubebuilder:webhook:path=/validate-core-openstack-org-v1beta1-openstackcontrolplane,mutating=false,failurePolicy=Fail,sideEffects=None,groups=core.openstack.org,resources=openstackcontrolplanes,verbs=create;update,versions=v1beta1,name=vopenstackcontrolplane.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &OpenStackControlPlane{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (r *OpenStackControlPlane) ValidateCreate() (admission.Warnings, error) { +// ValidateCreate validates the OpenStackControlPlane on creation +func (r *OpenStackControlPlane) ValidateCreate(ctx context.Context, c client.Client) (admission.Warnings, error) { openstackcontrolplanelog.Info("validate create", "name", r.Name) var allWarn []string @@ -91,7 +72,7 @@ func (r *OpenStackControlPlane) ValidateCreate() (admission.Warnings, error) { listOpts := []client.ListOption{ client.InNamespace(r.Namespace), } - if err := ctlplaneWebhookClient.List(context.TODO(), ctlplaneList, listOpts...); err != nil { + if err := c.List(ctx, ctlplaneList, listOpts...); err != nil { return nil, apierrors.NewForbidden( schema.GroupResource{ Group: GroupVersion.WithKind("OpenStackControlPlane").Group, 
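Review bot: The deleted `+kubebuilder:webhook` marker carried `failurePolicy=Fail` and `sideEffects=None` for the validating webhook, and the `var _ webhook.Validator = &OpenStackControlPlane{}` assertion that guaranteed all three Validate* methods were wired goes with it; the new `ValidateCreate(ctx context.Context, c client.Client)` signature matches no controller-runtime interface, so nothing in this package still checks that the replacement handler calls these methods or that the regenerated ValidatingWebhookConfiguration stays fail-closed. Wherever the marker now lives (presumably the new webhook package, which is not in this chunk), confirm it still says `failurePolicy=Fail`, because `Ignore` would let an OpenStackControlPlane bypass the single-instance and version checks whenever the webhook endpoint is unavailable. To keep a compile-time check, declare a small package-level interface mirroring the three new signatures and assert it, as sketched below. ValidateCreate's body continues past this hunk.

```go
// Validator is implemented by API types whose admission checks take the
// request context and a client from the caller instead of a package global.
type Validator interface {
	ValidateCreate(ctx context.Context, c client.Client) (admission.Warnings, error)
	ValidateUpdate(ctx context.Context, old runtime.Object, c client.Client) (admission.Warnings, error)
	ValidateDelete(ctx context.Context, c client.Client) (admission.Warnings, error)
}

var _ Validator = &OpenStackControlPlane{}
// … unchanged: openstackcontrolplanelog, ValidateCreate …
```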
@@ -118,7 +99,7 @@ func (r *OpenStackControlPlane) ValidateCreate() (admission.Warnings, error) { ) } - allErrs, err := r.ValidateVersion() + allErrs, err := r.ValidateVersion(ctx, c) // Version validation can generate non-field errors, so we consider those first if err != nil { @@ -145,8 +126,8 @@ func (r *OpenStackControlPlane) ValidateCreate() (admission.Warnings, error) { return allWarn, nil } -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (r *OpenStackControlPlane) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { +// ValidateUpdate validates the OpenStackControlPlane on update +func (r *OpenStackControlPlane) ValidateUpdate(ctx context.Context, old runtime.Object, c client.Client) (admission.Warnings, error) { openstackcontrolplanelog.Info("validate update", "name", r.Name) oldControlPlane, ok := old.(*OpenStackControlPlane) @@ -178,8 +159,8 @@ func (r *OpenStackControlPlane) ValidateUpdate(old runtime.Object) (admission.Wa return allWarn, nil } -// ValidateDelete implements webhook.Validator so a webhook will be registered for the type -func (r *OpenStackControlPlane) ValidateDelete() (admission.Warnings, error) { +// ValidateDelete validates the OpenStackControlPlane on deletion +func (r *OpenStackControlPlane) ValidateDelete(ctx context.Context, c client.Client) (admission.Warnings, error) { openstackcontrolplanelog.Info("validate delete", "name", r.Name) return nil, nil 
@@ -734,10 +715,11 @@ func (r *OpenStackControlPlane) ValidateServiceDependencies(basePath *field.Path return allErrs } -func (r *OpenStackControlPlane) ValidateVersion() (field.ErrorList, error) { +// ValidateVersion validates the OpenStackVersion reference in the OpenStackControlPlane +func (r *OpenStackControlPlane) ValidateVersion(ctx context.Context, c client.Client) (field.ErrorList, error) { var allErrs field.ErrorList - openStackVersionList, err := GetOpenStackVersions(r.Namespace, ctlplaneWebhookClient) + openStackVersionList, err := GetOpenStackVersions(r.Namespace, c) if err != nil { return allErrs, apierrors.NewForbidden( @@ -784,11 +766,7 @@ func (r *OpenStackControlPlane) ValidateVersion() (field.ErrorList, error) { return allErrs, nil } -// +kubebuilder:webhook:path=/mutate-core-openstack-org-v1beta1-openstackcontrolplane,mutating=true,failurePolicy=fail,sideEffects=None,groups=core.openstack.org,resources=openstackcontrolplanes,verbs=create;update,versions=v1beta1,name=mopenstackcontrolplane.kb.io,admissionReviewVersions=v1 - -var _ webhook.Defaulter = &OpenStackControlPlane{} - -// Default implements webhook.Defaulter so a webhook will be registered for the type +// Default sets default values for the OpenStackControlPlane func (r *OpenStackControlPlane) Default() { openstackcontrolplanelog.Info("default", "name", r.Name) @@ -874,7 +852,7 @@ func (r *OpenStackControlPlane) DefaultServices() { // clean up the APIOverrides for each glanceAPI that has been // deleted from the ctlplane apis := maps.Keys(r.Spec.Glance.Template.GlanceAPIs) - for k, _ := range r.Spec.Glance.APIOverride { + for k := range r.Spec.Glance.APIOverride { if !slices.Contains(apis, k) { delete(r.Spec.Glance.APIOverride, k) } 
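Review bot: `ValidateVersion` now receives `ctx` but the one call that can block, `GetOpenStackVersions(r.Namespace, c)`, is still invoked without it, so the admission request's deadline and cancellation never reach the List underneath and a slow API server holds the webhook open until the server-side timeout; by contrast the direct `c.List(ctx, ...)` in ValidateCreate does pass it. GetOpenStackVersions' signature is not in this chunk, so if it can take a context the call should become `openStackVersionList, err := GetOpenStackVersions(ctx, r.Namespace, c)`; if it cannot, the otherwise unused `ctx` parameter should at least carry a comment saying it is reserved for that. ValidateVersion's body continues beyond this hunk.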
@@ -1136,6 +1114,7 @@ func validateTLSOverrideSpec(override **route.OverrideSpec, basePath *field.Path return allErrs } +// ValidateTopology validates the TopologyRef in the OpenStackControlPlane func (r *OpenStackControlPlane) ValidateTopology(basePath *field.Path) *field.Error { // When a TopologyRef CR is referenced, fail if a different Namespace is // referenced because is not supported diff --git a/apis/core/v1beta1/openstackversion_types.go b/api/core/v1beta1/openstackversion_types.go similarity index 99% rename from apis/core/v1beta1/openstackversion_types.go rename to api/core/v1beta1/openstackversion_types.go index 7c3f9a3b9..2d4f58f4a 100644 --- a/apis/core/v1beta1/openstackversion_types.go +++ b/api/core/v1beta1/openstackversion_types.go @@ -213,7 +213,8 @@ type OpenStackVersionStatus struct { // +kubebuilder:printcolumn:name="Target Version",type=string,JSONPath=`.spec.targetVersion` // +kubebuilder:printcolumn:name="Available Version",type=string,JSONPath=`.status.availableVersion` // +kubebuilder:printcolumn:name="Deployed Version",type=string,JSONPath=`.status.deployedVersion` -// OpenStackVersion is the Schema for the openstackversionupdates API + +// OpenStackVersion defines the Schema for the openstackversionupdates API type OpenStackVersion struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` @@ -223,6 +224,7 @@ type OpenStackVersion struct { } // +kubebuilder:object:root=true + // OpenStackVersionList contains a list of OpenStackVersion type OpenStackVersionList struct { metav1.TypeMeta `json:",inline"` @@ -256,9 +258,8 @@ func getOpenStackReleaseVersion(openstackReleaseVersion string, releaseVersionSc operatorConditionEpoch := re.FindString(operatorConditionName) if operatorConditionEpoch == "" { return openstackReleaseVersion - } else { - return openstackReleaseVersion + operatorConditionEpoch } + return openstackReleaseVersion + operatorConditionEpoch } return openstackReleaseVersion } 
diff --git a/apis/core/v1beta1/openstackversion_webhook.go b/api/core/v1beta1/openstackversion_webhook.go similarity index 77% rename from apis/core/v1beta1/openstackversion_webhook.go rename to api/core/v1beta1/openstackversion_webhook.go index 6fa642a1b..97de0b774 100644 --- a/apis/core/v1beta1/openstackversion_webhook.go +++ b/api/core/v1beta1/openstackversion_webhook.go @@ -17,6 +17,7 @@ limitations under the License. package v1beta1 import ( + "context" "fmt" "os" "reflect" @@ -26,15 +27,11 @@ import ( "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/runtime" - ctrl "sigs.k8s.io/controller-runtime" goClient "sigs.k8s.io/controller-runtime/pkg/client" logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/webhook" "sigs.k8s.io/controller-runtime/pkg/webhook/admission" ) -var versionWebhookClient goClient.Client - // OpenStackVersionDefaults - type OpenStackVersionDefaults struct { AvailableVersion string 
@@ -51,39 +48,16 @@ func SetupOpenStackVersionDefaults(defaults OpenStackVersionDefaults) { openstackversionlog.Info("OpenStackVersion defaults initialized", "defaults", defaults) } -// SetupWebhookWithManager - register OpenStackVersion with the controller manager -func (r *OpenStackVersion) SetupWebhookWithManager(mgr ctrl.Manager) error { - - if versionWebhookClient == nil { - versionWebhookClient = mgr.GetClient() - } - - return ctrl.NewWebhookManagedBy(mgr). - For(r). - Complete() -} - -// +kubebuilder:webhook:path=/mutate-core-openstack-org-v1beta1-openstackversion,mutating=true,failurePolicy=fail,sideEffects=None,groups=core.openstack.org,resources=openstackversions,verbs=create;update,versions=v1beta1,name=mopenstackversion.kb.io,admissionReviewVersions=v1 - -var _ webhook.Defaulter = &OpenStackVersion{} - -// Default implements webhook.Defaulter so a webhook will be registered for the type +// Default sets default values for the OpenStackVersion func (r *OpenStackVersion) Default() { openstackversionlog.Info("default", "name", r.Name) if r.Spec.TargetVersion == "" { r.Spec.TargetVersion = openstackVersionDefaults.AvailableVersion } - - // TODO(user): fill in your defaulting logic. } -// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation. 
-// +kubebuilder:webhook:path=/validate-core-openstack-org-v1beta1-openstackversion,mutating=false,failurePolicy=fail,sideEffects=None,groups=core.openstack.org,resources=openstackversions,verbs=create;update,versions=v1beta1,name=vopenstackversion.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &OpenStackVersion{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (r *OpenStackVersion) ValidateCreate() (admission.Warnings, error) { +// ValidateCreate validates the OpenStackVersion on creation +func (r *OpenStackVersion) ValidateCreate(ctx context.Context, c goClient.Client) (admission.Warnings, error) { openstackversionlog.Info("validate create", "name", r.Name) if r.Spec.TargetVersion != openstackVersionDefaults.AvailableVersion { @@ -100,7 +74,7 @@ func (r *OpenStackVersion) ValidateCreate() (admission.Warnings, error) { ) } - versionList, err := GetOpenStackVersions(r.Namespace, versionWebhookClient) + versionList, err := GetOpenStackVersions(r.Namespace, c) if err != nil { @@ -136,8 +110,8 @@ func (r *OpenStackVersion) ValidateCreate() (admission.Warnings, error) { return nil, nil } -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (r *OpenStackVersion) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { +// ValidateUpdate validates the OpenStackVersion on update +func (r *OpenStackVersion) ValidateUpdate(ctx context.Context, old runtime.Object, c goClient.Client) (admission.Warnings, error) { openstackversionlog.Info("validate update", "name", r.Name) _, ok := r.Status.ContainerImageVersionDefaults[r.Spec.TargetVersion] 
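Review bot: `ValidateCreate(ctx context.Context, c goClient.Client)` accepts the client from the caller but never checks it before it is handed to `GetOpenStackVersions` further down the function, and the updated openstackversion_webhook_test.go in this same change already calls the sibling ValidateUpdate with a `nil` client, so a nil-client call path clearly exists for these methods; a nil reaching the List inside GetOpenStackVersions would panic in the admission handler instead of yielding a readable denial. A guard right after the log line keeps the failure explicit and fail-closed: `if c == nil { return nil, fmt.Errorf("ValidateCreate: no client provided for OpenStackVersion %s/%s", r.Namespace, r.Name) }`. The same applies to ValidateCreate in openstackcontrolplane_webhook.go, which dereferences `c.List` directly. The function body continues past this hunk.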
@@ -236,11 +210,10 @@ func hasAnyCustomImage(images CustomContainerImages) bool { return false } -// ValidateDelete implements webhook.Validator so a webhook will be registered for the type -func (r *OpenStackVersion) ValidateDelete() (admission.Warnings, error) { +// ValidateDelete validates the OpenStackVersion on deletion +func (r *OpenStackVersion) ValidateDelete(ctx context.Context, c goClient.Client) (admission.Warnings, error) { openstackversionlog.Info("validate delete", "name", r.Name) - // TODO(user): fill in your validation logic upon object deletion. return nil, nil } diff --git a/apis/core/v1beta1/openstackversion_webhook_test.go b/api/core/v1beta1/openstackversion_webhook_test.go similarity index 87% rename from apis/core/v1beta1/openstackversion_webhook_test.go rename to api/core/v1beta1/openstackversion_webhook_test.go index 915e2a9a6..8c3e046a0 100644 --- a/apis/core/v1beta1/openstackversion_webhook_test.go +++ b/api/core/v1beta1/openstackversion_webhook_test.go @@ -1,6 +1,8 @@ package v1beta1 import ( + "context" + . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -111,7 +113,7 @@ var _ = Describe("OpenStackVersion Webhook", func() { }) It("should reject update when CustomContainerImages are unchanged and no skip annotation", func() { - _, err := newVersion.ValidateUpdate(oldVersion) + _, err := newVersion.ValidateUpdate(context.Background(), oldVersion, nil) Expect(err).To(HaveOccurred()) Expect(err.Error()).To(ContainSubstring("CustomContainerImages must be updated when changing targetVersion")) }) @@ -120,7 +122,7 @@ var _ = Describe("OpenStackVersion Webhook", func() { newVersion.Annotations = map[string]string{ "core.openstack.org/skip-custom-images-validation": "true", } - _, err := newVersion.ValidateUpdate(oldVersion) + _, err := newVersion.ValidateUpdate(context.Background(), oldVersion, nil) Expect(err).ToNot(HaveOccurred()) }) 
@@ -128,7 +130,7 @@ var _ = Describe("OpenStackVersion Webhook", func() { newVersion.Annotations = map[string]string{ "core.openstack.org/skip-custom-images-validation": "", } - _, err := newVersion.ValidateUpdate(oldVersion) + _, err := newVersion.ValidateUpdate(context.Background(), oldVersion, nil) Expect(err).ToNot(HaveOccurred()) }) @@ -136,31 +138,31 @@ var _ = Describe("OpenStackVersion Webhook", func() { newKeystoneImage := "registry.example.com/keystone:v2.0.0" newVersion.Spec.CustomContainerImages.ContainerTemplate.KeystoneAPIImage = &newKeystoneImage - _, err := newVersion.ValidateUpdate(oldVersion) + _, err := newVersion.ValidateUpdate(context.Background(), oldVersion, nil) Expect(err).ToNot(HaveOccurred()) }) It("should allow update when there are no custom images configured", func() { newVersion.Spec.CustomContainerImages = CustomContainerImages{} - _, err := newVersion.ValidateUpdate(oldVersion) + _, err := newVersion.ValidateUpdate(context.Background(), oldVersion, nil) Expect(err).ToNot(HaveOccurred()) }) It("should allow update when DeployedVersion is nil (fresh install)", func() { oldVersion.Status.DeployedVersion = nil - _, err := newVersion.ValidateUpdate(oldVersion) + _, err := newVersion.ValidateUpdate(context.Background(), oldVersion, nil) Expect(err).ToNot(HaveOccurred()) }) It("should allow update when target version is not changing", func() { newVersion.Spec.TargetVersion = "1.0.0" // Same as old version - _, err := newVersion.ValidateUpdate(oldVersion) + _, err := newVersion.ValidateUpdate(context.Background(), oldVersion, nil) Expect(err).ToNot(HaveOccurred()) }) It("should handle edge case where TrackedCustomImages is nil", func() { newVersion.Status.TrackedCustomImages = nil - _, err := newVersion.ValidateUpdate(oldVersion) + _, err := newVersion.ValidateUpdate(context.Background(), oldVersion, nil) Expect(err).ToNot(HaveOccurred()) }) 
@@ -168,13 +170,13 @@ var _ = Describe("OpenStackVersion Webhook", func() { newVersion.Status.TrackedCustomImages = map[string]CustomContainerImages{ "0.9.0": {}, // Different version than oldVersion.Spec.TargetVersion } - _, err := newVersion.ValidateUpdate(oldVersion) + _, err := newVersion.ValidateUpdate(context.Background(), oldVersion, nil) Expect(err).ToNot(HaveOccurred()) }) It("should handle invalid old object type gracefully", func() { invalidOld := &DummyObject{} // Wrong type - _, err := newVersion.ValidateUpdate(invalidOld) + _, err := newVersion.ValidateUpdate(context.Background(), invalidOld, nil) Expect(err).To(HaveOccurred()) Expect(err.Error()).To(ContainSubstring("failed to convert old object to OpenStackVersion")) }) diff --git a/apis/core/v1beta1/version_test.go b/api/core/v1beta1/version_test.go similarity index 100% rename from apis/core/v1beta1/version_test.go rename to api/core/v1beta1/version_test.go diff --git a/apis/core/v1beta1/webhook_suite_test.go b/api/core/v1beta1/webhook_suite_test.go similarity index 100% rename from apis/core/v1beta1/webhook_suite_test.go rename to api/core/v1beta1/webhook_suite_test.go diff --git a/apis/core/v1beta1/zz_generated.deepcopy.go b/api/core/v1beta1/zz_generated.deepcopy.go similarity index 100% rename from apis/core/v1beta1/zz_generated.deepcopy.go rename to api/core/v1beta1/zz_generated.deepcopy.go diff --git a/apis/dataplane/v1beta1/common.go b/api/dataplane/v1beta1/common.go similarity index 100% rename from apis/dataplane/v1beta1/common.go rename to api/dataplane/v1beta1/common.go diff --git a/apis/dataplane/v1beta1/conditions.go b/api/dataplane/v1beta1/conditions.go similarity index 100% rename from apis/dataplane/v1beta1/conditions.go rename to api/dataplane/v1beta1/conditions.go diff --git a/apis/dataplane/v1beta1/const.go b/api/dataplane/v1beta1/const.go similarity index 100% rename from apis/dataplane/v1beta1/const.go rename to api/dataplane/v1beta1/const.go 
diff --git a/apis/dataplane/v1beta1/groupversion_info.go b/api/dataplane/v1beta1/groupversion_info.go similarity index 100% rename from apis/dataplane/v1beta1/groupversion_info.go rename to api/dataplane/v1beta1/groupversion_info.go diff --git a/apis/dataplane/v1beta1/openstackdataplanedeployment_types.go b/api/dataplane/v1beta1/openstackdataplanedeployment_types.go similarity index 100% rename from apis/dataplane/v1beta1/openstackdataplanedeployment_types.go rename to api/dataplane/v1beta1/openstackdataplanedeployment_types.go diff --git a/apis/dataplane/v1beta1/openstackdataplanedeployment_webhook.go b/api/dataplane/v1beta1/openstackdataplanedeployment_webhook.go similarity index 85% rename from apis/dataplane/v1beta1/openstackdataplanedeployment_webhook.go rename to api/dataplane/v1beta1/openstackdataplanedeployment_webhook.go index d82983546..185ca0632 100644 --- a/apis/dataplane/v1beta1/openstackdataplanedeployment_webhook.go +++ b/api/dataplane/v1beta1/openstackdataplanedeployment_webhook.go @@ -57,6 +57,7 @@ func (spec *OpenStackDataPlaneDeploymentSpec) Default() { var _ webhook.Validator = &OpenStackDataPlaneDeployment{} +// ValidateCreate implements webhook.Validator so a webhook will be registered for the type func (r *OpenStackDataPlaneDeployment) ValidateCreate() (admission.Warnings, error) { openstackdataplanedeploymentlog.Info("validate create", "name", r.Name) 
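Review bot: This file keeps `var _ webhook.Validator = &OpenStackDataPlaneDeployment{}` and the legacy `ValidateCreate() (admission.Warnings, error)` shape, while OpenStackVersion and OpenStackDataPlaneNodeSet in the same commit move to the `(ctx, c)` form and drop the interface assertion; the service webhook later in the diff is in the same legacy state. controller-runtime deprecated `webhook.Validator` in favour of `admission.CustomValidator` and, as far as I recall, has removed it in recent releases, so the two dataplane types now sit on a different registration path from the nodeset. If that split is intentional, a comment above the assertion such as `// Deployment keeps the legacy Validator interface: its checks need no client access.` would spare the next reader from hunting for the reason.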
@@ -74,12 +75,14 @@ func (r *OpenStackDataPlaneDeployment) ValidateCreate() (admission.Warnings, err return nil, nil } -func (r *OpenStackDataPlaneDeploymentSpec) ValidateCreate() field.ErrorList { +// ValidateCreate validates the OpenStackDataPlaneDeploymentSpec on creation +func (spec *OpenStackDataPlaneDeploymentSpec) ValidateCreate() field.ErrorList { // TODO(user): fill in your validation logic upon object creation. return field.ErrorList{} } +// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type func (r *OpenStackDataPlaneDeployment) ValidateUpdate(original runtime.Object) (admission.Warnings, error) { openstackdataplanedeploymentlog.Info("validate update", "name", r.Name) @@ -97,12 +100,14 @@ func (r *OpenStackDataPlaneDeployment) ValidateUpdate(original runtime.Object) ( return nil, nil } -func (r *OpenStackDataPlaneDeploymentSpec) ValidateUpdate() field.ErrorList { +// ValidateUpdate validates the OpenStackDataPlaneDeploymentSpec on update +func (spec *OpenStackDataPlaneDeploymentSpec) ValidateUpdate() field.ErrorList { // TODO(user): fill in your validation logic upon object update. return field.ErrorList{} } +// ValidateDelete implements webhook.Validator so a webhook will be registered for the type func (r *OpenStackDataPlaneDeployment) ValidateDelete() (admission.Warnings, error) { openstackdataplanedeploymentlog.Info("validate delete", "name", r.Name) @@ -119,7 +124,8 @@ func (r *OpenStackDataPlaneDeployment) ValidateDelete() (admission.Warnings, err return nil, nil } -func (r *OpenStackDataPlaneDeploymentSpec) ValidateDelete() field.ErrorList { +// ValidateDelete validates the OpenStackDataPlaneDeploymentSpec on delete +func (spec *OpenStackDataPlaneDeploymentSpec) ValidateDelete() field.ErrorList { // TODO(user): fill in your validation logic upon object creation. return field.ErrorList{} 
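Review bot: The scaffold comment inside the spec's ValidateDelete still reads `// TODO(user): fill in your validation logic upon object creation.`, a copy of the create stub, and the commit is already rewriting the line above it. Change it to `// TODO(user): fill in your validation logic upon object deletion.` or drop the marker if no delete validation is planned. The identical stale comment appears in the OpenStackDataPlaneServiceSpec.ValidateDelete hunk further down; the nodeset variant already says "deletion".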
diff --git a/apis/dataplane/v1beta1/openstackdataplanenodeset.go b/api/dataplane/v1beta1/openstackdataplanenodeset.go similarity index 100% rename from apis/dataplane/v1beta1/openstackdataplanenodeset.go rename to api/dataplane/v1beta1/openstackdataplanenodeset.go diff --git a/apis/dataplane/v1beta1/openstackdataplanenodeset_types.go b/api/dataplane/v1beta1/openstackdataplanenodeset_types.go similarity index 98% rename from apis/dataplane/v1beta1/openstackdataplanenodeset_types.go rename to api/dataplane/v1beta1/openstackdataplanenodeset_types.go index 24004f3c4..6731593ae 100644 --- a/apis/dataplane/v1beta1/openstackdataplanenodeset_types.go +++ b/api/dataplane/v1beta1/openstackdataplanenodeset_types.go @@ -27,7 +27,7 @@ import ( condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition" "github.com/openstack-k8s-operators/lib-common/modules/common/util" baremetalv1 "github.com/openstack-k8s-operators/openstack-baremetal-operator/api/v1beta1" - openstackv1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1" + openstackv1 "github.com/openstack-k8s-operators/openstack-operator/api/core/v1beta1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/validation/field" 
@@ -315,10 +315,10 @@ func (r *OpenStackDataPlaneNodeSetSpec) duplicateNodeCheck(nodeSetList *OpenStac return } -// Compare TLS settings of control plane and data plane -// if control plane name is specified attempt to retrieve it +// ValidateTLS compares TLS settings of control plane and data plane. +// If control plane name is specified attempt to retrieve it, // otherwise get any control plane in the namespace -func (r *OpenStackDataPlaneNodeSetSpec) ValidateTLS(namespace string, reconcilerClient client.Client, ctx context.Context) error { +func (r *OpenStackDataPlaneNodeSetSpec) ValidateTLS(ctx context.Context, namespace string, reconcilerClient client.Client) error { var err error controlPlanes := openstackv1.OpenStackControlPlaneList{} opts := client.ListOptions{ @@ -342,7 +342,7 @@ func (r *OpenStackDataPlaneNodeSetSpec) ValidateTLS(namespace string, reconciler return err } -// Do TLS flags match in control plane ingress, pods and data plane +// TLSMatch checks if TLS flags match in control plane ingress, pods and data plane func (r *OpenStackDataPlaneNodeSetSpec) TLSMatch(controlPlane openstackv1.OpenStackControlPlane) *field.Error { if controlPlane.Spec.TLS.PodLevel.Enabled != r.TLSEnabled { diff --git a/apis/dataplane/v1beta1/openstackdataplanenodeset_webhook.go b/api/dataplane/v1beta1/openstackdataplanenodeset_webhook.go similarity index 71% rename from apis/dataplane/v1beta1/openstackdataplanenodeset_webhook.go rename to api/dataplane/v1beta1/openstackdataplanenodeset_webhook.go index 5f2ac6592..4a3db4537 100644 --- a/apis/dataplane/v1beta1/openstackdataplanenodeset_webhook.go +++ b/api/dataplane/v1beta1/openstackdataplanenodeset_webhook.go 
@@ -29,38 +29,15 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" apimachineryvalidation "k8s.io/apimachinery/pkg/util/validation" "k8s.io/apimachinery/pkg/util/validation/field" - ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/webhook" "sigs.k8s.io/controller-runtime/pkg/webhook/admission" ) -// Client needed for API calls (manager's client, set by first SetupWebhookWithManager() call -// to any particular webhook) -var webhookClient client.Client - // log is for logging in this package. var openstackdataplanenodesetlog = logf.Log.WithName("openstackdataplanenodeset-resource") -// SetupWebhookWithManager sets up the webhook with the Manager -func (r *OpenStackDataPlaneNodeSet) SetupWebhookWithManager(mgr ctrl.Manager) error { - if webhookClient == nil { - webhookClient = mgr.GetClient() - } - - return ctrl.NewWebhookManagedBy(mgr). - For(r). - Complete() -} - -// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! - -// +kubebuilder:webhook:path=/mutate-dataplane-openstack-org-v1beta1-openstackdataplanenodeset,mutating=true,failurePolicy=fail,sideEffects=None,groups=dataplane.openstack.org,resources=openstackdataplanenodesets,verbs=create;update,versions=v1beta1,name=mopenstackdataplanenodeset.kb.io,admissionReviewVersions=v1 - -var _ webhook.Defaulter = &OpenStackDataPlaneNodeSet{} - -// Default implements webhook.Defaulter so a webhook will be registered for the type +// Default sets default values for the OpenStackDataPlaneNodeSet func (r *OpenStackDataPlaneNodeSet) Default() { openstackdataplanenodesetlog.Info("default", "name", r.Name) r.Spec.Default() 
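Review bot: The hunk deletes the `+kubebuilder:webhook` mutating marker together with SetupWebhookWithManager, and the next hunk deletes the validating marker (`verbs=create;update`), so nothing left in this module declares the webhook paths, names, failurePolicy or verbs for OpenStackDataPlaneNodeSet. Unless the markers were moved with the registration code (not visible in this diff), controller-gen will stop emitting the Mutating/ValidatingWebhookConfiguration entries for this type and defaulting and validation silently stop being enforced at admission; please confirm the new location carries markers with the same `path=` and `name=` values so existing configurations keep matching. Replacing the package-level `webhookClient` with an injected client is the right direction.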
@@ -96,16 +73,11 @@ func (spec *OpenStackDataPlaneNodeSetSpec) Default() { } } -// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation. -// +kubebuilder:webhook:path=/validate-dataplane-openstack-org-v1beta1-openstackdataplanenodeset,mutating=false,failurePolicy=fail,sideEffects=None,groups=dataplane.openstack.org,resources=openstackdataplanenodesets,verbs=create;update,versions=v1beta1,name=vopenstackdataplanenodeset.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &OpenStackDataPlaneNodeSet{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (r *OpenStackDataPlaneNodeSet) ValidateCreate() (admission.Warnings, error) { +// ValidateCreate validates the OpenStackDataPlaneNodeSet on creation +func (r *OpenStackDataPlaneNodeSet) ValidateCreate(ctx context.Context, c client.Client) (admission.Warnings, error) { openstackdataplanenodesetlog.Info("validate create", "name", r.Name) var errors field.ErrorList - errors, err := r.validateNodes() + errors, err := r.validateNodes(ctx, c) if err != nil { return nil, err } @@ -141,14 +113,14 @@ func (r *OpenStackDataPlaneNodeSet) ValidateCreate() (admission.Warnings, error) return nil, nil } -func (r *OpenStackDataPlaneNodeSet) validateNodes() (field.ErrorList, error) { +func (r *OpenStackDataPlaneNodeSet) validateNodes(ctx context.Context, c client.Client) (field.ErrorList, error) { var errors field.ErrorList nodeSetList := &OpenStackDataPlaneNodeSetList{} opts := &client.ListOptions{ Namespace: r.ObjectMeta.Namespace, } - err := webhookClient.List(context.TODO(), nodeSetList, opts) + err := c.List(ctx, nodeSetList, opts) if err != nil { return nil, err } 
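Review bot: `err := c.List(ctx, nodeSetList, opts)` in validateNodes uses the caller-supplied client without a nil check, and the test changes elsewhere in this commit pass `nil` as the client to the sibling webhooks, so a caller following that pattern turns a validation into a nil-pointer panic inside the webhook (which controller-runtime, if I recall its admission handler correctly, surfaces as an opaque internal error rather than a field error). A guard at the top of validateNodes keeps the failure explicit: `if c == nil { return nil, fmt.Errorf("validateNodes: nil client") }`. The body of validateNodes continues beyond this hunk.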
@@ -165,15 +137,15 @@ func (r *OpenStackDataPlaneNodeSet) validateNodes() (field.ErrorList, error) { } -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (r *OpenStackDataPlaneNodeSet) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { +// ValidateUpdate validates the OpenStackDataPlaneNodeSet on update +func (r *OpenStackDataPlaneNodeSet) ValidateUpdate(ctx context.Context, old runtime.Object, c client.Client) (admission.Warnings, error) { openstackdataplanenodesetlog.Info("validate update", "name", r.Name) oldNodeSet, ok := old.(*OpenStackDataPlaneNodeSet) if !ok { return nil, apierrors.NewInternalError( fmt.Errorf("expected a OpenStackDataPlaneNodeSet object, but got %T", oldNodeSet)) } - errors, err := r.validateNodes() + errors, err := r.validateNodes(ctx, c) if err != nil { return nil, err } @@ -206,7 +178,8 @@ func (r *OpenStackDataPlaneNodeSet) ValidateUpdate(old runtime.Object) (admissio return nil, nil } -func (r *OpenStackDataPlaneNodeSetSpec) ValidateUpdate(oldSpec *OpenStackDataPlaneNodeSetSpec) field.ErrorList { +// ValidateUpdate validates the OpenStackDataPlaneNodeSetSpec on update +func (spec *OpenStackDataPlaneNodeSetSpec) ValidateUpdate(oldSpec *OpenStackDataPlaneNodeSetSpec) field.ErrorList { var errors field.ErrorList // Some changes to the baremetalSetTemplate after the initial deployment would necessitate 
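Review bot: In the context line `fmt.Errorf("expected a OpenStackDataPlaneNodeSet object, but got %T", oldNodeSet)` the `%T` argument is the zero result of the failed type assertion, so the message always prints the expected type instead of the one actually received; the argument should be the incoming object: `fmt.Errorf("expected a OpenStackDataPlaneNodeSet object, but got %T", old)`. This is pre-existing, but the commit rewrites the lines around it and the message is what an operator sees when the webhook rejects an update. ValidateUpdate's body continues outside the hunk.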
@@ -214,10 +187,10 @@ func (r *OpenStackDataPlaneNodeSetSpec) ValidateUpdate(oldSpec *OpenStackDataPla // delete and redeploy should they wish to make such changes after the initial deploy. // If the BaremetalSetTemplate is changed, we will offload the parsing of these details // to the openstack-baremetal-operator webhook to avoid duplicating logic. - if !reflect.DeepEqual(r.BaremetalSetTemplate, oldSpec.BaremetalSetTemplate) { + if !reflect.DeepEqual(spec.BaremetalSetTemplate, oldSpec.BaremetalSetTemplate) { // Call openstack-baremetal-operator webhook Validate() to parse changes - if r.BaremetalSetTemplate != nil && oldSpec.BaremetalSetTemplate != nil { - err := r.BaremetalSetTemplate.ValidateTemplate( + if spec.BaremetalSetTemplate != nil && oldSpec.BaremetalSetTemplate != nil { + err := spec.BaremetalSetTemplate.ValidateTemplate( len(oldSpec.Nodes), *oldSpec.BaremetalSetTemplate) if err != nil { errors = append(errors, field.Forbidden( @@ -230,8 +203,8 @@ func (r *OpenStackDataPlaneNodeSetSpec) ValidateUpdate(oldSpec *OpenStackDataPla return errors } -// ValidateDelete implements webhook.Validator so a webhook will be registered for the type -func (r *OpenStackDataPlaneNodeSet) ValidateDelete() (admission.Warnings, error) { +// ValidateDelete validates the OpenStackDataPlaneNodeSet on deletion +func (r *OpenStackDataPlaneNodeSet) ValidateDelete(ctx context.Context, c client.Client) (admission.Warnings, error) { openstackdataplanenodesetlog.Info("validate delete", "name", r.Name) errors := r.Spec.ValidateDelete() @@ -247,7 +220,8 @@ func (r *OpenStackDataPlaneNodeSet) ValidateDelete() (admission.Warnings, error) return nil, nil } -func (r *OpenStackDataPlaneNodeSetSpec) ValidateDelete() field.ErrorList { +// ValidateDelete validates the OpenStackDataPlaneNodeSetSpec on delete +func (spec *OpenStackDataPlaneNodeSetSpec) ValidateDelete() field.ErrorList { // TODO(user): fill in your validation logic upon object deletion. return field.ErrorList{} 
diff --git a/apis/dataplane/v1beta1/openstackdataplaneservice_types.go b/api/dataplane/v1beta1/openstackdataplaneservice_types.go similarity index 97% rename from apis/dataplane/v1beta1/openstackdataplaneservice_types.go rename to api/dataplane/v1beta1/openstackdataplaneservice_types.go index d8f7104e7..ab3fa4ed3 100644 --- a/apis/dataplane/v1beta1/openstackdataplaneservice_types.go +++ b/api/dataplane/v1beta1/openstackdataplaneservice_types.go @@ -130,7 +130,8 @@ type OpenStackDataPlaneServiceStatus struct { // +kubebuilder:subresource:status // +kubebuilder:resource:shortName=osdps;osdpservice;osdpservices // +operator-sdk:csv:customresourcedefinitions:displayName="OpenStack Data Plane Service" -// OpenStackDataPlaneService is the Schema for the openstackdataplaneservices API + +// OpenStackDataPlaneService defines the Schema for the openstackdataplaneservices API. // OpenStackDataPlaneService name must be a valid RFC1123 as it is used in labels type OpenStackDataPlaneService struct { metav1.TypeMeta `json:",inline"` @@ -141,6 +142,7 @@ type OpenStackDataPlaneService struct { } // +kubebuilder:object:root=true + // OpenStackDataPlaneServiceList contains a list of OpenStackDataPlaneService type OpenStackDataPlaneServiceList struct { metav1.TypeMeta `json:",inline"` @@ -152,7 +154,7 @@ func init() { SchemeBuilder.Register(&OpenStackDataPlaneService{}, &OpenStackDataPlaneServiceList{}) } -// DefaultLabel - adding default label to the OpenStackDataPlaneService +// DefaultLabels adds default labels to the OpenStackDataPlaneService func (r *OpenStackDataPlaneService) DefaultLabels() { labels := map[string]string{ "app.kubernetes.io/name": "openstackdataplaneservice", 
diff --git a/apis/dataplane/v1beta1/openstackdataplaneservice_webhook.go b/api/dataplane/v1beta1/openstackdataplaneservice_webhook.go similarity index 76% rename from apis/dataplane/v1beta1/openstackdataplaneservice_webhook.go rename to api/dataplane/v1beta1/openstackdataplaneservice_webhook.go index 5aa41daad..1b9aac90a 100644 --- a/apis/dataplane/v1beta1/openstackdataplaneservice_webhook.go +++ b/api/dataplane/v1beta1/openstackdataplaneservice_webhook.go @@ -60,6 +60,7 @@ func (spec *OpenStackDataPlaneServiceSpec) Default(name string) { var _ webhook.Validator = &OpenStackDataPlaneService{} +// ValidateCreate implements webhook.Validator so a webhook will be registered for the type func (r *OpenStackDataPlaneService) ValidateCreate() (admission.Warnings, error) { openstackdataplaneservicelog.Info("validate create", "name", r.Name) 
@@ -78,20 +79,21 @@ func (r *OpenStackDataPlaneService) ValidateCreate() (admission.Warnings, error) return nil, nil } -func (r *OpenStackDataPlaneServiceSpec) ValidateArtifact() field.ErrorList { - if len(r.Playbook) == len(r.PlaybookContents) && len(r.Playbook) == len(r.Role) && len(r.Playbook) == 0 { +// ValidateArtifact validates that at least one of Playbook, PlaybookContents, or Role is specified +func (spec *OpenStackDataPlaneServiceSpec) ValidateArtifact() field.ErrorList { + if len(spec.Playbook) == len(spec.PlaybookContents) && len(spec.Playbook) == len(spec.Role) && len(spec.Playbook) == 0 { return field.ErrorList{ field.Invalid( field.NewPath("Playbook"), - r.Playbook, "Playbook, PlaybookContents and Role cannot be empty at the same time", + spec.Playbook, "Playbook, PlaybookContents and Role cannot be empty at the same time", ), field.Invalid( field.NewPath("PlaybookContents"), - r.Playbook, "Playbook, PlaybookContents and Role cannot be empty at the same time", + spec.Playbook, "Playbook, PlaybookContents and Role cannot be empty at the same time", ), field.Invalid( field.NewPath("Role"), - r.Playbook, "Playbook, PlaybookContents and Role cannot be empty at the same time", + spec.Playbook, "Playbook, PlaybookContents and Role cannot be empty at the same time", ), } } 
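Review bot: The renamed lines still hand `spec.Playbook` as the offending value to all three `field.Invalid` calls, so the PlaybookContents and Role errors report the Playbook field's (empty) value rather than their own. Since the receiver rename touches exactly these lines, use `spec.PlaybookContents` in the second call and `spec.Role` in the third so each error describes the field it names. The rest of ValidateArtifact sits outside this hunk.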
@@ -99,10 +101,12 @@ func (r *OpenStackDataPlaneServiceSpec) ValidateArtifact() field.ErrorList { return field.ErrorList{} } -func (r *OpenStackDataPlaneServiceSpec) ValidateCreate() field.ErrorList { - return r.ValidateArtifact() +// ValidateCreate validates the OpenStackDataPlaneServiceSpec on creation +func (spec *OpenStackDataPlaneServiceSpec) ValidateCreate() field.ErrorList { + return spec.ValidateArtifact() } +// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type func (r *OpenStackDataPlaneService) ValidateUpdate(original runtime.Object) (admission.Warnings, error) { openstackdataplaneservicelog.Info("validate update", "name", r.Name) errors := r.Spec.ValidateUpdate() @@ -118,10 +122,12 @@ func (r *OpenStackDataPlaneService) ValidateUpdate(original runtime.Object) (adm return nil, nil } -func (r *OpenStackDataPlaneServiceSpec) ValidateUpdate() field.ErrorList { - return r.ValidateArtifact() +// ValidateUpdate validates the OpenStackDataPlaneServiceSpec on update +func (spec *OpenStackDataPlaneServiceSpec) ValidateUpdate() field.ErrorList { + return spec.ValidateArtifact() } +// ValidateDelete implements webhook.Validator so a webhook will be registered for the type func (r *OpenStackDataPlaneService) ValidateDelete() (admission.Warnings, error) { openstackdataplaneservicelog.Info("validate delete", "name", r.Name) @@ -138,7 +144,8 @@ func (r *OpenStackDataPlaneService) ValidateDelete() (admission.Warnings, error) return nil, nil } -func (r *OpenStackDataPlaneServiceSpec) ValidateDelete() field.ErrorList { +// ValidateDelete validates the OpenStackDataPlaneServiceSpec on delete +func (spec *OpenStackDataPlaneServiceSpec) ValidateDelete() field.ErrorList { // TODO(user): fill in your validation logic upon object creation. return field.ErrorList{} 
diff --git a/apis/dataplane/v1beta1/zz_generated.deepcopy.go b/api/dataplane/v1beta1/zz_generated.deepcopy.go similarity index 100% rename from apis/dataplane/v1beta1/zz_generated.deepcopy.go rename to api/dataplane/v1beta1/zz_generated.deepcopy.go diff --git a/apis/go.mod b/api/go.mod similarity index 99% rename from apis/go.mod rename to api/go.mod index c5a4c8d61..af37e331c 100644 --- a/apis/go.mod +++ b/api/go.mod @@ -1,4 +1,4 @@ -module github.com/openstack-k8s-operators/openstack-operator/apis +module github.com/openstack-k8s-operators/openstack-operator/api go 1.24.4 diff --git a/apis/go.sum b/api/go.sum similarity index 100% rename from apis/go.sum rename to api/go.sum diff --git a/apis/operator/v1beta1/conditions.go b/api/operator/v1beta1/conditions.go similarity index 100% rename from apis/operator/v1beta1/conditions.go rename to api/operator/v1beta1/conditions.go diff --git a/apis/operator/v1beta1/groupversion_info.go b/api/operator/v1beta1/groupversion_info.go similarity index 100% rename from apis/operator/v1beta1/groupversion_info.go rename to api/operator/v1beta1/groupversion_info.go diff --git a/apis/operator/v1beta1/openstack_types.go b/api/operator/v1beta1/openstack_types.go similarity index 99% rename from apis/operator/v1beta1/openstack_types.go rename to api/operator/v1beta1/openstack_types.go index 9443082ee..9fd1508c4 100644 --- a/apis/operator/v1beta1/openstack_types.go +++ b/api/operator/v1beta1/openstack_types.go @@ -24,6 +24,7 @@ import ( "k8s.io/utils/ptr" ) +// Operator names for OpenStack components const ( OpenStackOperatorName = "openstack" BarbicanOperatorName = "barbican" 
@@ -270,7 +271,8 @@ type OpenStackStatus struct { // +operator-sdk:csv:customresourcedefinitions:displayName="OpenStack" // +kubebuilder:printcolumn:name="Deployed Operator Count",type=integer,JSONPath=`.status.deployedOperatorCount` // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[0].status",description="Status" -// OpenStack is the Schema for the openstacks API + +// OpenStack defines the Schema for the openstacks API type OpenStack struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` diff --git a/apis/operator/v1beta1/zz_generated.deepcopy.go b/api/operator/v1beta1/zz_generated.deepcopy.go similarity index 100% rename from apis/operator/v1beta1/zz_generated.deepcopy.go rename to api/operator/v1beta1/zz_generated.deepcopy.go diff --git a/apis/bases/_.yaml b/apis/bases/_.yaml deleted file mode 100644 index 25f6032cf..000000000 --- a/apis/bases/_.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null diff --git a/apis/client/OWNERS b/apis/client/OWNERS deleted file mode 100644 index b90dd082a..000000000 --- a/apis/client/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs at https://go.k8s.io/owners -approvers: - - openstack-approvers - -reviewers: - - openstack-approvers diff --git a/bindata/operator/infra-operator-webhooks.yaml b/bindata/operator/infra-operator-webhooks.yaml index 4b7288450..9eafeb4bd 100644 --- a/bindata/operator/infra-operator-webhooks.yaml +++ b/bindata/operator/infra-operator-webhooks.yaml 
@@ -6,7 +6,7 @@ metadata: app.kubernetes.io/created-by: openstack-operator app.kubernetes.io/instance: webhook-service app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: service + app.kubernetes.io/name: infra-operator app.kubernetes.io/part-of: infra-operator name: infra-operator-webhook-service namespace: '{{ .OperatorNamespace }}' @@ -16,7 +16,8 @@ spec: protocol: TCP targetPort: 9443 selector: - openstack.org/operator-name: infra + app.kubernetes.io/name: infra-operator + control-plane: controller-manager --- apiVersion: cert-manager.io/v1 kind: Certificate @@ -26,8 +27,7 @@ metadata: app.kubernetes.io/created-by: openstack-operator app.kubernetes.io/instance: serving-cert app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: certificate - app.kubernetes.io/part-of: infra-operator + app.kubernetes.io/name: infra-operator name: infra-operator-serving-cert namespace: '{{ .OperatorNamespace }}' spec: @@ -39,21 +39,6 @@ spec: name: infra-operator-selfsigned-issuer secretName: infra-operator-webhook-server-cert --- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - app.kubernetes.io/component: certificate - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/instance: selfsigned-issuer - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: issuer - app.kubernetes.io/part-of: infra-operator - name: infra-operator-selfsigned-issuer - namespace: '{{ .OperatorNamespace }}' -spec: - selfSigned: {} ---- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: diff --git a/bindata/operator/managers.yaml b/bindata/operator/managers.yaml index 8b13757f0..ad130652a 100644 --- a/bindata/operator/managers.yaml +++ b/bindata/operator/managers.yaml 
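Review bot: The last hunk removes the `infra-operator-selfsigned-issuer` Issuer, but the Certificate two hunks above still carries `issuerRef` `name: infra-operator-selfsigned-issuer` as a context line, so unless that Issuer is now rendered from another file (not visible in this diff) cert-manager will never issue `infra-operator-webhook-server-cert` and the infra webhooks fail to come up. The same Issuer deletion with a dangling issuerRef is made in openstack-baremetal-operator-webhooks.yaml further down. If a shared issuer replaces the per-operator ones, the Certificate's issuerRef should be updated in the same commit.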
@@ -5,13 +5,16 @@ metadata: labels: control-plane: controller-manager openstack.org/operator-name: {{ .Name }} + app.kubernetes.io/name: {{ .Name }} name: {{ .Name }}-operator-controller-manager namespace: {{ .Namespace }} spec: replicas: {{ .Deployment.Replicas }} selector: matchLabels: + control-plane: controller-manager openstack.org/operator-name: {{ .Name }} + app.kubernetes.io/name: {{ .Name }}-operator template: metadata: annotations: @@ -19,12 +22,21 @@ spec: labels: control-plane: controller-manager openstack.org/operator-name: {{ .Name }} + app.kubernetes.io/name: {{ .Name }}-operator spec: containers: - args: + - --leader-elect - --health-probe-bind-address=:8081 +{{- if isEnvVarTrue .Deployment.Manager.Env "METRICS_CERTS" }} + - --metrics-bind-address=:8443 + - --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs +{{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }} + - --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs +{{- end }} +{{- else }} - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect +{{- end }} command: - /manager env: @@ -55,12 +67,18 @@ spec: memory: {{ .Deployment.Manager.Resources.Requests.Memory }} securityContext: allowPrivilegeEscalation: false -{{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }} volumeMounts: +{{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }} - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true {{- end }} +{{- if isEnvVarTrue .Deployment.Manager.Env "METRICS_CERTS" }} + - mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true +{{- end }} +{{- if isEnvVarFalse .Deployment.Manager.Env "METRICS_CERTS" }} - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ 
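Review bot: Adding `control-plane: controller-manager` and `app.kubernetes.io/name: {{ .Name }}-operator` to `spec.selector.matchLabels` changes the selector of an apps/v1 Deployment, which the API server rejects as immutable on an existing object; unless the code that applies this template deletes and recreates the Deployment (not visible here), already-installed operators will fail to reconcile after upgrade. The same selector change is made to openstack-operator-controller-manager in the operator.yaml hunk near the end of this diff. Separately, the Deployment's own `metadata.labels` gets `app.kubernetes.io/name: {{ .Name }}` while the selector and pod template use `{{ .Name }}-operator`; using one value in all three avoids a confusing mismatch.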
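Review bot: With METRICS_CERTS true the manager now binds `--metrics-bind-address=:8443` on the pod network and the kube-rbac-proxy sidecar is no longer rendered (third hunk), so whether scraping still requires a bearer token and a SubjectAccessReview depends entirely on the manager installing `filters.WithAuthenticationAndAuthorization` as the metrics server's `FilterProvider`; that wiring is outside this diff, so please confirm it, otherwise any pod on the cluster network can read operator metrics unauthenticated. The args also fall back to `127.0.0.1:8080` via `{{- else }}` while the sidecar is gated by `isEnvVarFalse`; if `isEnvVarFalse` does not treat an unset variable as false, an operator without METRICS_CERTS in its env keeps the loopback address but loses the proxy, leaving its metrics Service pointing at nothing.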
@@ -81,6 +99,7 @@ spec: memory: {{ .Deployment.KubeRbacProxy.Resources.Requests.Memory }} securityContext: allowPrivilegeEscalation: false +{{- end }} securityContext: runAsNonRoot: true serviceAccountName: {{ .Name }}-operator-controller-manager @@ -101,12 +120,25 @@ spec: tolerationSeconds: {{ .TolerationSeconds }} {{- end }} {{- end }} -{{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }} volumes: +{{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }} - name: cert secret: defaultMode: 420 secretName: {{ .Name }}-operator-webhook-server-cert {{ end }} +{{- if isEnvVarTrue .Deployment.Manager.Env "METRICS_CERTS" }} + - name: metrics-certs + secret: + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: {{ .Name }}-operator-metrics-server-cert +{{ end }} --- {{ end }} diff --git a/bindata/operator/openstack-baremetal-operator-webhooks.yaml b/bindata/operator/openstack-baremetal-operator-webhooks.yaml index a1559bec7..9afcfec31 100644 --- a/bindata/operator/openstack-baremetal-operator-webhooks.yaml +++ b/bindata/operator/openstack-baremetal-operator-webhooks.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/created-by: openstack-operator app.kubernetes.io/instance: webhook-service app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: service + app.kubernetes.io/name: openstack-baremetal-operator app.kubernetes.io/part-of: openstack-baremetal-operator name: openstack-baremetal-operator-webhook-service namespace: '{{ .OperatorNamespace }}' @@ -16,7 +16,8 @@ spec: protocol: TCP targetPort: 9443 selector: - openstack.org/operator-name: openstack-baremetal + app.kubernetes.io/name: openstack-baremetal-operator + control-plane: controller-manager --- apiVersion: cert-manager.io/v1 kind: Certificate 
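Review bot: The new `metrics-certs` volume mounts Secret `{{ .Name }}-operator-metrics-server-cert` with `optional: false`, but nothing in this diff creates a cert-manager Certificate or other source for that name, whereas the webhook Secret has one in the per-operator webhooks files; if it is not rendered elsewhere, every operator pod with METRICS_CERTS=true will sit in ContainerCreating. Either add the Certificate next to the webhook serving-cert or record the provider above the volume, e.g. `# issued by the <name>-operator-metrics-server-cert Certificate rendered in <FILE-PLACEHOLDER>`.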
@@ -26,8 +27,7 @@ metadata: app.kubernetes.io/created-by: openstack-operator app.kubernetes.io/instance: serving-cert app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: certificate - app.kubernetes.io/part-of: openstack-baremetal-operator + app.kubernetes.io/name: openstack-baremetal-operator name: openstack-baremetal-operator-serving-cert namespace: '{{ .OperatorNamespace }}' spec: @@ -39,21 +39,6 @@ spec: name: openstack-baremetal-operator-selfsigned-issuer secretName: openstack-baremetal-operator-webhook-server-cert --- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - app.kubernetes.io/component: certificate - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/instance: selfsigned-issuer - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: issuer - app.kubernetes.io/part-of: openstack-baremetal-operator - name: openstack-baremetal-operator-selfsigned-issuer - namespace: '{{ .OperatorNamespace }}' -spec: - selfSigned: {} ---- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: diff --git a/bindata/operator/operator.yaml b/bindata/operator/operator.yaml index 5d43029d7..365126a46 100644 --- a/bindata/operator/operator.yaml +++ b/bindata/operator/operator.yaml 
@@ -2,39 +2,36 @@ apiVersion: v1 kind: Namespace metadata: labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: openstack-operator control-plane: controller-manager - openstack.org/operator-name: openstack name: '{{ .OperatorNamespace }}' --- apiVersion: v1 -data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 40ba705e.openstack.org -kind: ConfigMap +kind: Service metadata: - name: openstack-operator-manager-config + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: openstack-operator + control-plane: controller-manager + name: openstack-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/name: openstack-operator + control-plane: controller-manager --- apiVersion: v1 kind: Service metadata: labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/instance: webhook-service app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: service - app.kubernetes.io/part-of: openstack-operator + app.kubernetes.io/name: openstack-operator name: openstack-operator-webhook-service namespace: '{{ .OperatorNamespace }}' spec: @@ -43,12 +40,15 @@ spec: protocol: TCP targetPort: 9443 selector: - openstack.org/operator-name: openstack + app.kubernetes.io/name: openstack-operator + control-plane: controller-manager --- apiVersion: apps/v1 kind: Deployment metadata: labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: openstack-operator control-plane: controller-manager openstack.org/operator-name: openstack name: openstack-operator-controller-manager 
@@ -57,20 +57,25 @@ spec: replicas: {{ .OpenStackOperator.Deployment.Replicas }} selector: matchLabels: + app.kubernetes.io/name: openstack-operator + control-plane: controller-manager openstack.org/operator-name: openstack template: metadata: annotations: kubectl.kubernetes.io/default-container: manager labels: + app.kubernetes.io/name: openstack-operator control-plane: controller-manager openstack.org/operator-name: openstack spec: containers: - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 + - --metrics-bind-address=:8443 - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs + - --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs command: - /manager env: 
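Review bot: `spec.selector.matchLabels` of `openstack-operator-controller-manager` gains `app.kubernetes.io/name` and `control-plane`, and a Deployment's selector is immutable in apps/v1, so applying this rendered manifest over an existing Deployment is rejected with a "field is immutable" error unless the Deployment is deleted and recreated first. If the only upgrade path is OLM replacing the CSV-owned Deployment this may be handled, but any code that applies `bindata/operator/operator.yaml` directly needs an explicit delete-and-recreate (or a documented manual step); a comment above `selector:` noting the immutability would prevent the next label change from repeating this. The argument reorder is harmless, but `--metrics-bind-address=:8443` now binds the metrics listener on all interfaces instead of loopback, which is only safe together with the TLS and authorization settings configured in `cmd/main.go`, not visible here.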
@@ -105,66 +110,61 @@ spec: memory: {{ .OpenStackOperator.Deployment.Manager.Resources.Requests.Memory }} securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: + - mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert + name: webhook-certs readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: '{{ .OpenStackOperator.Deployment.KubeRbacProxy.Image }}' - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - tolerations: -{{- range .OpenStackOperator.Deployment.Tolerations }} - - key: "{{ .Key }}" -{{- if .Operator }} - operator: "{{ .Operator }}" -{{- end }} -{{- if .Value }} - value: "{{ .Value }}" -{{- end }} -{{- if .Effect }} - effect: "{{ .Effect }}" -{{- end }} -{{- if .TolerationSeconds }} - tolerationSeconds: {{ .TolerationSeconds }} -{{- end }} -{{- end }} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: openstack-operator-controller-manager terminationGracePeriodSeconds: 10 volumes: - - name: cert + - name: metrics-certs + secret: + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: metrics-server-cert + - name: webhook-certs secret: - defaultMode: 420 secretName: webhook-server-cert --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: labels: - app.kubernetes.io/component: certificate - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/instance: serving-cert app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: certificate - app.kubernetes.io/part-of: openstack-operator + 
app.kubernetes.io/name: openstack-operator + name: openstack-operator-metrics-certs + namespace: '{{ .OperatorNamespace }}' +spec: + dnsNames: + - openstack-operator-controller-manager-metrics-service.{{ .OperatorNamespace }}.svc + - openstack-operator-controller-manager-metrics-service.{{ .OperatorNamespace }}.svc.cluster.local + issuerRef: + kind: Issuer + name: openstack-operator-selfsigned-issuer + secretName: metrics-server-cert +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: openstack-operator name: openstack-operator-serving-cert namespace: '{{ .OperatorNamespace }}' spec: @@ -180,12 +180,8 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: labels: - app.kubernetes.io/component: certificate - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/instance: selfsigned-issuer app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: issuer - app.kubernetes.io/part-of: openstack-operator + app.kubernetes.io/name: openstack-operator name: openstack-operator-selfsigned-issuer namespace: '{{ .OperatorNamespace }}' spec: @@ -196,13 +192,6 @@ kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: '{{ .OperatorNamespace }}/openstack-operator-serving-cert' - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/instance: mutating-webhook-configuration - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: mutatingingwebhookconfiguration - app.kubernetes.io/part-of: openstack-operator name: openstack-operator-mutating-webhook-configuration webhooks: - admissionReviewVersions: @@ -213,7 +202,7 @@ webhooks: namespace: '{{ .OperatorNamespace }}' path: /mutate-client-openstack-org-v1beta1-openstackclient failurePolicy: Fail - name: mopenstackclient.kb.io + name: mopenstackclient-v1beta1.kb.io rules: - apiGroups: - client.openstack.org 
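Review bot: Removing the `kube-rbac-proxy` sidecar drops the TokenReview/SubjectAccessReview gate that previously fronted `/metrics`; the manager now serves 8443 itself with `--metrics-cert-path`, and whether a bearer token with `get` on the metrics resource is still required depends on the metrics-server options in `cmd/main.go`, which this diff does not show — please confirm the authentication/authorization filter is enabled there, otherwise the endpoint is TLS-protected but anonymous. The `tolerations:` block driven by `.OpenStackOperator.Deployment.Tolerations` is deleted and nothing on the new side replaces it, so tolerations set on the OpenStackOperator spec silently stop being applied unless they are rendered elsewhere; if that is intentional it should be called out in the commit message. The added `capabilities: drop: [ALL]` and `seccompProfile: RuntimeDefault` are a welcome hardening of the manager container. This hunk starts in the previous physical line and the Deployment it edits begins outside it.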
@@ -233,7 +222,7 @@ webhooks: namespace: '{{ .OperatorNamespace }}' path: /mutate-core-openstack-org-v1beta1-openstackcontrolplane failurePolicy: Fail - name: mopenstackcontrolplane.kb.io + name: mopenstackcontrolplane-v1beta1.kb.io rules: - apiGroups: - core.openstack.org @@ -253,7 +242,7 @@ webhooks: namespace: '{{ .OperatorNamespace }}' path: /mutate-core-openstack-org-v1beta1-openstackversion failurePolicy: Fail - name: mopenstackversion.kb.io + name: mopenstackversion-v1beta1.kb.io rules: - apiGroups: - core.openstack.org @@ -273,7 +262,7 @@ webhooks: namespace: '{{ .OperatorNamespace }}' path: /mutate-dataplane-openstack-org-v1beta1-openstackdataplanedeployment failurePolicy: Fail - name: mopenstackdataplanedeployment.kb.io + name: mopenstackdataplanedeployment-v1beta1.kb.io rules: - apiGroups: - dataplane.openstack.org @@ -293,7 +282,7 @@ webhooks: namespace: '{{ .OperatorNamespace }}' path: /mutate-dataplane-openstack-org-v1beta1-openstackdataplanenodeset failurePolicy: Fail - name: mopenstackdataplanenodeset.kb.io + name: mopenstackdataplanenodeset-v1beta1.kb.io rules: - apiGroups: - dataplane.openstack.org 
@@ -305,6 +294,66 @@ webhooks: resources: - openstackdataplanenodesets sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: openstack-operator-webhook-service + namespace: '{{ .OperatorNamespace }}' + path: /mutate-dataplane-openstack-org-v1beta1-openstackdataplaneservice + failurePolicy: Fail + name: mopenstackdataplaneservice-v1beta1.kb.io + rules: + - apiGroups: + - dataplane.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackdataplaneservices + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: openstack-operator-webhook-service + namespace: '{{ .OperatorNamespace }}' + path: /mutate-client-openstack-org-v1beta1-openstackclient + failurePolicy: Fail + name: mopenstackclient.kb.io + rules: + - apiGroups: + - client.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackclients + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: openstack-operator-webhook-service + namespace: '{{ .OperatorNamespace }}' + path: /mutate-dataplane-openstack-org-v1beta1-openstackdataplanedeployment + failurePolicy: Fail + name: mopenstackdataplanedeployment.kb.io + rules: + - apiGroups: + - dataplane.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackdataplanedeployments + sideEffects: None - admissionReviewVersions: - v1 clientConfig: 
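Review bot: This hunk adds `mopenstackclient.kb.io` and `mopenstackdataplanedeployment.kb.io`, which point at the same `path`, `rules` and `resources` as the `mopenstackclient-v1beta1.kb.io` and `mopenstackdataplanedeployment-v1beta1.kb.io` entries the earlier rename hunks produce, so every CREATE/UPDATE of those resources is sent through the same mutation handler twice. The names differ, so the configuration is accepted, but each request pays two webhook round-trips and any non-idempotent mutation runs twice; the stale unsuffixed entries look like leftovers from the pre-rename generator output and should be dropped, keeping only `mopenstackdataplaneservice-v1beta1.kb.io` as genuinely new. The `@@ -440,6 +482,66 @@` hunk in the ValidatingWebhookConfiguration has the identical duplication for `vopenstackclient.kb.io` and `vopenstackdataplanedeployment.kb.io`. A generator-side check that webhook paths are unique per configuration would catch this in CI.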
@@ -331,13 +380,6 @@ kind: ValidatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: '{{ .OperatorNamespace }}/openstack-operator-serving-cert' - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/instance: validating-webhook-configuration - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: validatingwebhookconfiguration - app.kubernetes.io/part-of: openstack-operator name: openstack-operator-validating-webhook-configuration webhooks: - admissionReviewVersions: @@ -348,7 +390,7 @@ webhooks: namespace: '{{ .OperatorNamespace }}' path: /validate-client-openstack-org-v1beta1-openstackclient failurePolicy: Fail - name: vopenstackclient.kb.io + name: vopenstackclient-v1beta1.kb.io rules: - apiGroups: - client.openstack.org @@ -368,7 +410,7 @@ webhooks: namespace: '{{ .OperatorNamespace }}' path: /validate-core-openstack-org-v1beta1-openstackcontrolplane failurePolicy: Fail - name: vopenstackcontrolplane.kb.io + name: vopenstackcontrolplane-v1beta1.kb.io rules: - apiGroups: - core.openstack.org @@ -388,7 +430,7 @@ webhooks: namespace: '{{ .OperatorNamespace }}' path: /validate-core-openstack-org-v1beta1-openstackversion failurePolicy: Fail - name: vopenstackversion.kb.io + name: vopenstackversion-v1beta1.kb.io rules: - apiGroups: - core.openstack.org @@ -408,7 +450,7 @@ webhooks: namespace: '{{ .OperatorNamespace }}' path: /validate-dataplane-openstack-org-v1beta1-openstackdataplanedeployment failurePolicy: Fail - name: vopenstackdataplanedeployment.kb.io + name: vopenstackdataplanedeployment-v1beta1.kb.io rules: - apiGroups: - dataplane.openstack.org @@ -428,7 +470,7 @@ webhooks: namespace: '{{ .OperatorNamespace }}' path: /validate-dataplane-openstack-org-v1beta1-openstackdataplanenodeset failurePolicy: Fail - name: vopenstackdataplanenodeset.kb.io + name: vopenstackdataplanenodeset-v1beta1.kb.io rules: - apiGroups: - dataplane.openstack.org 
@@ -440,6 +482,66 @@ webhooks: resources: - openstackdataplanenodesets sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: openstack-operator-webhook-service + namespace: '{{ .OperatorNamespace }}' + path: /validate-dataplane-openstack-org-v1beta1-openstackdataplaneservice + failurePolicy: Fail + name: vopenstackdataplaneservice-v1beta1.kb.io + rules: + - apiGroups: + - dataplane.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackdataplaneservices + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: openstack-operator-webhook-service + namespace: '{{ .OperatorNamespace }}' + path: /validate-client-openstack-org-v1beta1-openstackclient + failurePolicy: Fail + name: vopenstackclient.kb.io + rules: + - apiGroups: + - client.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackclients + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: openstack-operator-webhook-service + namespace: '{{ .OperatorNamespace }}' + path: /validate-dataplane-openstack-org-v1beta1-openstackdataplanedeployment + failurePolicy: Fail + name: vopenstackdataplanedeployment.kb.io + rules: + - apiGroups: + - dataplane.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackdataplanedeployments + sideEffects: None - admissionReviewVersions: - v1 clientConfig: diff --git a/bindata/rbac/barbican-operator-rbac.yaml b/bindata/rbac/barbican-operator-rbac.yaml index accf4fa03..796abf0ff 100644 --- a/bindata/rbac/barbican-operator-rbac.yaml +++ b/bindata/rbac/barbican-operator-rbac.yaml 
@@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: barbican-operator + name: barbican-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -282,6 +298,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: barbican-operator control-plane: controller-manager name: barbican-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -290,6 +307,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: barbican + app.kubernetes.io/name: barbican-operator + control-plane: controller-manager diff --git a/bindata/rbac/cinder-operator-rbac.yaml b/bindata/rbac/cinder-operator-rbac.yaml index edc6a051a..830668a77 100644 --- a/bindata/rbac/cinder-operator-rbac.yaml +++ b/bindata/rbac/cinder-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: cinder-operator + name: cinder-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -295,6 +311,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: cinder-operator control-plane: controller-manager name: cinder-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -303,6 +320,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: cinder + app.kubernetes.io/name: cinder-operator + control-plane: controller-manager diff --git a/bindata/rbac/designate-operator-rbac.yaml b/bindata/rbac/designate-operator-rbac.yaml index c79059f82..1a8adea1b 100644 --- a/bindata/rbac/designate-operator-rbac.yaml +++ b/bindata/rbac/designate-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: designate-operator + name: designate-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -329,6 +345,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: designate-operator control-plane: controller-manager name: designate-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -337,6 +354,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: designate + app.kubernetes.io/name: designate-operator + control-plane: controller-manager diff --git a/bindata/rbac/glance-operator-rbac.yaml b/bindata/rbac/glance-operator-rbac.yaml index fdbed7872..f9f9d80f3 100644 --- a/bindata/rbac/glance-operator-rbac.yaml +++ b/bindata/rbac/glance-operator-rbac.yaml 
@@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: glance-operator + name: glance-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -311,6 +327,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: glance-operator control-plane: controller-manager name: glance-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -319,6 +336,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: glance + app.kubernetes.io/name: glance-operator + control-plane: controller-manager diff --git a/bindata/rbac/heat-operator-rbac.yaml b/bindata/rbac/heat-operator-rbac.yaml index c94480b91..0fcde2b82 100644 --- a/bindata/rbac/heat-operator-rbac.yaml +++ b/bindata/rbac/heat-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: heat-operator + name: heat-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -283,6 +299,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: heat-operator control-plane: controller-manager name: heat-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -291,6 +308,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: heat + app.kubernetes.io/name: heat-operator + control-plane: controller-manager diff --git a/bindata/rbac/horizon-operator-rbac.yaml b/bindata/rbac/horizon-operator-rbac.yaml index eb8ad7bfa..40b42d557 100644 --- a/bindata/rbac/horizon-operator-rbac.yaml +++ b/bindata/rbac/horizon-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: horizon-operator + name: horizon-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -235,6 +251,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: horizon-operator control-plane: controller-manager name: horizon-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -243,6 +260,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: horizon + app.kubernetes.io/name: horizon-operator + control-plane: controller-manager diff --git a/bindata/rbac/infra-operator-rbac.yaml b/bindata/rbac/infra-operator-rbac.yaml index 7662b71f4..44212593a 100644 --- a/bindata/rbac/infra-operator-rbac.yaml +++ b/bindata/rbac/infra-operator-rbac.yaml 
@@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: infra-operator + name: infra-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -398,6 +414,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: infra-operator control-plane: controller-manager name: infra-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -406,6 +423,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: infra + app.kubernetes.io/name: infra-operator + control-plane: controller-manager diff --git a/bindata/rbac/ironic-operator-rbac.yaml b/bindata/rbac/ironic-operator-rbac.yaml index 1f72f1dee..72548ff10 100644 --- a/bindata/rbac/ironic-operator-rbac.yaml +++ b/bindata/rbac/ironic-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: ironic-operator + name: ironic-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -308,6 +324,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: ironic-operator control-plane: controller-manager name: ironic-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -316,6 +333,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: ironic + app.kubernetes.io/name: ironic-operator + control-plane: controller-manager diff --git a/bindata/rbac/keystone-operator-rbac.yaml b/bindata/rbac/keystone-operator-rbac.yaml index d86c4d32e..e5288da5e 100644 --- a/bindata/rbac/keystone-operator-rbac.yaml +++ b/bindata/rbac/keystone-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: keystone-operator + name: keystone-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -289,6 +305,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: keystone-operator control-plane: controller-manager name: keystone-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -297,6 +314,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: keystone + app.kubernetes.io/name: keystone-operator + control-plane: controller-manager diff --git a/bindata/rbac/manila-operator-rbac.yaml b/bindata/rbac/manila-operator-rbac.yaml index 217dc4b55..7007a80e5 100644 --- a/bindata/rbac/manila-operator-rbac.yaml +++ b/bindata/rbac/manila-operator-rbac.yaml 
@@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: manila-operator + name: manila-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -294,6 +310,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: manila-operator control-plane: controller-manager name: manila-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -302,6 +319,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: manila + app.kubernetes.io/name: manila-operator + control-plane: controller-manager diff --git a/bindata/rbac/mariadb-operator-rbac.yaml b/bindata/rbac/mariadb-operator-rbac.yaml index 43077bf79..86dd6383e 100644 --- a/bindata/rbac/mariadb-operator-rbac.yaml +++ b/bindata/rbac/mariadb-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: mariadb-operator + name: mariadb-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -253,6 +269,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: mariadb-operator control-plane: controller-manager name: mariadb-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -261,6 +278,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: mariadb + app.kubernetes.io/name: mariadb-operator + control-plane: controller-manager diff --git a/bindata/rbac/neutron-operator-rbac.yaml b/bindata/rbac/neutron-operator-rbac.yaml index e9b5f05c5..3f5a6574f 100644 --- a/bindata/rbac/neutron-operator-rbac.yaml +++ b/bindata/rbac/neutron-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: neutron-operator + name: neutron-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -289,6 +305,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: neutron-operator control-plane: controller-manager name: neutron-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -297,6 +314,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: neutron + app.kubernetes.io/name: neutron-operator + control-plane: controller-manager diff --git a/bindata/rbac/nova-operator-rbac.yaml b/bindata/rbac/nova-operator-rbac.yaml index 03a3bb531..cd0d13ee6 100644 --- a/bindata/rbac/nova-operator-rbac.yaml +++ b/bindata/rbac/nova-operator-rbac.yaml 
@@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: nova-operator + name: nova-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -325,6 +341,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: nova-operator control-plane: controller-manager name: nova-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -333,6 +350,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: nova + app.kubernetes.io/name: nova-operator + control-plane: controller-manager diff --git a/bindata/rbac/octavia-operator-rbac.yaml b/bindata/rbac/octavia-operator-rbac.yaml index 65ce18905..89a229acd 100644 --- a/bindata/rbac/octavia-operator-rbac.yaml +++ b/bindata/rbac/octavia-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: octavia-operator + name: octavia-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -339,6 +355,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: octavia-operator control-plane: controller-manager name: octavia-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -347,6 +364,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: octavia + app.kubernetes.io/name: octavia-operator + control-plane: controller-manager diff --git a/bindata/rbac/openstack-baremetal-operator-rbac.yaml b/bindata/rbac/openstack-baremetal-operator-rbac.yaml index 61643a7dc..742e9041a 100644 --- a/bindata/rbac/openstack-baremetal-operator-rbac.yaml +++ b/bindata/rbac/openstack-baremetal-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: openstack-baremetal-operator + name: openstack-baremetal-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -251,6 +267,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: openstack-baremetal-operator control-plane: controller-manager name: openstack-baremetal-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -259,6 +276,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: openstack-baremetal + app.kubernetes.io/name: openstack-baremetal-operator + control-plane: controller-manager diff --git a/bindata/rbac/ovn-operator-rbac.yaml b/bindata/rbac/ovn-operator-rbac.yaml index a75660d4e..eb8d4dc25 100644 
--- a/bindata/rbac/ovn-operator-rbac.yaml +++ b/bindata/rbac/ovn-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: ovn-operator + name: ovn-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -278,6 +294,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: ovn-operator control-plane: controller-manager name: ovn-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -286,6 +303,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: ovn + app.kubernetes.io/name: ovn-operator + control-plane: controller-manager diff --git a/bindata/rbac/placement-operator-rbac.yaml b/bindata/rbac/placement-operator-rbac.yaml index 9d2367f23..5bab76bf4 100644 --- a/bindata/rbac/placement-operator-rbac.yaml +++ b/bindata/rbac/placement-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: placement-operator + name: placement-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -263,6 +279,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: placement-operator control-plane: controller-manager name: placement-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -271,6 +288,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: placement + app.kubernetes.io/name: placement-operator + control-plane: controller-manager diff --git a/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml b/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml index 7803a6d72..43e0a0f84 100644 --- a/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml +++ b/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: rabbitmq-cluster-operator + name: rabbitmq-cluster-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -172,6 +188,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: rabbitmq-cluster-operator control-plane: controller-manager name: rabbitmq-cluster-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -180,6 +197,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: rabbitmq-cluster + app.kubernetes.io/name: rabbitmq-cluster-operator + control-plane: controller-manager diff --git a/bindata/rbac/rbac.yaml b/bindata/rbac/rbac.yaml index 09a3fd41b..7aed4290f 100644 --- a/bindata/rbac/rbac.yaml +++ b/bindata/rbac/rbac.yaml 
@@ -1,12 +1,18 @@ apiVersion: v1 kind: ServiceAccount metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: openstack-operator name: openstack-operator-controller-manager namespace: '{{ .OperatorNamespace }}' --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: openstack-operator name: openstack-operator-leader-election-role namespace: '{{ .OperatorNamespace }}' rules: @@ -51,17 +57,9 @@ rules: - "" resources: - configmaps - - pods - - secrets - services verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - "" resources: @@ -79,15 +77,54 @@ rules: - "" resources: - namespaces - - projects verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + - secrets + verbs: + - create + - delete - get + - list + - patch + - update + - watch - apiGroups: - "" resources: - serviceaccounts verbs: + - '*' +- apiGroups: + - "" + - project.openshift.io + resources: + - projects + verbs: + - get +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + verbs: - create + - delete - get - list - patch @@ -256,6 +293,7 @@ rules: resources: - openstackdataplanedeployments/status - openstackdataplanenodesets/status + - openstackdataplaneservices/status verbs: - get - patch @@ -264,20 +302,10 @@ rules: - dataplane.openstack.org resources: - openstackdataplanenodesets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - dataplane.openstack.org - resources: - openstackdataplaneservices verbs: - create + - delete - get - list - patch 
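Review bot: The `- '*'` that replaces the enumerated verbs in `@@ -51,17 +57,9 @@` and `@@ -79,15 +77,54 @@` (configmaps/services, namespaces, serviceaccounts, mutating/validatingwebhookconfigurations, and every apiextensions.k8s.io resource), and again for roles, rolebindings, clusterroles and clusterrolebindings in `@@ -575,18 +645,20 @@` on the next line, grants far more than the seven verbs it stands in for. A wildcard verb on serviceaccounts includes `impersonate`, and on clusterroles/clusterrolebindings it includes `bind` and `escalate`, which lets the operator's service account grant itself any permission, so the ClusterRole these rules belong to (its header is outside the hunk) becomes cluster-admin in effect. Unless a specific extra verb is needed, keep the explicit `create, delete, get, list, patch, update, watch` list the old side carried, in the kubebuilder RBAC markers this file appears to be generated from, so the grant stays auditable. The new `projects` rule also lists `""` alongside `project.openshift.io` as apiGroups; the core group has no `projects` resource, so that first entry looks like a leftover from the old `namespaces, projects` rule.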
@@ -437,6 +465,17 @@ rules: - patch - update - watch +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - network.openstack.org resources: @@ -519,6 +558,43 @@ rules: - get - list - watch +- apiGroups: + - operator.openstack.org + resources: + - openstacks + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - operator.openstack.org + resources: + - openstacks/finalizers + verbs: + - update +- apiGroups: + - operator.openstack.org + resources: + - openstacks/status + verbs: + - get + - patch + - update +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - installplans + - operators + - subscriptions + verbs: + - delete + - get + - list - apiGroups: - ovn.openstack.org resources: @@ -545,12 +621,6 @@ rules: - patch - update - watch -- apiGroups: - - project.openshift.io - resources: - - projects - verbs: - - get - apiGroups: - rabbitmq.com resources: @@ -575,18 +645,20 @@ rules: - patch - update - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + verbs: + - '*' - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings - roles verbs: - - create - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - redis.openstack.org resources: @@ -684,17 +756,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: openstack-operator-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: openstack-operator-proxy-role + name: openstack-operator-metrics-auth-role rules: - apiGroups: - authentication.k8s.io 
@@ -710,8 +772,21 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: openstack-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: openstack-operator name: openstack-operator-leader-election-rolebinding namespace: '{{ .OperatorNamespace }}' roleRef: @@ -726,6 +801,9 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: openstack-operator name: openstack-operator-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io @@ -739,28 +817,12 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: openstack-operator-proxy-rolebinding + name: openstack-operator-metrics-auth-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: openstack-operator-proxy-role + name: openstack-operator-metrics-auth-role subjects: - kind: ServiceAccount name: openstack-operator-controller-manager namespace: '{{ .OperatorNamespace }}' ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: openstack-operator-controller-manager-metrics-service - namespace: '{{ .OperatorNamespace }}' -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - openstack.org/operator-name: openstack diff --git a/bindata/rbac/swift-operator-rbac.yaml b/bindata/rbac/swift-operator-rbac.yaml index 717e222df..45276be0c 100644 --- a/bindata/rbac/swift-operator-rbac.yaml +++ b/bindata/rbac/swift-operator-rbac.yaml 
@@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: swift-operator + name: swift-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -331,6 +347,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: swift-operator control-plane: controller-manager name: swift-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -339,6 +356,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: swift + app.kubernetes.io/name: swift-operator + control-plane: controller-manager diff --git a/bindata/rbac/telemetry-operator-rbac.yaml b/bindata/rbac/telemetry-operator-rbac.yaml index 9572d6e6f..2632be648 100644 --- a/bindata/rbac/telemetry-operator-rbac.yaml +++ b/bindata/rbac/telemetry-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: telemetry-operator + name: telemetry-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -393,6 +409,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: telemetry-operator control-plane: controller-manager name: telemetry-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' @@ -401,6 +418,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: telemetry + app.kubernetes.io/name: telemetry-operator + control-plane: controller-manager diff --git a/bindata/rbac/test-operator-rbac.yaml b/bindata/rbac/test-operator-rbac.yaml index 1d611481a..ae2f9fad7 100644 --- a/bindata/rbac/test-operator-rbac.yaml +++ b/bindata/rbac/test-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: test-operator + name: test-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -168,22 +184,51 @@ subjects: namespace: '{{ .OperatorNamespace }}' --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: test-operator-operator-metrics-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: test-operator-operator-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: test-operator-proxy-rolebinding + name: test-operator-operator-metrics-auth-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: test-operator-proxy-role + name: test-operator-operator-metrics-auth-role subjects: - kind: ServiceAccount - name: test-operator-controller-manager + name: test-operator-operator-controller-manager namespace: '{{ .OperatorNamespace }}' --- apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: test-operator control-plane: controller-manager name: test-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' 
@@ -192,6 +237,28 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: test + app.kubernetes.io/name: test-operator + control-plane: controller-manager +--- +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: metrics-certs + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: test-operator + name: test-operator-metrics-certs + namespace: '{{ .OperatorNamespace }}' +spec: + dnsNames: + - test-operator-metrics-service.{{ .OperatorNamespace }}.svc + - test-operator-metrics-service.{{ .OperatorNamespace }}.svc.cluster.local + issuerRef: + kind: Issuer + name: test-operator-selfsigned-issuer + secretName: test-operator-metrics-server-cert diff --git a/bindata/rbac/watcher-operator-rbac.yaml b/bindata/rbac/watcher-operator-rbac.yaml index fda0615f6..4335841a7 100644 --- a/bindata/rbac/watcher-operator-rbac.yaml +++ b/bindata/rbac/watcher-operator-rbac.yaml @@ -1,5 +1,21 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! # +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: openstack-operator + app.kubernetes.io/instance: selfsigned-issuer + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: issuer + app.kubernetes.io/part-of: watcher-operator + name: watcher-operator-selfsigned-issuer + namespace: '{{ .OperatorNamespace }}' +spec: + selfSigned: {} +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -310,6 +326,7 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: watcher-operator control-plane: controller-manager name: watcher-operator-controller-manager-metrics-service namespace: '{{ .OperatorNamespace }}' 
@@ -318,6 +335,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: watcher + app.kubernetes.io/name: watcher-operator + control-plane: controller-manager diff --git a/main.go b/cmd/main.go similarity index 56% rename from main.go rename to cmd/main.go index bd0cbbf8a..1a2062354 100644 --- a/main.go +++ b/cmd/main.go @@ -1,5 +1,5 @@ /* -Copyright 2022. +Copyright 2025. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -14,24 +14,45 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-// Package main provides the entry point for the OpenStack operator
+// Package main is the entry point for the OpenStack operator.
 package main
 import (
 "crypto/tls"
 "flag"
 "os"
- "strconv"
- "strings"
-
- "go.uber.org/zap/zapcore"
+ "path/filepath"
 // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 // to ensure that exec-entrypoint and run can make use of them.
 _ "k8s.io/client-go/plugin/pkg/client/auth"
+ "k8s.io/apimachinery/pkg/runtime"
+ utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+ clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/certwatcher"
+ "sigs.k8s.io/controller-runtime/pkg/healthz"
+ "sigs.k8s.io/controller-runtime/pkg/log/zap"
+ "sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+ metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
+
+ operatorv1beta1 "github.com/openstack-k8s-operators/openstack-operator/api/operator/v1beta1"
+ clientcontroller "github.com/openstack-k8s-operators/openstack-operator/internal/controller/client"
+ corecontroller "github.com/openstack-k8s-operators/openstack-operator/internal/controller/core"
+ dataplanecontroller "github.com/openstack-k8s-operators/openstack-operator/internal/controller/dataplane"
+ webhookclientv1beta1 "github.com/openstack-k8s-operators/openstack-operator/internal/webhook/client/v1beta1"
+ webhookcorev1beta1 "github.com/openstack-k8s-operators/openstack-operator/internal/webhook/core/v1beta1"
+ webhookdataplanev1beta1 "github.com/openstack-k8s-operators/openstack-operator/internal/webhook/dataplane/v1beta1"
+
+ // +kubebuilder:scaffold:imports
 certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 k8s_networkv1 
"github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
+ ocp_configv1 "github.com/openshift/api/config/v1"
+ machineconfig "github.com/openshift/api/machineconfiguration/v1"
+ ocp_image "github.com/openshift/api/operator/v1alpha1"
+ routev1 "github.com/openshift/api/route/v1"
 barbicanv1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1"
 cinderv1 "github.com/openstack-k8s-operators/cinder-operator/api/v1beta1"
 designatev1 "github.com/openstack-k8s-operators/designate-operator/api/v1beta1"
@@ -52,45 +73,19 @@ import (
 novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1"
 octaviav1 "github.com/openstack-k8s-operators/octavia-operator/api/v1beta1"
 baremetalv1 "github.com/openstack-k8s-operators/openstack-baremetal-operator/api/v1beta1"
+ clientv1 "github.com/openstack-k8s-operators/openstack-operator/api/client/v1beta1"
+ corev1 "github.com/openstack-k8s-operators/openstack-operator/api/core/v1beta1"
+ dataplanev1 "github.com/openstack-k8s-operators/openstack-operator/api/dataplane/v1beta1"
+ "github.com/openstack-k8s-operators/openstack-operator/internal/openstack"
 ovnv1 "github.com/openstack-k8s-operators/ovn-operator/api/v1beta1"
 placementv1 "github.com/openstack-k8s-operators/placement-operator/api/v1beta1"
 swiftv1 "github.com/openstack-k8s-operators/swift-operator/api/v1beta1"
 telemetryv1 "github.com/openstack-k8s-operators/telemetry-operator/api/v1beta1"
- watcherv1 "github.com/openstack-k8s-operators/watcher-operator/api/v1beta1"
-
- // Note(lpiwowar): Please, do not remove! This import is necessary in order
- // to make the test-operator part of the openstack-operator-index.
_ "github.com/openstack-k8s-operators/test-operator/api/v1beta1"
+ watcherv1 "github.com/openstack-k8s-operators/watcher-operator/api/v1beta1"
 rabbitmqclusterv2 "github.com/rabbitmq/cluster-operator/v2/api/v1beta1"
- "sigs.k8s.io/controller-runtime/pkg/client/config"
-
- "k8s.io/apimachinery/pkg/runtime"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/client-go/kubernetes"
- clientgoscheme "k8s.io/client-go/kubernetes/scheme"
- ctrl "sigs.k8s.io/controller-runtime"
- "sigs.k8s.io/controller-runtime/pkg/healthz"
- "sigs.k8s.io/controller-runtime/pkg/log/zap"
- "sigs.k8s.io/controller-runtime/pkg/webhook"
-
- metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
-
- routev1 "github.com/openshift/api/route/v1"
-
- clientv1 "github.com/openstack-k8s-operators/openstack-operator/apis/client/v1beta1"
- corev1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
- dataplanev1 "github.com/openstack-k8s-operators/openstack-operator/apis/dataplane/v1beta1"
- operatorv1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/operator/v1beta1"
-
- ocp_configv1 "github.com/openshift/api/config/v1"
- machineconfig "github.com/openshift/api/machineconfiguration/v1"
- ocp_image "github.com/openshift/api/operator/v1alpha1"
-
- clientcontrollers "github.com/openstack-k8s-operators/openstack-operator/controllers/client"
- corecontrollers "github.com/openstack-k8s-operators/openstack-operator/controllers/core"
- dataplanecontrollers "github.com/openstack-k8s-operators/openstack-operator/controllers/dataplane"
- "github.com/openstack-k8s-operators/openstack-operator/pkg/openstack"
- // +kubebuilder:scaffold:imports
+ "sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 var (
@@ -138,55 +133,140 @@ func init() {
 // +kubebuilder:scaffold:scheme
 }
+// nolint:gocyclo
 func main() {
 var metricsAddr string
+ var metricsCertPath, metricsCertName, metricsCertKey string
+ var webhookCertPath, webhookCertName, webhookCertKey string
 var enableLeaderElection bool
 var probeAddr string
 var pprofAddr string
- var webhookPort int
+ var secureMetrics bool
 var enableHTTP2 bool
- flag.BoolVar(&enableHTTP2, "enable-http2", enableHTTP2, "If HTTP/2 should be enabled for the metrics and webhook servers.")
- flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
+ var tlsOpts []func(*tls.Config)
+ flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+ "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
 flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 flag.StringVar(&pprofAddr, "pprof-bind-address", "", "The address the pprof endpoint binds to. Set to empty to disable pprof")
- flag.IntVar(&webhookPort, "webhook-bind-address", 9443, "The port the webhook server binds to.")
 flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+
 "Enabling this will ensure there is only one active controller manager.")
- devMode, err := strconv.ParseBool(os.Getenv("DEV_MODE"))
- if err != nil {
- devMode = true
- }
+ flag.BoolVar(&secureMetrics, "metrics-secure", true,
+ "If set, the metrics endpoint is served securely via HTTPS. 
Use --metrics-secure=false to use HTTP instead.")
+ flag.StringVar(&webhookCertPath, "webhook-cert-path", "", "The directory that contains the webhook certificate.")
+ flag.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt", "The name of the webhook certificate file.")
+ flag.StringVar(&webhookCertKey, "webhook-cert-key", "tls.key", "The name of the webhook key file.")
+ flag.StringVar(&metricsCertPath, "metrics-cert-path", "",
+ "The directory that contains the metrics server certificate.")
+ flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.")
+ flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.")
+ flag.BoolVar(&enableHTTP2, "enable-http2", false,
+ "If set, HTTP/2 will be enabled for the metrics and webhook servers")
 opts := zap.Options{
- Development: devMode,
- TimeEncoder: zapcore.ISO8601TimeEncoder,
+ Development: true,
 }
 opts.BindFlags(flag.CommandLine)
 flag.Parse()
 ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+ // if the enable-http2 flag is false (the default), http/2 should be disabled
+ // due to its vulnerabilities. More specifically, disabling http/2 will
+ // prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+ // Rapid Reset CVEs. 
For more information see:
+ // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+ // - https://github.com/advisories/GHSA-4374-p667-p6c8
 disableHTTP2 := func(c *tls.Config) {
- if enableHTTP2 {
- return
- }
+ setupLog.Info("disabling http/2")
 c.NextProtos = []string{"http/1.1"}
 }
+ if !enableHTTP2 {
+ tlsOpts = append(tlsOpts, disableHTTP2)
+ }
+
+ // Create watchers for metrics and webhooks certificates
+ var metricsCertWatcher, webhookCertWatcher *certwatcher.CertWatcher
+
+ // Initial webhook TLS options
+ webhookTLSOpts := tlsOpts
+
+ if len(webhookCertPath) > 0 {
+ setupLog.Info("Initializing webhook certificate watcher using provided certificates",
+ "webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey)
+
+ var err error
+ webhookCertWatcher, err = certwatcher.New(
+ filepath.Join(webhookCertPath, webhookCertName),
+ filepath.Join(webhookCertPath, webhookCertKey),
+ )
+ if err != nil {
+ setupLog.Error(err, "Failed to initialize webhook certificate watcher")
+ os.Exit(1)
+ }
+
+ webhookTLSOpts = append(webhookTLSOpts, func(config *tls.Config) {
+ config.GetCertificate = webhookCertWatcher.GetCertificate
+ })
+ }
+
+ webhookServer := webhook.NewServer(webhook.Options{
+ TLSOpts: webhookTLSOpts,
+ })
+
+ // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+ // More info:
+ // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.21.0/pkg/metrics/server
+ // - https://book.kubebuilder.io/reference/metrics.html
+ metricsServerOptions := metricsserver.Options{
+ BindAddress: metricsAddr,
+ SecureServing: secureMetrics,
+ TLSOpts: tlsOpts,
+ }
+
+ if secureMetrics {
+ // FilterProvider is used to protect the metrics endpoint with authn/authz.
+ // These configurations ensure that only authorized users and service accounts
+ // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. 
More info:
+ // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.21.0/pkg/metrics/filters#WithAuthenticationAndAuthorization
+ metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+ }
+
+ // If the certificate is not specified, controller-runtime will automatically
+ // generate self-signed certificates for the metrics server. While convenient for development and testing,
+ // this setup is not recommended for production.
+ //
+ // TODO(user): If you enable certManager, uncomment the following lines:
+ // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates
+ // managed by cert-manager for the metrics server.
+ // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification.
+ if len(metricsCertPath) > 0 {
+ setupLog.Info("Initializing metrics certificate watcher using provided certificates",
+ "metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey)
+
+ var err error
+ metricsCertWatcher, err = certwatcher.New(
+ filepath.Join(metricsCertPath, metricsCertName),
+ filepath.Join(metricsCertPath, metricsCertKey),
+ )
+ if err != nil {
+ setupLog.Error(err, "to initialize metrics certificate watcher", "error", err)
+ os.Exit(1)
+ }
+
+ metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
+ config.GetCertificate = metricsCertWatcher.GetCertificate
+ })
+ }
+
 options := ctrl.Options{
- Scheme: scheme,
- Metrics: metricsserver.Options{
- BindAddress: metricsAddr,
- },
- PprofBindAddress: pprofAddr,
+ Scheme: scheme,
+ Metrics: metricsServerOptions,
+ WebhookServer: webhookServer,
 HealthProbeBindAddress: probeAddr,
+ PprofBindAddress: pprofAddr,
 LeaderElection: enableLeaderElection,
 LeaderElectionID: "40ba705e.openstack.org",
- WebhookServer: webhook.NewServer(
- webhook.Options{
- Port: webhookPort,
- TLSOpts: []func(config *tls.Config){disableHTTP2},
- }),
 // 
LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
 // when the Manager ends. This requires the binary to immediately end when the
 // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
@@ -200,7 +280,7 @@ func main() {
 // LeaderElectionReleaseOnCancel: true,
 }
- err = operator.SetManagerOptions(&options, setupLog)
+ err := operator.SetManagerOptions(&options, setupLog)
 if err != nil {
 setupLog.Error(err, "unable to set manager options")
 os.Exit(1)
@@ -211,8 +291,11 @@ func main() {
 setupLog.Error(err, "unable to start manager")
 os.Exit(1)
 }
- // Setup the context that's going to be used in controllers and for the manager.
- ctx := ctrl.SetupSignalHandler()
+
+ if err != nil {
+ setupLog.Error(err, "unable to start manager")
+ os.Exit(1)
+ }
 cfg, err := config.GetConfig()
 if err != nil {
@@ -224,8 +307,9 @@ func main() {
 setupLog.Error(err, "")
 os.Exit(1)
 }
+ ctx := ctrl.SetupSignalHandler()
- if err = (&corecontrollers.OpenStackControlPlaneReconciler{
+ if err := (&corecontroller.OpenStackControlPlaneReconciler{
 Client: mgr.GetClient(),
 Scheme: mgr.GetScheme(),
 Kclient: kclient,
@@ -233,8 +317,7 @@ func main() {
 setupLog.Error(err, "unable to create controller", "controller", "OpenStackControlPlane")
 os.Exit(1)
 }
-
- if err = (&clientcontrollers.OpenStackClientReconciler{
+ if err := (&clientcontroller.OpenStackClientReconciler{
 Client: mgr.GetClient(),
 Scheme: mgr.GetScheme(),
 Kclient: kclient,
@@ -242,8 +325,7 @@ func main() {
 setupLog.Error(err, "unable to create controller", "controller", "OpenStackClient")
 os.Exit(1)
 }
-
- if err = (&corecontrollers.OpenStackVersionReconciler{
+ if err := (&corecontroller.OpenStackVersionReconciler{
 Client: mgr.GetClient(),
 Scheme: mgr.GetScheme(),
 Kclient: kclient,
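Review bot: The error log in the `len(metricsCertPath) > 0` branch, `setupLog.Error(err, "to initialize metrics certificate watcher", "error", err)`, has a truncated message and passes `err` twice; make it `setupLog.Error(err, "Failed to initialize metrics certificate watcher")` to match the webhook branch above it. `Development: true` is now hard-coded where the old side derived it from `DEV_MODE`, so a deployment that set `DEV_MODE=false` silently gets development logging (debug level, stack traces on warnings) unless it also passes `--zap-devel=false`, which `opts.BindFlags` registers; either restore the env lookup or document the flag as the replacement. The `TODO(user): If you enable certManager, uncomment the following lines:` block is kubebuilder scaffold text that refers to kustomize overlays this repository's bindata does not use, and should be dropped or rewritten. The new default `"0"` for `--metrics-bind-address` disables metrics entirely, so the bindata Services now pointing at targetPort 8443 only work if the operator Deployment passes `--metrics-bind-address=:8443`, a manifest not in this diff. main's body continues past the hunk.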
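Review bot: The `if err != nil { setupLog.Error(err, "unable to start manager"); os.Exit(1) }` block added in `@@ -211,8 +291,11 @@` in place of the removed `ctx := ctrl.SetupSignalHandler()` is unreachable: the three context lines directly above it already check the same `err` and exit. Delete the added block; the signal-handler setup that used to be here is re-added in the `@@ -224,8 +307,9 @@` hunk, so nothing else is lost. main's body continues outside the hunk.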
@@ -251,8 +333,7 @@ func main() {
 setupLog.Error(err, "unable to create controller", "controller", "OpenStackVersion")
 os.Exit(1)
 }
-
- if err = (&dataplanecontrollers.OpenStackDataPlaneNodeSetReconciler{
+ if err := (&dataplanecontroller.OpenStackDataPlaneNodeSetReconciler{
 Client: mgr.GetClient(),
 Scheme: mgr.GetScheme(),
 Kclient: kclient,
@@ -260,8 +341,14 @@ func main() {
 setupLog.Error(err, "unable to create controller", "controller", "OpenStackDataPlaneNodeSet")
 os.Exit(1)
 }
-
- if err = (&dataplanecontrollers.OpenStackDataPlaneDeploymentReconciler{
+ if err := (&dataplanecontroller.OpenStackDataPlaneServiceReconciler{
+ Client: mgr.GetClient(),
+ Scheme: mgr.GetScheme(),
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "OpenStackDataPlaneService")
+ os.Exit(1)
+ }
+ if err := (&dataplanecontroller.OpenStackDataPlaneDeploymentReconciler{
 Client: mgr.GetClient(),
 Scheme: mgr.GetScheme(),
 Kclient: kclient,
@@ -269,7 +356,8 @@ func main() {
 setupLog.Error(err, "unable to create controller", "controller", "OpenStackDataPlaneDeployment")
 os.Exit(1)
 }
- corecontrollers.SetupVersionDefaults()
+
+ corecontroller.SetupVersionDefaults()
 // Defaults for service operators
 openstack.SetupServiceOperatorDefaults()
@@ -283,43 +371,62 @@ func main() { // Defaults for anything else that was not covered by OpenStackClient nor service operator defaults corev1.SetupVersionDefaults() - // Webhooks - checker := healthz.Ping - if strings.ToLower(os.Getenv("ENABLE_WEBHOOKS")) != "false" { - - if err = (&corev1.OpenStackControlPlane{}).SetupWebhookWithManager(mgr); err != nil { + // nolint:goconst + if os.Getenv("ENABLE_WEBHOOKS") != "false" { + if err := webhookcorev1beta1.SetupOpenStackControlPlaneWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "OpenStackControlPlane") os.Exit(1) } - if err = (&clientv1.OpenStackClient{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "OpenStackClient") + + // nolint:goconst + if err := webhookcorev1beta1.SetupOpenStackVersionWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "OpenStackVersion") os.Exit(1) } - if err = (&corev1.OpenStackVersion{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "OpenStackVersion") + // nolint:goconst + if err := webhookclientv1beta1.SetupOpenStackClientWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "OpenStackClient") os.Exit(1) } - if err = (&dataplanev1.OpenStackDataPlaneNodeSet{}).SetupWebhookWithManager(mgr); err != nil { + // nolint:goconst + if err := webhookdataplanev1beta1.SetupOpenStackDataPlaneNodeSetWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "OpenStackDataPlaneNodeSet") os.Exit(1) } - if err = (&dataplanev1.OpenStackDataPlaneDeployment{}).SetupWebhookWithManager(mgr); err != nil { + // nolint:goconst + if err := webhookdataplanev1beta1.SetupOpenStackDataPlaneDeploymentWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "OpenStackDataPlaneDeployment") 
os.Exit(1) } - if err = (&dataplanev1.OpenStackDataPlaneService{}).SetupWebhookWithManager(mgr); err != nil { + // nolint:goconst + if err := webhookdataplanev1beta1.SetupOpenStackDataPlaneServiceWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "OpenStackDataPlaneService") os.Exit(1) } - checker = mgr.GetWebhookServer().StartedChecker() } - // +kubebuilder:scaffold:builder - if err := mgr.AddHealthzCheck("healthz", checker); err != nil { + + if metricsCertWatcher != nil { + setupLog.Info("Adding metrics certificate watcher to manager") + if err := mgr.Add(metricsCertWatcher); err != nil { + setupLog.Error(err, "unable to add metrics certificate watcher to manager") + os.Exit(1) + } + } + + if webhookCertWatcher != nil { + setupLog.Info("Adding webhook certificate watcher to manager") + if err := mgr.Add(webhookCertWatcher); err != nil { + setupLog.Error(err, "unable to add webhook certificate watcher to manager") + os.Exit(1) + } + } + + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up health check") os.Exit(1) } - if err := mgr.AddReadyzCheck("readyz", checker); err != nil { + if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up ready check") os.Exit(1) } diff --git a/cmd/operator/main.go b/cmd/operator/main.go index 23cce6b47..5dd2787d4 100644 --- a/cmd/operator/main.go +++ b/cmd/operator/main.go @@ -21,15 +21,13 @@ import ( "crypto/tls" "flag" "os" - "strconv" - "strings" - - "go.uber.org/zap/zapcore" + "path/filepath" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) // to ensure that exec-entrypoint and run can make use of them. _ "k8s.io/client-go/plugin/pkg/client/auth" + "sigs.k8s.io/controller-runtime/pkg/certwatcher" "sigs.k8s.io/controller-runtime/pkg/client/config" "k8s.io/apimachinery/pkg/runtime" 
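Review bot: Readiness no longer waits for the webhook server: `mgr.AddReadyzCheck("readyz", healthz.Ping)` replaces the `checker = mgr.GetWebhookServer().StartedChecker()` that used to be set inside the `ENABLE_WEBHOOKS` branch, so the pod reports Ready before the TLS listener accepts connections and the API server can send admission requests that fail with connection refused; if the webhook configurations use `failurePolicy: Ignore` (they are not in this diff, so that is inferred), objects created in that window skip validation and defaulting entirely. Keep the gate: declare `checker := healthz.Ping` before the `if os.Getenv("ENABLE_WEBHOOKS") != "false" {` block, set `checker = mgr.GetWebhookServer().StartedChecker()` as the last statement inside it, and pass `checker` to `AddReadyzCheck` instead of `healthz.Ping`. Separately, removing `strings.ToLower` makes the switch case-sensitive, so `ENABLE_WEBHOOKS=False` now enables webhooks where it previously disabled them; either keep the normalisation or document that only the exact lowercase value is honoured. main() begins before this hunk.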
@@ -41,11 +39,12 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" "github.com/openstack-k8s-operators/lib-common/modules/common/operator" - operatorv1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/operator/v1beta1" - operatorcontrollers "github.com/openstack-k8s-operators/openstack-operator/controllers/operator" + operatorv1beta1 "github.com/openstack-k8s-operators/openstack-operator/api/operator/v1beta1" + operatorcontrollers "github.com/openstack-k8s-operators/openstack-operator/internal/controller/operator" ) var ( 
@@ -58,53 +57,140 @@ func init() { utilruntime.Must(operatorv1beta1.AddToScheme(scheme)) } +// nolint:gocyclo func main() { var metricsAddr string + var metricsCertPath, metricsCertName, metricsCertKey string + var webhookCertPath, webhookCertName, webhookCertKey string var enableLeaderElection bool var probeAddr string - var enableHTTP2 bool var pprofAddr string - flag.BoolVar(&enableHTTP2, "enable-http2", enableHTTP2, "If HTTP/2 should be enabled for the metrics and webhook servers.") - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + var secureMetrics bool + var enableHTTP2 bool + var tlsOpts []func(*tls.Config) + flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.StringVar(&pprofAddr, "pprof-bind-address", "", "The address the pprof endpoint binds to. Set to empty to disable pprof") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") - devMode, err := strconv.ParseBool(os.Getenv("DEV_MODE")) - if err != nil { - devMode = true - } + flag.BoolVar(&secureMetrics, "metrics-secure", true, + "If set, the metrics endpoint is served securely via HTTPS. 
Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&webhookCertPath, "webhook-cert-path", "", "The directory that contains the webhook certificate.") + flag.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt", "The name of the webhook certificate file.") + flag.StringVar(&webhookCertKey, "webhook-cert-key", "tls.key", "The name of the webhook key file.") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", + "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ - Development: devMode, - TimeEncoder: zapcore.ISO8601TimeEncoder, + Development: true, } opts.BindFlags(flag.CommandLine) flag.Parse() ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancellation and + // Rapid Reset CVEs. 
For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 disableHTTP2 := func(c *tls.Config) { - if enableHTTP2 { - return - } + setupLog.Info("disabling http/2") c.NextProtos = []string{"http/1.1"} } + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + // Create watchers for metrics and webhooks certificates + var metricsCertWatcher, webhookCertWatcher *certwatcher.CertWatcher + + // Initial webhook TLS options + webhookTLSOpts := tlsOpts + + if len(webhookCertPath) > 0 { + setupLog.Info("Initializing webhook certificate watcher using provided certificates", + "webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey) + + var err error + webhookCertWatcher, err = certwatcher.New( + filepath.Join(webhookCertPath, webhookCertName), + filepath.Join(webhookCertPath, webhookCertKey), + ) + if err != nil { + setupLog.Error(err, "Failed to initialize webhook certificate watcher") + os.Exit(1) + } + + webhookTLSOpts = append(webhookTLSOpts, func(config *tls.Config) { + config.GetCertificate = webhookCertWatcher.GetCertificate + }) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: webhookTLSOpts, + }) + + // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. + // More info: + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.21.0/pkg/metrics/server + // - https://book.kubebuilder.io/reference/metrics.html + metricsServerOptions := metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + } + + if secureMetrics { + // FilterProvider is used to protect the metrics endpoint with authn/authz. + // These configurations ensure that only authorized users and service accounts + // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. 
More info: + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.21.0/pkg/metrics/filters#WithAuthenticationAndAuthorization + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + } + + // If the certificate is not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. + // + // TODO(user): If you enable certManager, uncomment the following lines: + // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates + // managed by cert-manager for the metrics server. + // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. + if len(metricsCertPath) > 0 { + setupLog.Info("Initializing metrics certificate watcher using provided certificates", + "metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey) + + var err error + metricsCertWatcher, err = certwatcher.New( + filepath.Join(metricsCertPath, metricsCertName), + filepath.Join(metricsCertPath, metricsCertKey), + ) + if err != nil { + setupLog.Error(err, "to initialize metrics certificate watcher", "error", err) + os.Exit(1) + } + + metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { + config.GetCertificate = metricsCertWatcher.GetCertificate + }) + } + options := ctrl.Options{ - Scheme: scheme, - Metrics: metricsserver.Options{ - BindAddress: metricsAddr, - }, - PprofBindAddress: pprofAddr, + Scheme: scheme, + Metrics: metricsServerOptions, + WebhookServer: webhookServer, HealthProbeBindAddress: probeAddr, + PprofBindAddress: pprofAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "20ca801f.openstack.org", - WebhookServer: webhook.NewServer( - webhook.Options{ - Port: 9443, - TLSOpts: []func(config *tls.Config){disableHTTP2}, - }), // 
LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
 // when the Manager ends. This requires the binary to immediately end when the
 // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
@@ -118,7 +204,7 @@ func main() {
 // LeaderElectionReleaseOnCancel: true,
 }
- err = operator.SetManagerOptions(&options, setupLog)
+ err := operator.SetManagerOptions(&options, setupLog)
 if err != nil {
 setupLog.Error(err, "unable to set manager options")
 os.Exit(1)
@@ -129,8 +215,11 @@ func main() {
 setupLog.Error(err, "unable to start manager")
 os.Exit(1)
 }
- // Setup the context that's going to be used in controllers and for the manager.
- ctx := ctrl.SetupSignalHandler()
+
+ if err != nil {
+ setupLog.Error(err, "unable to start manager")
+ os.Exit(1)
+ }
 cfg, err := config.GetConfig()
 if err != nil {
@@ -142,13 +231,7 @@ func main() {
 setupLog.Error(err, "")
 os.Exit(1)
 }
-
- // Webhooks
- checker := healthz.Ping
- if strings.ToLower(os.Getenv("ENABLE_WEBHOOKS")) != "false" {
-
- checker = mgr.GetWebhookServer().StartedChecker()
- }
+ ctx := ctrl.SetupSignalHandler()
 if err = (&operatorcontrollers.OpenStackReconciler{
 Client: mgr.GetClient(),
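Review bot: `Development: true` is now hard-coded in the zap options and the `DEV_MODE` environment handling that let a deployment select the production logger (sampling, stack traces only on errors) is removed, so a manifest still setting `DEV_MODE=false` silently gets development logging with no warning. `opts.BindFlags(flag.CommandLine)` on the next line does register controller-runtime's `--zap-devel` flag, so the knob still exists; either add a comment next to `Development: true` stating that `DEV_MODE` is superseded by `--zap-devel=false`, or keep honouring the variable as the default (that needs the `strconv` import this diff drops in the `@@ -21,15 +21,13 @@` hunk). A smaller nit in the same hunk: the metrics watcher failure is logged as `setupLog.Error(err, "to initialize metrics certificate watcher", "error", err)`, which lacks the verb and passes the error twice; align it with the webhook branch as `setupLog.Error(err, "Failed to initialize metrics certificate watcher")`. main() continues past this hunk.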
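Review bot: The `if err != nil` block added in the `@@ -129,8 +215,11 @@` hunk can never fire: the context lines right above it close an identical `unable to start manager` check and `err` is not reassigned in between, so the addition is dead code that only obscures which call is being guarded. Remove the four added lines, leaving the existing check in place. main() starts and ends outside this hunk.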
@@ -160,11 +243,29 @@ func main() { } operatorcontrollers.SetupEnv() - if err := mgr.AddHealthzCheck("healthz", checker); err != nil { + // +kubebuilder:scaffold:builder + + if metricsCertWatcher != nil { + setupLog.Info("Adding metrics certificate watcher to manager") + if err := mgr.Add(metricsCertWatcher); err != nil { + setupLog.Error(err, "unable to add metrics certificate watcher to manager") + os.Exit(1) + } + } + + if webhookCertWatcher != nil { + setupLog.Info("Adding webhook certificate watcher to manager") + if err := mgr.Add(webhookCertWatcher); err != nil { + setupLog.Error(err, "unable to add webhook certificate watcher to manager") + os.Exit(1) + } + } + + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up health check") os.Exit(1) } - if err := mgr.AddReadyzCheck("readyz", checker); err != nil { + if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up ready check") os.Exit(1) } diff --git a/config/certmanager/certificate-metrics.yaml b/config/certmanager/certificate-metrics.yaml new file mode 100644 index 000000000..7a9f5d4af --- /dev/null +++ b/config/certmanager/certificate-metrics.yaml @@ -0,0 +1,20 @@ +# The following manifests contain a self-signed issuer CR and a metrics certificate CR. +# More document can be found at https://docs.cert-manager.io +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize + name: metrics-certs # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: + dnsNames: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + # replacements in the config/default/kustomization.yaml file. + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: metrics-server-cert 
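Review bot: `mgr.AddReadyzCheck("readyz", healthz.Ping)` drops the webhook-server `StartedChecker()` that this binary previously used whenever `ENABLE_WEBHOOKS` was not `"false"`, while the `@@ -58,53 +57,140 @@` hunk still builds a `webhookServer` with its own certificate watcher; if any admission webhook is registered with this manager (none is visible in the diff), readiness is now reported before that listener is up. If this manager deliberately serves no webhooks, the change is harmless but should say so, e.g. `// readyz is a plain ping: this manager registers no admission webhooks, so there is no webhook listener to wait for` above the `AddReadyzCheck` call; otherwise restore `mgr.GetWebhookServer().StartedChecker()` as the readiness checker. main() continues past this hunk.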
diff --git a/config/certmanager/certificate-webhook.yaml b/config/certmanager/certificate-webhook.yaml new file mode 100644 index 000000000..832a2a673 --- /dev/null +++ b/config/certmanager/certificate-webhook.yaml @@ -0,0 +1,20 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize + name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + # replacements in the config/default/kustomization.yaml file. + dnsNames: + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: webhook-server-cert diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml deleted file mode 100644 index 6c29388ea..000000000 --- a/config/certmanager/certificate.yaml +++ /dev/null 
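Review bot: The metrics serving certificate is issued by `selfsigned-issuer`, so no trust anchor outside the `metrics-server-cert` secret vouches for it; a scraper that verifies TLS (the `PROMETHEUS-WITH-CERTS` ServiceMonitor the Go comments refer to) has to pin the secret's `ca.crt`, or it will fail or end up configured with `insecureSkipVerify`, which removes the benefit of the cert. Worth a comment on `issuerRef` such as `# self-signed: scrapers must trust ca.crt from the metrics-server-cert secret; swap in a cluster issuer for production`. The Certificate also leaves `spec.duration`, `spec.renewBefore` and `spec.privateKey.rotationPolicy` at cert-manager defaults, and whether the private key is reused on renewal depends on the cert-manager version; set `privateKey: {rotationPolicy: Always}` explicitly if key reuse across renewals is not acceptable.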
@@ -1,39 +0,0 @@ -# The following manifests contain a self-signed issuer CR and a certificate CR. -# More document can be found at https://docs.cert-manager.io -# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - app.kubernetes.io/name: issuer - app.kubernetes.io/instance: selfsigned-issuer - app.kubernetes.io/component: certificate - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator - app.kubernetes.io/managed-by: kustomize - name: selfsigned-issuer - namespace: system -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: - app.kubernetes.io/name: certificate - app.kubernetes.io/instance: serving-cert - app.kubernetes.io/component: certificate - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator - app.kubernetes.io/managed-by: kustomize - name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml - namespace: system -spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize - dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local - issuerRef: - kind: Issuer - name: selfsigned-issuer - secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/certmanager/issuer.yaml b/config/certmanager/issuer.yaml new file mode 100644 index 000000000..36366a19a --- /dev/null +++ b/config/certmanager/issuer.yaml 
@@ -0,0 +1,13 @@ +# The following manifest contains a self-signed issuer CR. +# More information can be found at https://docs.cert-manager.io +# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize + name: selfsigned-issuer + namespace: system +spec: + selfSigned: {} diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml index bebea5a59..fcb7498e4 100644 --- a/config/certmanager/kustomization.yaml +++ b/config/certmanager/kustomization.yaml @@ -1,5 +1,7 @@ resources: -- certificate.yaml +- issuer.yaml +- certificate-webhook.yaml +- certificate-metrics.yaml configurations: - kustomizeconfig.yaml diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml index e631f7773..cf6f89e88 100644 --- a/config/certmanager/kustomizeconfig.yaml +++ b/config/certmanager/kustomizeconfig.yaml @@ -1,4 +1,4 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution +# This configuration is for teaching kustomize how to update name ref substitution nameReference: - kind: Issuer group: cert-manager.io @@ -6,11 +6,3 @@ nameReference: - kind: Certificate group: cert-manager.io path: spec/issuerRef/name - -varReference: -- kind: Certificate - group: cert-manager.io - path: spec/commonName -- kind: Certificate - group: cert-manager.io - path: spec/dnsNames diff --git a/config/crd/bases/_.yaml b/config/crd/bases/_.yaml deleted file mode 100644 index 25f6032cf..000000000 --- a/config/crd/bases/_.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index d9616b021..40534231a 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml 
@@ -3,31 +3,20 @@ # It should be run by config/default resources: - bases/core.openstack.org_openstackcontrolplanes.yaml -- bases/core.openstack.org_openstackversions.yaml - bases/client.openstack.org_openstackclients.yaml +- bases/core.openstack.org_openstackversions.yaml - bases/dataplane.openstack.org_openstackdataplanenodesets.yaml - bases/dataplane.openstack.org_openstackdataplaneservices.yaml - bases/dataplane.openstack.org_openstackdataplanedeployments.yaml #- bases/operator.openstack.org_openstacks.yaml -#+kubebuilder:scaffold:crdkustomizeresource +# +kubebuilder:scaffold:crdkustomizeresource patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -#- path: patches/webhook_in_core_openstackcontrolplanes.yaml -#- path: patches/webhook_in_client_openstackclients.yaml -#- path: patches/webhook_in_core_openstackversions.yaml -#- path: patches/webhook_in_operator_openstacks.yaml -#+kubebuilder:scaffold:crdkustomizewebhookpatch - -# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -#- path: patches/cainjection_in_core_openstackcontrolplanes.yaml -#- path: patches/cainjection_in_client_openstackclients.yaml -#- path: patches/cainjection_in_core_openstackversions.yaml -#- path: patches/cainjection_in_operator_openstacks.yaml -#+kubebuilder:scaffold:crdkustomizecainjectionpatch +# +kubebuilder:scaffold:crdkustomizewebhookpatch +# [WEBHOOK] To enable webhook, uncomment the following section # the following config is for teaching kustomize how to do kustomization for CRDs. -configurations: -- kustomizeconfig.yaml +#configurations: +#- kustomizeconfig.yaml diff --git a/config/crd/patches/cainjection_in_client_openstackclients.yaml b/config/crd/patches/cainjection_in_client_openstackclients.yaml deleted file mode 100644 index d8a4f014d..000000000 
--- a/config/crd/patches/cainjection_in_client_openstackclients.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: openstackclients.client.openstack.org diff --git a/config/crd/patches/cainjection_in_core_openstackcontrolplanes.yaml b/config/crd/patches/cainjection_in_core_openstackcontrolplanes.yaml deleted file mode 100644 index e37cb9cf1..000000000 --- a/config/crd/patches/cainjection_in_core_openstackcontrolplanes.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: openstackcontrolplanes.core.openstack.org diff --git a/config/crd/patches/cainjection_in_core_openstackversions.yaml b/config/crd/patches/cainjection_in_core_openstackversions.yaml deleted file mode 100644 index 03d16fa38..000000000 --- a/config/crd/patches/cainjection_in_core_openstackversions.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: openstackversions.core.openstack.org diff --git a/config/crd/patches/cainjection_in_operator_openstacks.yaml b/config/crd/patches/cainjection_in_operator_openstacks.yaml deleted file mode 100644 index fb7dae09d..000000000 --- a/config/crd/patches/cainjection_in_operator_openstacks.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: openstacks.operator.openstack.org diff --git a/config/crd/patches/webhook_in_client_openstackclients.yaml b/config/crd/patches/webhook_in_client_openstackclients.yaml deleted file mode 100644 index 271cb35a6..000000000 --- a/config/crd/patches/webhook_in_client_openstackclients.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: openstackclients.client.openstack.org -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/crd/patches/webhook_in_core_openstackcontrolplanes.yaml b/config/crd/patches/webhook_in_core_openstackcontrolplanes.yaml deleted file mode 100644 index ee212d60a..000000000 --- a/config/crd/patches/webhook_in_core_openstackcontrolplanes.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: openstackcontrolplanes.core.openstack.org -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/crd/patches/webhook_in_core_openstackversions.yaml b/config/crd/patches/webhook_in_core_openstackversions.yaml deleted file mode 100644 index 3970fb91f..000000000 --- a/config/crd/patches/webhook_in_core_openstackversions.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: openstackversions.core.openstack.org -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/crd/patches/webhook_in_operator_openstacks.yaml b/config/crd/patches/webhook_in_operator_openstacks.yaml deleted file mode 100644 index a8820aec2..000000000 --- a/config/crd/patches/webhook_in_operator_openstacks.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# The following patch enables a conversion webhook for the CRD -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: openstacks.operator.openstack.org -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - namespace: system - name: webhook-service - path: /convert - conversionReviewVersions: - - v1 diff --git a/config/default/cert_metrics_manager_patch.yaml b/config/default/cert_metrics_manager_patch.yaml new file mode 100644 index 000000000..d97501553 --- /dev/null +++ b/config/default/cert_metrics_manager_patch.yaml 
@@ -0,0 +1,30 @@ +# This patch adds the args, volumes, and ports to allow the manager to use the metrics-server certs. + +# Add the volumeMount for the metrics-server certs +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true + +# Add the --metrics-cert-path argument for the metrics server +- op: add + path: /spec/template/spec/containers/0/args/- + value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs + +# Add the metrics-server certs volume configuration +- op: add + path: /spec/template/spec/volumes/- + value: + name: metrics-certs + secret: + secretName: metrics-server-cert + optional: false + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index d64c5cf41..76c4d3af4 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -11,7 +11,6 @@ namePrefix: openstack-operator- # Labels to add to all resources and selectors. #labels: #- includeSelectors: true -# includeTemplates: true # pairs: # someName: someValue 
@@ -26,53 +25,210 @@ resources: - ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [METRICS] Expose the controller manager metrics service. +- metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy +# Uncomment the patches line if you enable Metrics patches: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics +- path: manager_metrics_patch.yaml + target: + kind: Deployment -# Mount the controller config file for loading manager configurations -# through a ComponentConfig type -#- path: manager_config_patch.yaml +# Uncomment the patches line if you enable Metrics and CertManager +# [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line. +# This patch will protect the metrics with certManager self-signed certs. +- path: cert_metrics_manager_patch.yaml + target: + kind: Deployment # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml - path: manager_webhook_patch.yaml + target: + kind: Deployment -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 
-# 'CERTMANAGER' needs to be enabled to use ca injection -- path: mutatingwebhookcainjection_patch.yaml -- path: validatingwebhookcainjection_patch.yaml - -# the following config is for teaching kustomize how to do var substitution -vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. -- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace -- name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml -- name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace -- name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service +# Uncomment the following replacements to add the cert-manager CA injection annotations +replacements: + - source: # Uncomment the following block to enable certificates for metrics + kind: Service + version: v1 + name: controller-manager-metrics-service + fieldPath: metadata.name + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + name: metrics-certs + fieldPaths: + - spec.dnsNames.0 + - spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true + - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' 
+ index: 0 + create: true + + - source: + kind: Service + version: v1 + name: controller-manager-metrics-service + fieldPath: metadata.namespace + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + name: metrics-certs + fieldPaths: + - spec.dnsNames.0 + - spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + create: true + - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor + kind: ServiceMonitor + group: monitoring.coreos.com + version: v1 + name: controller-manager-metrics-monitor + fieldPaths: + - spec.endpoints.0.tlsConfig.serverName + options: + delimiter: '.' + index: 1 + create: true + + - source: # Uncomment the following block if you have any webhook + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.name # Name of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true + - source: + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.namespace # Namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' 
+ index: 1 + create: true + + - source: # Uncomment the following block if you have a ValidatingWebhook (--programmatic-validation) + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # This name should match the one in certificate.yaml + fieldPath: .metadata.namespace # Namespace of the certificate CR + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPath: .metadata.name + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + + - source: # Uncomment the following block if you have a DefaultingWebhook (--defaulting ) + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPath: .metadata.namespace # Namespace of the certificate CR + targets: + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPath: .metadata.name + targets: + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + +# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion) +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert +# fieldPath: .metadata.namespace # Namespace of the certificate CR +# targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. 
+# +kubebuilder:scaffold:crdkustomizecainjectionns +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert +# fieldPath: .metadata.name +# targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. +# +kubebuilder:scaffold:crdkustomizecainjectionname diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 4f861d3db..000000000 --- a/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - # TODO(user): uncomment for common cases that do not require escalating privileges - # capabilities: - # drop: - # - "ALL" - image: kube-rbac-proxy:replace_me - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml deleted file mode 100644 index 6c400155c..000000000 --- a/config/default/manager_config_patch.yaml +++ /dev/null 
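Review bot: With `manager_auth_proxy_patch.yaml` dropped from `patches`, the kube-rbac-proxy sidecar that performed SubjectAccessReview authorization in front of /metrics is gone, while `#- ../network-policy` is left commented out, so access control on the new :8443 metrics endpoint now rests entirely on how cmd/main.go configures the metrics server, and that filter setup is not part of this diff. The comment above `manager_metrics_patch.yaml` only mentions HTTPS; I would extend it with `# NOTE: kube-rbac-proxy was removed; /metrics authn/z now depends on the metrics-server filter configured in cmd/main.go`. The `replacements` entries that target a `ServiceMonitor` while `#- ../prometheus` stays disabled are presumably no-ops when kustomize finds no match, but a one-line comment saying they only take effect once the prometheus base is enabled would save the next reader that check.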
@@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - args: - - "--config=controller_manager_config.yaml" - volumeMounts: - - name: manager-config - mountPath: /controller_manager_config.yaml - subPath: controller_manager_config.yaml - volumes: - - name: manager-config - configMap: - name: manager-config diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml new file mode 100644 index 000000000..2aaef6536 --- /dev/null +++ b/config/default/manager_metrics_patch.yaml @@ -0,0 +1,4 @@ +# This patch adds the args to allow exposing the metrics endpoint using HTTPS +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443 diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml index 738de350b..963c8a4cc 100644 --- a/config/default/manager_webhook_patch.yaml +++ b/config/default/manager_webhook_patch.yaml 
@@ -1,23 +1,31 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert +# This patch ensures the webhook certificates are properly mounted in the manager container. +# It configures the necessary arguments, volumes, volume mounts, and container ports. + +# Add the --webhook-cert-path argument for configuring the webhook certificate path +- op: add + path: /spec/template/spec/containers/0/args/- + value: --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs + +# Add the volumeMount for the webhook certificates +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs + readOnly: true + +# Add the port configuration for the webhook server +- op: add + path: /spec/template/spec/containers/0/ports/- + value: + containerPort: 9443 + name: webhook-server + protocol: TCP + +# Add the volume configuration for the webhook certificates +- op: add + path: /spec/template/spec/volumes/- + value: + name: webhook-certs + secret: + secretName: webhook-server-cert diff --git a/config/rbac/auth_proxy_service.yaml b/config/default/metrics_service.yaml similarity index 53% rename from config/rbac/auth_proxy_service.yaml rename to config/default/metrics_service.yaml index eb525ed15..8a4faa8bd 100644 --- a/config/rbac/auth_proxy_service.yaml +++ b/config/default/metrics_service.yaml @@ -3,6 +3,8 @@ kind: Service metadata: labels: control-plane: controller-manager + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize name: controller-manager-metrics-service namespace: system spec: 
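Review bot: The webhook volume is renamed from `cert` to `webhook-certs` here, while `config/operator/managers.yaml` in this same diff keeps `name: cert` for the equivalent mount and the commented-out OLM patch in `config/manifests/kustomization.yaml` still speaks of the "cert" volume; the naming drift is worth aligning or at least documenting. The new secret volume also drops the explicit `defaultMode: 420` the old one carried; that is the Kubernetes default for Secret volumes, so behaviour should be unchanged, but a comment `# defaultMode omitted: Secret volumes default to 0644` would make the omission look deliberate rather than accidental.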
@@ -10,6 +12,7 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: - openstack.org/operator-name: openstack + control-plane: controller-manager + app.kubernetes.io/name: openstack-operator diff --git a/config/default/mutatingwebhookcainjection_patch.yaml b/config/default/mutatingwebhookcainjection_patch.yaml deleted file mode 100644 index 829991c7e..000000000 --- a/config/default/mutatingwebhookcainjection_patch.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# This patch add annotation to admission webhook config and -# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/name: mutatingingwebhookconfiguration - app.kubernetes.io/instance: mutating-webhook-configuration - app.kubernetes.io/component: webhook - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator - app.kubernetes.io/managed-by: kustomize - name: mutating-webhook-configuration - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) diff --git a/config/default/validatingwebhookcainjection_patch.yaml b/config/default/validatingwebhookcainjection_patch.yaml deleted file mode 100644 index ebe13c3f3..000000000 --- a/config/default/validatingwebhookcainjection_patch.yaml +++ /dev/null 
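Review bot: The new selector `control-plane: controller-manager` plus `app.kubernetes.io/name: openstack-operator` is broader than the old `openstack.org/operator-name: openstack`; the per-service Deployments rendered from `config/operator/managers.yaml` in this diff carry the same `control-plane` label and `app.kubernetes.io/name: {{ .Name }}-operator`, so a manager whose `.Name` is `openstack` would also be selected by this Service — worth confirming that cannot happen, or keeping the `openstack.org/operator-name` key in the selector. `targetPort: 8443` is now numeric because the Deployment no longer declares a named metrics container port; a comment saying so would explain why it differs from the `https` name used for the Service port.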
@@ -1,15 +0,0 @@ -# This patch add annotation to admission webhook config and -# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/name: validatingwebhookconfiguration - app.kubernetes.io/instance: validating-webhook-configuration - app.kubernetes.io/component: webhook - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator - app.kubernetes.io/managed-by: kustomize - name: validating-webhook-configuration - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml deleted file mode 100644 index 3b9992c89..000000000 --- a/config/manager/controller_manager_config.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 -kind: ControllerManagerConfig -health: - healthProbeBindAddress: :8081 -metrics: - bindAddress: 127.0.0.1:8080 -webhook: - port: 9443 -leaderElection: - leaderElect: true - resourceName: 40ba705e.openstack.org diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 72b8cb5f6..5c5f0b84c 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -1,10 +1,2 @@ resources: - manager.yaml - -generatorOptions: - disableNameSuffixHash: true - -configMapGenerator: -- files: - - controller_manager_config.yaml - name: manager-config diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 0e9d9b860..1edc2e1e9 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml 
@@ -3,7 +3,8 @@ kind: Namespace metadata: labels: control-plane: controller-manager - openstack.org/operator-name: openstack + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize name: system --- apiVersion: apps/v1 @@ -14,10 +15,14 @@ metadata: labels: control-plane: controller-manager openstack.org/operator-name: openstack + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize spec: selector: matchLabels: + control-plane: controller-manager openstack.org/operator-name: openstack + app.kubernetes.io/name: openstack-operator replicas: 1 template: metadata: 
@@ -26,31 +31,51 @@ spec: labels: control-plane: controller-manager openstack.org/operator-name: openstack + app.kubernetes.io/name: openstack-operator spec: + # TODO(user): Uncomment the following code to configure the nodeAffinity expression + # according to the platforms which are supported by your solution. + # It is considered best practice to support multiple architectures. You can + # build your manager image using the makefile target docker-buildx. + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/arch + # operator: In + # values: + # - amd64 + # - arm64 + # - ppc64le + # - s390x + # - key: kubernetes.io/os + # operator: In + # values: + # - linux securityContext: + # Projects are configured by default to adhere to the "restricted" Pod Security Standards. + # This ensures that deployments meet the highest security requirements for Kubernetes. + # For more details, see: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted runAsNonRoot: true - # TODO(user): For common cases that do not require escalating privileges - # it is recommended to ensure that all your Pods/Containers are restrictive. - # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - # Please uncomment the following code if your project does NOT have to work on old Kubernetes - # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). 
- # seccompProfile: - # type: RuntimeDefault + seccompProfile: + type: RuntimeDefault containers: - command: - /manager args: - - --leader-elect + - --leader-elect + - --health-probe-bind-address=:8081 env: - envCustom: replace_me #NOTE: this is used via the Makefile to inject a custom template loop that kustomize won't allow image: '{{ .OpenStackOperator.Deployment.Manager.Image }}' name: manager + ports: [] securityContext: allowPrivilegeEscalation: false - # TODO(user): uncomment for common cases that do not require escalating privileges - # capabilities: - # drop: - # - "ALL" + capabilities: + drop: + - "ALL" livenessProbe: httpGet: path: /healthz @@ -70,6 +95,7 @@ spec: customLimits: replace_me #NOTE: this is used via the Makefile to inject a custom template that kustomize won't allow requests: customRequests: replace_me #NOTE: this is used via the Makefile to inject a custom template that kustomize won't allow + volumeMounts: [] + volumes: [] serviceAccountName: openstack-operator-controller-manager terminationGracePeriodSeconds: 10 - customTolerations: replace_me #NOTE: this is used via the Makefile to inject a custom template that kustomize won't allow diff --git a/config/manifests/bases/openstack-operator.clusterserviceversion.yaml b/config/manifests/bases/openstack-operator.clusterserviceversion.yaml index a78a4a5da..e2a3e6bea 100644 --- a/config/manifests/bases/openstack-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/openstack-operator.clusterserviceversion.yaml 
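Review bot: `customTolerations: replace_me` is deleted at the end of the second hunk, but its NOTE says the Makefile injects a template at that marker; unless the corresponding Makefile step was also removed (not visible in this diff) that injection will now silently find nothing to replace. The new `ports: []`, `volumeMounts: []` and `volumes: []` placeholders exist so the JSON6902 patches in config/default can append with `/-`; a comment such as `# kept as empty lists so the /- append ops in config/default/*_patch.yaml have a target` would stop someone "cleaning" them up. The `seccompProfile: RuntimeDefault` and `drop: ["ALL"]` hardening added here is not mirrored in `config/operator/deployment/deployment.yaml`, which still keeps `seccompProfile` commented out.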
@@ -14,9 +14,9 @@ metadata: operatorframework.io/suggested-namespace: openstack-operators operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift Platform Plus"]' - operators.operatorframework.io/builder: operator-sdk-v1.31.0 + operators.operatorframework.io/builder: operator-sdk-v1.41.0 operators.operatorframework.io/internal-objects: '["openstackclients.client.openstack.org","openstackdataplaneservices.dataplane.openstack.org"]' - operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 + operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 name: openstack-operator.v0.0.0 namespace: placeholder spec: @@ -286,10 +286,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: nova.apiOverride.tls - - description: CellOverride, provides the ability to override the generated - manifest of several child resources for a nova cell. cell0 never have compute - nodes and therefore it won't have a noVNCProxy deployed. Providing an override - for cell0 noVNCProxy does not have an effect. + - description: |- + CellOverride, provides the ability to override the generated manifest of several child resources + for a nova cell. cell0 never have compute nodes and therefore it won't have a noVNCProxy deployed. + Providing an override for cell0 noVNCProxy does not have an effect. displayName: Cell Override path: nova.cellOverride - description: TLS - overrides tls parameters for public endpoint 
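Review bot: The builder annotation is set to `operator-sdk-v1.41.0` here, but the Makefile in this diff pins `OPERATOR_SDK_VERSION ?= v1.41.1` and the second CSV base in `config/operator/manifests/bases/openstack-operator.clusterserviceversion.yaml` says `operator-sdk-v1.41.1`, so one of the two bases appears to have been regenerated with a different SDK build. Regenerating this file with the pinned version, `operators.operatorframework.io/builder: operator-sdk-v1.41.1`, keeps the two bases and the Makefile consistent.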
@@ -476,8 +476,9 @@ spec: path: tls.podLevel.enabled x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Internal - default CA used for all OpenStackControlPlane and - OpenStackDataplane endpoints, except OVN related CA and certs + - description: |- + Internal - default CA used for all OpenStackControlPlane and OpenStackDataplane endpoints, + except OVN related CA and certs displayName: Internal path: tls.podLevel.internal - description: Ca - defines details for CA cert config @@ -540,9 +541,9 @@ spec: displayName: TLS path: tls version: v1beta1 - - description: OpenStackDataPlaneDeployment is the Schema for the openstackdataplanedeployments - API OpenStackDataPlaneDeployment name must be a valid RFC1123 as it is used - in labels + - description: |- + OpenStackDataPlaneDeployment is the Schema for the openstackdataplanedeployments API + OpenStackDataPlaneDeployment name must be a valid RFC1123 as it is used in labels displayName: OpenStack Data Plane Deployments kind: OpenStackDataPlaneDeployment name: openstackdataplanedeployments.dataplane.openstack.org @@ -565,9 +566,9 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch version: v1beta1 - - description: OpenStackDataPlaneNodeSet is the Schema for the openstackdataplanenodesets - API OpenStackDataPlaneNodeSet name must be a valid RFC1123 as it is used in - labels + - description: |- + OpenStackDataPlaneNodeSet is the Schema for the openstackdataplanenodesets API + OpenStackDataPlaneNodeSet name must be a valid RFC1123 as it is used in labels displayName: OpenStack Data Plane NodeSet kind: OpenStackDataPlaneNodeSet name: openstackdataplanenodesets.dataplane.openstack.org 
@@ -577,10 +578,12 @@ spec: path: nodeTemplate.ansible.ansiblePort x-descriptors: - urn:alm:descriptor:com.tectonic.ui:number - - description: 'AnsibleSSHPrivateKeySecret Name of a private SSH key secret - containing private SSH key for connecting to node. The named secret must - be of the form: Secret.data.ssh-privatekey: ' + - description: |- + AnsibleSSHPrivateKeySecret Name of a private SSH key secret containing + private SSH key for connecting to node. + The named secret must be of the form: + Secret.data.ssh-privatekey: + displayName: Ansible SSHPrivate Key Secret path: nodeTemplate.ansibleSSHPrivateKeySecret x-descriptors: @@ -607,9 +610,9 @@ spec: x-descriptors: - urn:alm:descriptor:io.kubernetes.conditions version: v1beta1 - - description: OpenStackDataPlaneService is the Schema for the openstackdataplaneservices - API OpenStackDataPlaneService name must be a valid RFC1123 as it is used in - labels + - description: |- + OpenStackDataPlaneService defines the Schema for the openstackdataplaneservices API. + OpenStackDataPlaneService name must be a valid RFC1123 as it is used in labels displayName: OpenStack Data Plane Service kind: OpenStackDataPlaneService name: openstackdataplaneservices.dataplane.openstack.org @@ -619,9 +622,9 @@ spec: path: addCertMounts x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: DeployOnAllNodeSets - should the service be deploy across all - nodesets This will override default target of a service play, setting it - to 'all'. + - description: |- + DeployOnAllNodeSets - should the service be deploy across all nodesets + This will override default target of a service play, setting it to 'all'. displayName: Deploy On All Node Sets path: deployOnAllNodeSets x-descriptors: 
@@ -633,7 +636,7 @@ spec: x-descriptors: - urn:alm:descriptor:io.kubernetes.conditions version: v1beta1 - - description: OpenStack is the Schema for the openstacks API + - description: OpenStack defines the Schema for the openstacks API displayName: OpenStack kind: OpenStack name: openstacks.operator.openstack.org @@ -644,7 +647,7 @@ spec: x-descriptors: - urn:alm:descriptor:io.kubernetes.conditions version: v1beta1 - - description: OpenStackVersion is the Schema for the openstackversionupdates + - description: OpenStackVersion defines the Schema for the openstackversionupdates API displayName: OpenStack Version kind: OpenStackVersion @@ -680,6 +683,7 @@ spec: - name: Openstack Operator url: https://github.com/openstack-k8s-operators/ maturity: alpha + minKubeVersion: 1.31.0 provider: name: Red Hat Inc. url: https://redhat.com/ diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 96867a52e..e7daaa018 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -20,7 +20,8 @@ resources: # # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. # # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. # - op: remove -# path: /spec/template/spec/containers/1/volumeMounts/0 + +# path: /spec/template/spec/containers/0/volumeMounts/0 # # Remove the "cert" volume, since OLM will create and mount a set of certs. # # Update the indices in this path if adding or removing volumes in the manager's Deployment. # - op: remove diff --git a/config/network-policy/allow-metrics-traffic.yaml b/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 000000000..2b1e4cb0a --- /dev/null +++ b/config/network-policy/allow-metrics-traffic.yaml 
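Review bot: `minKubeVersion: 1.31.0` is added here, while the operator CSV base in `config/operator/manifests/bases/openstack-operator.clusterserviceversion.yaml` adds `minKubeVersion: 0.0.1`, which places no real constraint, so the two bundles will advertise different platform requirements. OLM uses this field to gate installation, so a wrong floor either blocks installs or hides an incompatibility; if 1.31 is the intended minimum both bases should carry `minKubeVersion: 1.31.0`, otherwise the `0.0.1` placeholder deserves a comment explaining why it differs.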
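Review bot: The blank `+` line inserted between `# - op: remove` and `# path: /spec/template/spec/containers/0/volumeMounts/0` splits a commented-out JSON patch op from its path; it is harmless YAML if the block is ever uncommented, but the visual pairing is lost, so I would drop the empty line. The index change from containers/1 to containers/0 is consistent with the kube-rbac-proxy sidecar being removed elsewhere in this diff, which leaves the manager as container 0.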
@@ -0,0 +1,27 @@
+# This NetworkPolicy allows ingress traffic
+# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those
+# namespaces are able to gather data from the metrics endpoint.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: allow-metrics-traffic
+ namespace: system
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: openstack-operator
+ policyTypes:
+ - Ingress
+ ingress:
+ # This allows ingress traffic from any namespace with the label metrics: enabled
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ metrics: enabled # Only from namespaces with this label
+ ports:
+ - port: 8443
+ protocol: TCP
diff --git a/config/network-policy/allow-webhook-traffic.yaml b/config/network-policy/allow-webhook-traffic.yaml
new file mode 100644
index 000000000..007a18b7d
--- /dev/null
+++ b/config/network-policy/allow-webhook-traffic.yaml
@@ -0,0 +1,27 @@
+# This NetworkPolicy allows ingress traffic to your webhook server running
+# as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks
+# will only work when applied in namespaces labeled with 'webhook: enabled'
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: allow-webhook-traffic
+ namespace: system
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: openstack-operator
+ policyTypes:
+ - Ingress
+ ingress:
+ # This allows ingress traffic from any namespace with the label webhook: enabled
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ webhook: enabled # Only from namespaces with this label
+ ports:
+ - port: 443
+ protocol: TCP
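Review bot: `port: 443` in the webhook policy does not match the webhook server's container port, which `config/default/manager_webhook_patch.yaml` in this diff sets to 9443; NetworkPolicy port rules are evaluated against the pod port after Service DNAT, so with a CNI that enforces policy this rule would likely not admit admission traffic — verify against the CNI in use. Changing the rule to `- port: 9443` aligns it with the container port, and since admission requests come from the API server rather than from a Pod in a labeled namespace, the `namespaceSelector` clause may also need revisiting for that CNI. Both policies are inert until `../network-policy` in `config/default/kustomization.yaml` is uncommented, which this commit leaves disabled; the header comments could say so.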
diff --git a/config/network-policy/kustomization.yaml b/config/network-policy/kustomization.yaml new file mode 100644 index 000000000..0872bee12 --- /dev/null +++ b/config/network-policy/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- allow-webhook-traffic.yaml +- allow-metrics-traffic.yaml diff --git a/config/operator/delete_crd.yaml b/config/operator/delete_crd.yaml deleted file mode 100644 index a7299553b..000000000 --- a/config/operator/delete_crd.yaml +++ /dev/null @@ -1,35 +0,0 @@ -$patch: delete -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: openstackcontrolplanes.core.openstack.org ---- -$patch: delete -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: openstackversions.core.openstack.org ---- -$patch: delete -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: openstackclients.client.openstack.org ---- -$patch: delete -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: openstackdataplanenodesets.dataplane.openstack.org ---- -$patch: delete -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: openstackdataplaneservices.dataplane.openstack.org ---- -$patch: delete -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: openstackdataplanedeployments.dataplane.openstack.org diff --git a/config/operator/deployment/deployment.yaml b/config/operator/deployment/deployment.yaml index fa44c8bde..22e38854a 100644 --- a/config/operator/deployment/deployment.yaml +++ b/config/operator/deployment/deployment.yaml @@ -2,8 +2,8 @@ apiVersion: v1 kind: Namespace metadata: labels: - control-plane: openstack-operator-controller-operator - openstack.org/operator-name: openstack + app.kubernetes.io/name: openstack-operator-controller-operator + control-plane: controller-manager name: system --- apiVersion: apps/v1 
@@ -12,20 +12,24 @@ metadata: name: openstack-operator-controller-operator namespace: system labels: - control-plane: openstack-operator-controller-operator - openstack.org/operator-name: openstack-controller + app.kubernetes.io/name: openstack-operator-controller-operator + control-plane: controller-manager + openstack.org/operator-name: openstack-init spec: selector: matchLabels: - openstack.org/operator-name: openstack-controller + app.kubernetes.io/name: openstack-operator-controller-operator + control-plane: controller-manager + openstack.org/operator-name: openstack-init replicas: 1 template: metadata: annotations: kubectl.kubernetes.io/default-container: operator labels: - control-plane: openstack-operator-controller-operator - openstack.org/operator-name: openstack-controller + app.kubernetes.io/name: openstack-operator-controller-operator + control-plane: controller-manager + openstack.org/operator-name: openstack-init spec: securityContext: runAsNonRoot: true @@ -37,30 +41,11 @@ spec: # seccompProfile: # type: RuntimeDefault containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: quay.io/openstack-k8s-operators/kube-rbac-proxy:v0.16.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - command: - /operator args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect + - --health-probe-bind-address=:8081 env: # we use kustomize to replace the first 2 envs here so do not reorder these - name: OPENSTACK_RELEASE_VERSION diff --git a/config/operator/kustomization.yaml b/config/operator/kustomization.yaml index b5b38d02e..68033a6de 100644 --- a/config/operator/kustomization.yaml +++ b/config/operator/kustomization.yaml 
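Review bot: Removing the kube-rbac-proxy sidecar also removes `--metrics-bind-address=127.0.0.1:8080` without supplying a replacement, so the operator's metrics exposure now depends on the flag default in cmd/operator/main.go, which is not in this diff: if that default disables metrics the endpoint is simply off, and if it is a non-loopback `:8080` the metrics are now served unauthenticated inside the cluster where before they sat on loopback behind the proxy. Either outcome should be stated explicitly in args, e.g. `- --metrics-bind-address=0` or the cert-backed `:8443` configuration used in managers.yaml. The pod securityContext here still has `seccompProfile` commented out while config/manager/manager.yaml in this diff enables `RuntimeDefault` and drops all capabilities; aligning the two deployments keeps the restricted Pod Security posture consistent.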
@@ -1,17 +1,14 @@ resources: - ../crd/bases/operator.openstack.org_openstacks.yaml +- ../samples/operator_v1beta1_openstack.yaml bases: -#- ../crd/ - manifests - rbac - deployment -- ../certmanager/ -- ../samples/ -patchesStrategicMerge: -#- delete_crd.yaml +patches: # Injects our custom images (ENV variable settings) -- manager_operator_images.yaml -- default_images.yaml +- path: manager_operator_images.yaml +- path: default_images.yaml diff --git a/config/operator/managers.yaml b/config/operator/managers.yaml index 8b13757f0..ad130652a 100644 --- a/config/operator/managers.yaml +++ b/config/operator/managers.yaml @@ -5,13 +5,16 @@ metadata: labels: control-plane: controller-manager openstack.org/operator-name: {{ .Name }} + app.kubernetes.io/name: {{ .Name }} name: {{ .Name }}-operator-controller-manager namespace: {{ .Namespace }} spec: replicas: {{ .Deployment.Replicas }} selector: matchLabels: + control-plane: controller-manager openstack.org/operator-name: {{ .Name }} + app.kubernetes.io/name: {{ .Name }}-operator template: metadata: annotations: @@ -19,12 +22,21 @@ spec: labels: control-plane: controller-manager openstack.org/operator-name: {{ .Name }} + app.kubernetes.io/name: {{ .Name }}-operator spec: containers: - args: + - --leader-elect - --health-probe-bind-address=:8081 +{{- if isEnvVarTrue .Deployment.Manager.Env "METRICS_CERTS" }} + - --metrics-bind-address=:8443 + - --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs +{{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }} + - --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs +{{- end }} +{{- else }} - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect +{{- end }} command: - /manager env: 
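Review bot: `bases:` is kept while the commit already migrates `patchesStrategicMerge` to `patches`; `bases` is deprecated in kustomize in favour of listing the directories under `resources`, so moving `manifests`, `rbac` and `deployment` next to the two `resources` entries would finish the migration in one pass. `../certmanager/` is also dropped from this overlay; if the METRICS_CERTS path in managers.yaml relies on cert-manager-issued `{{ .Name }}-operator-metrics-server-cert` Secrets, a comment pointing at where those Certificates are now created would help the next reader.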
@@ -55,12 +67,18 @@ spec: memory: {{ .Deployment.Manager.Resources.Requests.Memory }} securityContext: allowPrivilegeEscalation: false -{{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }} volumeMounts: +{{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }} - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true {{- end }} +{{- if isEnvVarTrue .Deployment.Manager.Env "METRICS_CERTS" }} + - mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true +{{- end }} +{{- if isEnvVarFalse .Deployment.Manager.Env "METRICS_CERTS" }} - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ @@ -81,6 +99,7 @@ spec: memory: {{ .Deployment.KubeRbacProxy.Resources.Requests.Memory }} securityContext: allowPrivilegeEscalation: false +{{- end }} securityContext: runAsNonRoot: true serviceAccountName: {{ .Name }}-operator-controller-manager @@ -101,12 +120,25 @@ spec: tolerationSeconds: {{ .TolerationSeconds }} {{- end }} {{- end }} -{{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }} volumes: +{{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }} - name: cert secret: defaultMode: 420 secretName: {{ .Name }}-operator-webhook-server-cert {{ end }} +{{- if isEnvVarTrue .Deployment.Manager.Env "METRICS_CERTS" }} + - name: metrics-certs + secret: + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + optional: false + secretName: {{ .Name }}-operator-metrics-server-cert +{{ end }} --- {{ end }} diff --git a/config/operator/manifests/bases/openstack-operator.clusterserviceversion.yaml b/config/operator/manifests/bases/openstack-operator.clusterserviceversion.yaml index 342eb53e4..5dba123c6 100644 --- a/config/operator/manifests/bases/openstack-operator.clusterserviceversion.yaml +++ b/config/operator/manifests/bases/openstack-operator.clusterserviceversion.yaml 
@@ -14,8 +14,8 @@ metadata: operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift Platform Plus"]' operatorframework.io/suggested-namespace: openstack-operators operatorframework.io/initialization-resource: '{"apiVersion":"operator.openstack.org/v1beta1","kind":"OpenStack","metadata":{"name":"openstack","namespace":"openstack-operators"},"spec":{}}' - operators.operatorframework.io/builder: operator-sdk-v1.31.0 - operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 + operators.operatorframework.io/builder: operator-sdk-v1.41.1 + operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 name: openstack-operator.v0.0.0 namespace: placeholder spec: @@ -55,3 +55,4 @@ spec: name: Red Hat Inc. url: https://redhat.com/ version: 0.1.0 + minKubeVersion: 0.0.1 diff --git a/config/operator/rbac/auth_proxy_service.yaml b/config/operator/rbac/auth_proxy_service.yaml deleted file mode 100644 index 30d060521..000000000 --- a/config/operator/rbac/auth_proxy_service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: openstack-operator-controller-operator - name: controller-operator-metrics-service-operator - namespace: system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - openstack.org/operator-name: openstack-operator diff --git a/config/operator/rbac/kustomization.yaml b/config/operator/rbac/kustomization.yaml index 731832a6a..3334d4991 100644 --- a/config/operator/rbac/kustomization.yaml +++ b/config/operator/rbac/kustomization.yaml 
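Review bot: `minKubeVersion: 0.0.1` is the scaffold placeholder and tells OLM the bundle runs on any Kubernetes release, which OLM will take at face value; the real floor is set by the CRD API versions and the metrics/webhook flags introduced elsewhere in this diff. Replace it with the actual minimum, e.g. `minKubeVersion: <lowest supported Kubernetes version>`, and keep it in step with the OpenShift releases the project supports.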
@@ -1,3 +1,13 @@ +# Adds namespace to all resources. +namespace: '{{ .OperatorNamespace }}' + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: openstack-operator- + resources: # All RBAC will be applied under this service account in # the deployment namespace. You may comment out this resource @@ -9,10 +19,12 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml diff --git a/config/operator/rbac/leader_election_role.yaml b/config/operator/rbac/leader_election_role.yaml index 78acf677e..76ce2df89 100644 --- a/config/operator/rbac/leader_election_role.yaml +++ b/config/operator/rbac/leader_election_role.yaml @@ -2,6 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + labels: + app.kubernetes.io/name: openstack-operator-controller-operator + app.kubernetes.io/managed-by: kustomize name: leader-election-role-operator rules: - apiGroups: diff --git a/config/operator/rbac/leader_election_role_binding.yaml b/config/operator/rbac/leader_election_role_binding.yaml index 949093d62..fe8f9fdb5 100644 
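Review bot: The scaffold comment above `namePrefix: openstack-operator-` says the prefix "should also match with the prefix (text before '-') of the namespace field above", but the namespace here is the template value `'{{ .OperatorNamespace }}'`, so that sentence and the wordpress example no longer describe this overlay. Replace them with a project-specific note, e.g. `# Prefix applied to every resource in this overlay; the binding subjects already assume it (openstack-operator-controller-operator).`, and since the namespace line is a Go template rather than a literal, say in one line which renderer fills it in before kustomize runs.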
--- a/config/operator/rbac/leader_election_role_binding.yaml +++ b/config/operator/rbac/leader_election_role_binding.yaml @@ -1,6 +1,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize name: leader-election-rolebinding-operator roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/config/operator/rbac/auth_proxy_role.yaml b/config/operator/rbac/metrics_auth_role.yaml similarity index 88% rename from config/operator/rbac/auth_proxy_role.yaml rename to config/operator/rbac/metrics_auth_role.yaml index cfbb8a4b5..8b0e81ed0 100644 --- a/config/operator/rbac/auth_proxy_role.yaml +++ b/config/operator/rbac/metrics_auth_role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: proxy-role-operator + name: metrics-auth-role-operator rules: - apiGroups: - authentication.k8s.io diff --git a/config/operator/rbac/auth_proxy_role_binding.yaml b/config/operator/rbac/metrics_auth_role_binding.yaml similarity index 75% rename from config/operator/rbac/auth_proxy_role_binding.yaml rename to config/operator/rbac/metrics_auth_role_binding.yaml index cd3f0efeb..e51e856b6 100644 --- a/config/operator/rbac/auth_proxy_role_binding.yaml +++ b/config/operator/rbac/metrics_auth_role_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: proxy-rolebinding-operator + name: metrics-auth-rolebinding-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role-operator + name: metrics-auth-role-operator subjects: - kind: ServiceAccount name: openstack-operator-controller-operator diff --git a/config/operator/rbac/auth_proxy_client_clusterrole.yaml b/config/operator/rbac/metrics_reader_role.yaml similarity index 100% rename from config/operator/rbac/auth_proxy_client_clusterrole.yaml rename to config/operator/rbac/metrics_reader_role.yaml 
diff --git a/config/operator/rbac/role.yaml b/config/operator/rbac/role.yaml index 094127a16..8684db511 100644 --- a/config/operator/rbac/role.yaml +++ b/config/operator/rbac/role.yaml @@ -65,6 +65,7 @@ rules: - servicemonitors verbs: - create + - delete - get - list - update diff --git a/config/operator/rbac/role_binding.yaml b/config/operator/rbac/role_binding.yaml index 4d6ab18d8..f89933b5e 100644 --- a/config/operator/rbac/role_binding.yaml +++ b/config/operator/rbac/role_binding.yaml @@ -1,6 +1,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app.kubernetes.io/name: openstack-operator-controller-operator + app.kubernetes.io/managed-by: kustomize name: operator-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/config/operator/rbac/service_account.yaml b/config/operator/rbac/service_account.yaml index 72275ca0d..ad2ef0f8e 100644 --- a/config/operator/rbac/service_account.yaml +++ b/config/operator/rbac/service_account.yaml @@ -1,5 +1,8 @@ apiVersion: v1 kind: ServiceAccount metadata: + labels: + app.kubernetes.io/name: openstack-operator-controller-operator + app.kubernetes.io/managed-by: kustomize name: controller-operator namespace: system diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml index ed137168a..8126ea89b 100644 --- a/config/prometheus/kustomization.yaml +++ b/config/prometheus/kustomization.yaml @@ -1,2 +1,11 @@ resources: - monitor.yaml + +# [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus +# to securely reference certificates created and managed by cert-manager. +# Additionally, ensure that you uncomment the [METRICS WITH CERTMANAGER] patch under config/default/kustomization.yaml +# to mount the "metrics-server-cert" secret in the Manager Deployment. +patches: + - path: monitor_tls_patch.yaml + target: + kind: ServiceMonitor 
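Review bot: `delete` is added to the `servicemonitors` verbs by editing config/operator/rbac/role.yaml directly; if this file is regenerated from `+kubebuilder:rbac` markers by `make manifests`, as is usual for kubebuilder layouts, the Go marker must carry the same verb or the next regeneration silently drops it. Add the verb to the marker and, since nothing in the diff says why the operator now deletes ServiceMonitors, leave a short note above the rule such as `# delete: the operator removes ServiceMonitors it created when metrics are reconfigured` (adjust to the real reason).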
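Review bot: `monitor_tls_patch.yaml` is listed under `patches:` and therefore always applied, while the comment above it presents it as an opt-in that must be paired with an uncommented `[METRICS WITH CERTMANAGER]` patch in config/default/kustomization.yaml. If that companion patch is not enabled, the rendered ServiceMonitor points at a `metrics-server-cert` secret nobody creates and scraping fails; either comment the patch out to match the instruction, or reword the comment to state the requirement, e.g. `# Always applied: the metrics-server-cert secret (cert-manager) must exist or the ServiceMonitor cannot scrape.`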
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index 10730da9f..3895ecdb2 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml @@ -1,20 +1,27 @@ - # Prometheus Monitor Service (Metrics) apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: control-plane: controller-manager + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize name: controller-manager-metrics-monitor namespace: system spec: endpoints: - path: /metrics - port: https + port: https # Ensure this is the name of the port that exposes HTTPS metrics scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: + # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml, + # which securely references the certificate from the 'metrics-server-cert' secret. insecureSkipVerify: true selector: matchLabels: - openstack.org/operator-name: openstack + control-plane: controller-manager + app.kubernetes.io/name: openstack-operator diff --git a/config/prometheus/monitor_tls_patch.yaml b/config/prometheus/monitor_tls_patch.yaml new file mode 100644 index 000000000..5bf84ce0d --- /dev/null +++ b/config/prometheus/monitor_tls_patch.yaml 
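Review bot: The TODO added under `tlsConfig:` directs users to `config/prometheus/servicemonitor_tls_patch.yaml`, but the file this diff adds and wires into config/prometheus/kustomization.yaml is `config/prometheus/monitor_tls_patch.yaml`; the path in the comment should be corrected. Because that patch is applied unconditionally by the kustomization in this diff, the `insecureSkipVerify: true` left in the base is overridden to `false` in the rendered output, and the comment should say so, otherwise a reader of this file believes the deployed ServiceMonitor skips certificate verification.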
@@ -0,0 +1,19 @@
+# Patch for Prometheus ServiceMonitor to enable secure TLS configuration
+# using certificates managed by cert-manager
+- op: replace
+ path: /spec/endpoints/0/tlsConfig
+ value:
+ # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+ serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
+ insecureSkipVerify: false
+ ca:
+ secret:
+ name: metrics-server-cert
+ key: ca.crt
+ cert:
+ secret:
+ name: metrics-server-cert
+ key: tls.crt
+ keySecret:
+ name: metrics-server-cert
+ key: tls.key
diff --git a/config/rbac/client_openstackclient_admin_role.yaml b/config/rbac/client_openstackclient_admin_role.yaml
new file mode 100644
index 000000000..15143c78c
--- /dev/null
+++ b/config/rbac/client_openstackclient_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over client.openstack.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: client-openstackclient-admin-role
+rules:
+- apiGroups:
+ - client.openstack.org
+ resources:
+ - openstackclients
+ verbs:
+ - '*'
+- apiGroups:
+ - client.openstack.org
+ resources:
+ - openstackclients/status
+ verbs:
+ - get
diff --git a/config/rbac/client_openstackclient_editor_role.yaml b/config/rbac/client_openstackclient_editor_role.yaml
index c58077b9b..cfc1f62d6 100644
--- a/config/rbac/client_openstackclient_editor_role.yaml
+++ b/config/rbac/client_openstackclient_editor_role.yaml
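Review bot: `serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc` is a literal that the comment says kustomize substitutes, but config/prometheus/kustomization.yaml in this diff carries no `replacements` stanza; unless config/default supplies one (not visible here), the ServiceMonitor ships with that literal serverName, the certificate SAN never matches and every scrape fails even though `insecureSkipVerify: false` is the right setting. Point the comment at the file that performs the substitution, e.g. `# substituted by the replacements block in config/default/kustomization.yaml`, or add the replacements next to the patch so the overlay is self-contained.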
@@ -1,15 +1,17 @@ -# permissions for end users to edit openstackclients. +# This rule is not used by the project openstack-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the client.openstack.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: openstackclient-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator + app.kubernetes.io/name: openstack-operator app.kubernetes.io/managed-by: kustomize - name: openstackclient-editor-role + name: client-openstackclient-editor-role rules: - apiGroups: - client.openstack.org diff --git a/config/rbac/client_openstackclient_viewer_role.yaml b/config/rbac/client_openstackclient_viewer_role.yaml index 7fdb074d7..9ac4bc78e 100644 --- a/config/rbac/client_openstackclient_viewer_role.yaml +++ b/config/rbac/client_openstackclient_viewer_role.yaml 
@@ -1,15 +1,17 @@ -# permissions for end users to view openstackclients. +# This rule is not used by the project openstack-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to client.openstack.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: openstackclient-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator + app.kubernetes.io/name: openstack-operator app.kubernetes.io/managed-by: kustomize - name: openstackclient-viewer-role + name: client-openstackclient-viewer-role rules: - apiGroups: - client.openstack.org diff --git a/config/rbac/core_openstackcontrolplane_admin_role.yaml b/config/rbac/core_openstackcontrolplane_admin_role.yaml new file mode 100644 index 000000000..c68df5d61 --- /dev/null +++ b/config/rbac/core_openstackcontrolplane_admin_role.yaml 
@@ -0,0 +1,27 @@ +# This rule is not used by the project openstack-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over core.openstack.org. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize + name: core-openstackcontrolplane-admin-role +rules: +- apiGroups: + - core.openstack.org + resources: + - openstackcontrolplanes + verbs: + - '*' +- apiGroups: + - core.openstack.org + resources: + - openstackcontrolplanes/status + verbs: + - get diff --git a/config/rbac/core_openstackcontrolplane_editor_role.yaml b/config/rbac/core_openstackcontrolplane_editor_role.yaml index fd534a890..edd3774e6 100644 --- a/config/rbac/core_openstackcontrolplane_editor_role.yaml +++ b/config/rbac/core_openstackcontrolplane_editor_role.yaml @@ -1,8 +1,17 @@ -# permissions for end users to edit openstackcontrolplanes. +# This rule is not used by the project openstack-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the core.openstack.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: openstackcontrolplane-editor-role + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize + name: core-openstackcontrolplane-editor-role rules: - apiGroups: - core.openstack.org 
diff --git a/config/rbac/core_openstackcontrolplane_viewer_role.yaml b/config/rbac/core_openstackcontrolplane_viewer_role.yaml index 619ed2b60..e248a5316 100644 --- a/config/rbac/core_openstackcontrolplane_viewer_role.yaml +++ b/config/rbac/core_openstackcontrolplane_viewer_role.yaml @@ -1,8 +1,17 @@ -# permissions for end users to view openstackcontrolplanes. +# This rule is not used by the project openstack-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to core.openstack.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: openstackcontrolplane-viewer-role + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize + name: core-openstackcontrolplane-viewer-role rules: - apiGroups: - core.openstack.org diff --git a/config/rbac/core_openstackversion_admin_role.yaml b/config/rbac/core_openstackversion_admin_role.yaml new file mode 100644 index 000000000..8d9b9ed86 --- /dev/null +++ b/config/rbac/core_openstackversion_admin_role.yaml 
@@ -0,0 +1,27 @@ +# This rule is not used by the project openstack-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over core.openstack.org. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize + name: core-openstackversion-admin-role +rules: +- apiGroups: + - core.openstack.org + resources: + - openstackversions + verbs: + - '*' +- apiGroups: + - core.openstack.org + resources: + - openstackversions/status + verbs: + - get diff --git a/config/rbac/core_openstackversion_editor_role.yaml b/config/rbac/core_openstackversion_editor_role.yaml index e274cb878..58276a24d 100644 --- a/config/rbac/core_openstackversion_editor_role.yaml +++ b/config/rbac/core_openstackversion_editor_role.yaml 
@@ -1,15 +1,17 @@ -# permissions for end users to edit openstackversions. +# This rule is not used by the project openstack-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the core.openstack.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: openstackversion-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator + app.kubernetes.io/name: openstack-operator app.kubernetes.io/managed-by: kustomize - name: openstackversion-editor-role + name: core-openstackversion-editor-role rules: - apiGroups: - core.openstack.org diff --git a/config/rbac/core_openstackversion_viewer_role.yaml b/config/rbac/core_openstackversion_viewer_role.yaml index 25c4bcc90..8899a6e4d 100644 --- a/config/rbac/core_openstackversion_viewer_role.yaml +++ b/config/rbac/core_openstackversion_viewer_role.yaml 
@@ -1,15 +1,17 @@ -# permissions for end users to view openstackversions. +# This rule is not used by the project openstack-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to core.openstack.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: openstackversion-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator + app.kubernetes.io/name: openstack-operator app.kubernetes.io/managed-by: kustomize - name: openstackversion-viewer-role + name: core-openstackversion-viewer-role rules: - apiGroups: - core.openstack.org diff --git a/config/rbac/dataplane_openstackdataplanedeployment_admin_role.yaml b/config/rbac/dataplane_openstackdataplanedeployment_admin_role.yaml new file mode 100644 index 000000000..8b7f72a5a --- /dev/null +++ b/config/rbac/dataplane_openstackdataplanedeployment_admin_role.yaml 
@@ -0,0 +1,27 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over dataplane.openstack.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: dataplane-openstackdataplanedeployment-admin-role
+rules:
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanedeployments
+ verbs:
+ - '*'
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanedeployments/status
+ verbs:
+ - get
diff --git a/config/rbac/dataplane_openstackdataplanedeployment_editor_role.yaml b/config/rbac/dataplane_openstackdataplanedeployment_editor_role.yaml
new file mode 100644
index 000000000..f9eb5ec11
--- /dev/null
+++ b/config/rbac/dataplane_openstackdataplanedeployment_editor_role.yaml
@@ -0,0 +1,33 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the dataplane.openstack.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: dataplane-openstackdataplanedeployment-editor-role
+rules:
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanedeployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanedeployments/status
+ verbs:
+ - get
diff --git a/config/rbac/dataplane_openstackdataplanedeployment_viewer_role.yaml b/config/rbac/dataplane_openstackdataplanedeployment_viewer_role.yaml
new file mode 100644
index 000000000..c1c985b2c
--- /dev/null
+++ b/config/rbac/dataplane_openstackdataplanedeployment_viewer_role.yaml
@@ -0,0 +1,29 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to dataplane.openstack.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: dataplane-openstackdataplanedeployment-viewer-role
+rules:
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanedeployments
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanedeployments/status
+ verbs:
+ - get
diff --git a/config/rbac/dataplane_openstackdataplanenodeset_admin_role.yaml b/config/rbac/dataplane_openstackdataplanenodeset_admin_role.yaml
new file mode 100644
index 000000000..3d6b31f45
--- /dev/null
+++ b/config/rbac/dataplane_openstackdataplanenodeset_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over dataplane.openstack.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: dataplane-openstackdataplanenodeset-admin-role
+rules:
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanenodesets
+ verbs:
+ - '*'
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanenodesets/status
+ verbs:
+ - get
diff --git a/config/rbac/dataplane_openstackdataplanenodeset_editor_role.yaml b/config/rbac/dataplane_openstackdataplanenodeset_editor_role.yaml
new file mode 100644
index 000000000..d8f8ddbf9
--- /dev/null
+++ b/config/rbac/dataplane_openstackdataplanenodeset_editor_role.yaml
@@ -0,0 +1,33 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the dataplane.openstack.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: dataplane-openstackdataplanenodeset-editor-role
+rules:
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanenodesets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanenodesets/status
+ verbs:
+ - get
diff --git a/config/rbac/dataplane_openstackdataplanenodeset_viewer_role.yaml b/config/rbac/dataplane_openstackdataplanenodeset_viewer_role.yaml
new file mode 100644
index 000000000..43dc226a4
--- /dev/null
+++ b/config/rbac/dataplane_openstackdataplanenodeset_viewer_role.yaml
@@ -0,0 +1,29 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to dataplane.openstack.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: dataplane-openstackdataplanenodeset-viewer-role
+rules:
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanenodesets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplanenodesets/status
+ verbs:
+ - get
diff --git a/config/rbac/dataplane_openstackdataplaneservice_admin_role.yaml b/config/rbac/dataplane_openstackdataplaneservice_admin_role.yaml
new file mode 100644
index 000000000..14486ff94
--- /dev/null
+++ b/config/rbac/dataplane_openstackdataplaneservice_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over dataplane.openstack.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: dataplane-openstackdataplaneservice-admin-role
+rules:
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplaneservices
+ verbs:
+ - '*'
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplaneservices/status
+ verbs:
+ - get
diff --git a/config/rbac/dataplane_openstackdataplaneservice_editor_role.yaml b/config/rbac/dataplane_openstackdataplaneservice_editor_role.yaml
new file mode 100644
index 000000000..1e4e9147f
--- /dev/null
+++ b/config/rbac/dataplane_openstackdataplaneservice_editor_role.yaml
@@ -0,0 +1,33 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the dataplane.openstack.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: dataplane-openstackdataplaneservice-editor-role
+rules:
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplaneservices
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplaneservices/status
+ verbs:
+ - get
diff --git a/config/rbac/dataplane_openstackdataplaneservice_viewer_role.yaml b/config/rbac/dataplane_openstackdataplaneservice_viewer_role.yaml
new file mode 100644
index 000000000..5f3fdbff5
--- /dev/null
+++ b/config/rbac/dataplane_openstackdataplaneservice_viewer_role.yaml
@@ -0,0 +1,29 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to dataplane.openstack.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: dataplane-openstackdataplaneservice-viewer-role
+rules:
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplaneservices
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - dataplane.openstack.org
+ resources:
+ - openstackdataplaneservices/status
+ verbs:
+ - get
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index e9c4ef55f..fc721b406 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -19,10 +19,37 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml +# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. Those roles are +# not used by the openstack-operator itself. You can comment the following lines +# if you do not want those helpers be installed with your Project. 
+#- operator_openstack_admin_role.yaml +#- operator_openstack_editor_role.yaml +#- operator_openstack_viewer_role.yaml +#- dataplane_openstackdataplanedeployment_admin_role.yaml +#- dataplane_openstackdataplanedeployment_editor_role.yaml +#- dataplane_openstackdataplanedeployment_viewer_role.yaml +#- dataplane_openstackdataplaneservice_admin_role.yaml +#- dataplane_openstackdataplaneservice_editor_role.yaml +#- dataplane_openstackdataplaneservice_viewer_role.yaml +#- dataplane_openstackdataplanenodeset_admin_role.yaml +#- dataplane_openstackdataplanenodeset_editor_role.yaml +#- dataplane_openstackdataplanenodeset_viewer_role.yaml +#- core_openstackversion_admin_role.yaml +#- core_openstackversion_editor_role.yaml +#- core_openstackversion_viewer_role.yaml +#- client_openstackclient_admin_role.yaml +#- client_openstackclient_editor_role.yaml +#- client_openstackclient_viewer_role.yaml +#- core_openstackcontrolplane_admin_role.yaml +#- core_openstackcontrolplane_editor_role.yaml +#- core_openstackcontrolplane_viewer_role.yaml diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml index 4190ec805..e63157842 100644 --- a/config/rbac/leader_election_role.yaml +++ b/config/rbac/leader_election_role.yaml @@ -2,6 +2,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize name: leader-election-role rules: - apiGroups: diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml index 1d1321ed4..9bf0b8111 100644 --- a/config/rbac/leader_election_role_binding.yaml +++ b/config/rbac/leader_election_role_binding.yaml @@ -1,6 +1,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize name: leader-election-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io 
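Review bot: Removing auth_proxy_service.yaml together with the kube-rbac-proxy role files takes away the Service that fronted /metrics, and the new metrics_auth_role / metrics_auth_role_binding / metrics_reader_role only protect anything if the manager itself enforces authn/authz on its metrics listener (controller-runtime's WithAuthenticationAndAuthorization filter or an equivalent secure-serving option in cmd/main.go), which is outside this diff. If the manager still serves metrics over plain HTTP, the endpoint goes from proxied-and-authenticated to unauthenticated rather than "protected" as the new comment claims. Suggest pointing readers at where the enforcement lives, e.g. `# Metrics authn/authz is enforced by the manager's metrics server itself (see cmd/main.go); there is no longer a kube-rbac-proxy sidecar or Service.`, and verifying that a metrics Service is still defined elsewhere for whatever scrapes it.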
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/metrics_auth_role.yaml similarity index 90% rename from config/rbac/auth_proxy_role.yaml rename to config/rbac/metrics_auth_role.yaml index 80e1857c5..32d2e4ec6 100644 --- a/config/rbac/auth_proxy_role.yaml +++ b/config/rbac/metrics_auth_role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: proxy-role + name: metrics-auth-role rules: - apiGroups: - authentication.k8s.io diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/metrics_auth_role_binding.yaml similarity index 79% rename from config/rbac/auth_proxy_role_binding.yaml rename to config/rbac/metrics_auth_role_binding.yaml index ec7acc0a1..e775d67ff 100644 --- a/config/rbac/auth_proxy_role_binding.yaml +++ b/config/rbac/metrics_auth_role_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: proxy-rolebinding + name: metrics-auth-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-auth-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/metrics_reader_role.yaml similarity index 100% rename from config/rbac/auth_proxy_client_clusterrole.yaml rename to config/rbac/metrics_reader_role.yaml diff --git a/config/rbac/operator_openstack_admin_role.yaml b/config/rbac/operator_openstack_admin_role.yaml new file mode 100644 index 000000000..c579503c1 --- /dev/null +++ b/config/rbac/operator_openstack_admin_role.yaml 
@@ -0,0 +1,27 @@
+# This rule is not used by the project openstack-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over operator.openstack.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: openstack-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: operator-openstack-admin-role
+rules:
+- apiGroups:
+ - operator.openstack.org
+ resources:
+ - openstacks
+ verbs:
+ - '*'
+- apiGroups:
+ - operator.openstack.org
+ resources:
+ - openstacks/status
+ verbs:
+ - get
diff --git a/config/rbac/operator_openstack_editor_role.yaml b/config/rbac/operator_openstack_editor_role.yaml
index 156bb0e38..c132c5c23 100644
--- a/config/rbac/operator_openstack_editor_role.yaml
+++ b/config/rbac/operator_openstack_editor_role.yaml
@@ -1,15 +1,17 @@ -# permissions for end users to edit openstacks. +# This rule is not used by the project openstack-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the operator.openstack.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: openstack-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator + app.kubernetes.io/name: openstack-operator app.kubernetes.io/managed-by: kustomize - name: openstack-editor-role + name: operator-openstack-editor-role rules: - apiGroups: - operator.openstack.org diff --git a/config/rbac/operator_openstack_viewer_role.yaml b/config/rbac/operator_openstack_viewer_role.yaml index 6bef23cc0..66d3397f7 100644 --- a/config/rbac/operator_openstack_viewer_role.yaml +++ b/config/rbac/operator_openstack_viewer_role.yaml 
@@ -1,15 +1,17 @@ -# permissions for end users to view openstacks. +# This rule is not used by the project openstack-operator itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to operator.openstack.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: openstack-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator + app.kubernetes.io/name: openstack-operator app.kubernetes.io/managed-by: kustomize - name: openstack-viewer-role + name: operator-openstack-viewer-role rules: - apiGroups: - operator.openstack.org diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 7decfd254..574879be7 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -8,17 +8,9 @@ rules: - "" resources: - configmaps - - pods - - secrets - services verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - "" resources: 
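Review bot: In the first role.yaml hunk the configmaps/services rule drops its explicit seven-verb list in favour of `'*'`, which silently includes any verb the API server adds later and is what RBAC linters flag first; the pods/secrets rule that this change splits out keeps the explicit list, so the two rules are now inconsistent for no stated reason. Since role.yaml is controller-gen output, the wildcard presumably comes from a `verbs=*` in a `+kubebuilder:rbac` marker that is not in this diff; restoring `verbs=create;delete;get;list;patch;update;watch` there keeps the generated rule as `verbs: - create - delete - get - list - patch - update - watch` as before.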
@@ -36,15 +28,54 @@ rules: - "" resources: - namespaces - - projects verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + - secrets + verbs: + - create + - delete - get + - list + - patch + - update + - watch - apiGroups: - "" resources: - serviceaccounts verbs: + - '*' +- apiGroups: + - "" + - project.openshift.io + resources: + - projects + verbs: + - get +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + verbs: - create + - delete - get - list - patch @@ -213,6 +244,7 @@ rules: resources: - openstackdataplanedeployments/status - openstackdataplanenodesets/status + - openstackdataplaneservices/status verbs: - get - patch @@ -221,20 +253,10 @@ rules: - dataplane.openstack.org resources: - openstackdataplanenodesets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - dataplane.openstack.org - resources: - openstackdataplaneservices verbs: - create + - delete - get - list - patch @@ -394,6 +416,17 @@ rules: - patch - update - watch +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - network.openstack.org resources: 
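Review bot: The new rule granting `'*'` verbs on `'*'` resources in apiextensions.k8s.io, and `'*'` on mutatingwebhookconfigurations/validatingwebhookconfigurations, lets the controller-manager ServiceAccount rewrite or delete every CRD and admission webhook in the cluster, not only the ones this operator owns; the same hunk also widens namespaces and serviceaccounts from an explicit verb list to `'*'`. Because role.yaml is generated, the narrowing belongs in the `+kubebuilder:rbac` markers that produced it (not visible here): name `customresourcedefinitions` instead of `'*'` and spell out verbs the way the pods/secrets rule in this hunk does, e.g. `resources: - customresourcedefinitions` with `verbs: - create - get - list - patch - update - watch`. If deleting other operators' CRDs is really required by the uninstall path that the operators.coreos.com rule in the next hunk hints at, that should be a deliberate, documented choice in the marker comment rather than an unrestricted wildcard.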
@@ -476,6 +509,43 @@ rules: - get - list - watch +- apiGroups: + - operator.openstack.org + resources: + - openstacks + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - operator.openstack.org + resources: + - openstacks/finalizers + verbs: + - update +- apiGroups: + - operator.openstack.org + resources: + - openstacks/status + verbs: + - get + - patch + - update +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - installplans + - operators + - subscriptions + verbs: + - delete + - get + - list - apiGroups: - ovn.openstack.org resources: @@ -502,12 +572,6 @@ rules: - patch - update - watch -- apiGroups: - - project.openshift.io - resources: - - projects - verbs: - - get - apiGroups: - rabbitmq.com resources: @@ -532,18 +596,20 @@ rules: - patch - update - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + verbs: + - '*' - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings - roles verbs: - - create - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - redis.openstack.org resources: diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 2070ede44..4c6a15194 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -1,6 +1,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize name: manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml index 7cd6025bf..d78bca797 100644 --- a/config/rbac/service_account.yaml +++ b/config/rbac/service_account.yaml @@ -1,5 +1,8 @@ apiVersion: v1 kind: ServiceAccount metadata: + labels: + app.kubernetes.io/name: openstack-operator + app.kubernetes.io/managed-by: kustomize name: controller-manager namespace: system 
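Review bot: In the last role.yaml hunk, `'*'` on clusterroles and clusterrolebindings (and widening roles/rolebindings from an explicit list to `'*'`) includes the `bind` and `escalate` verbs, which switch off the API server's RBAC escalation-prevention check; a compromised controller-manager pod could then bind cluster-admin to its own ServiceAccount, so this role is effectively cluster-admin. The previous roles/rolebindings rule had neither `delete` nor a wildcard, and nothing in the diff says why either is now needed. Keep the list explicit, e.g. `verbs: - create - delete - get - list - patch - update - watch`, and add `bind`/`escalate` only if the operator genuinely has to grant permissions it does not itself hold; as role.yaml is controller-gen output, the change goes in the corresponding `+kubebuilder:rbac` marker, which is not in this diff.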
diff --git a/config/scorecard/kustomization.yaml b/config/scorecard/kustomization.yaml index a9a84a85a..54e8aa507 100644 --- a/config/scorecard/kustomization.yaml +++ b/config/scorecard/kustomization.yaml @@ -1,16 +1,18 @@ resources: - bases/config.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization patches: - path: patches/basic.config.yaml target: group: scorecard.operatorframework.io - version: v1alpha3 kind: Configuration name: config + version: v1alpha3 - path: patches/olm.config.yaml target: group: scorecard.operatorframework.io - version: v1alpha3 kind: Configuration name: config -#+kubebuilder:scaffold:patches + version: v1alpha3 +# +kubebuilder:scaffold:patches diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml index 4a6c8167d..8237b70d8 100644 --- a/config/scorecard/patches/basic.config.yaml +++ b/config/scorecard/patches/basic.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.41.1 labels: suite: basic test: basic-check-spec-test diff --git a/config/scorecard/patches/olm.config.yaml b/config/scorecard/patches/olm.config.yaml index c342410a9..416660a77 100644 --- a/config/scorecard/patches/olm.config.yaml +++ b/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.41.1 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.41.1 labels: suite: olm test: olm-crds-have-validation-test 
@@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.41.1 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.41.1 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.22.2 + image: quay.io/operator-framework/scorecard-test:v1.41.1 labels: suite: olm test: olm-status-descriptors-test diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml index 25e21e3c9..206316e54 100644 --- a/config/webhook/kustomizeconfig.yaml +++ b/config/webhook/kustomizeconfig.yaml @@ -1,4 +1,4 @@ -# the following config is for teaching kustomize where to look at when substituting vars. +# the following config is for teaching kustomize where to look at when substituting nameReference. # It requires kustomize v2.1.0 or newer to work properly. nameReference: - kind: Service @@ -20,6 +20,3 @@ namespace: group: admissionregistration.k8s.io path: webhooks/clientConfig/service/namespace create: true - -varReference: -- path: metadata/annotations diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml index 2fd1496ca..ce67518dc 100644 --- a/config/webhook/manifests.yaml +++ b/config/webhook/manifests.yaml @@ -12,7 +12,7 @@ webhooks: namespace: system path: /mutate-client-openstack-org-v1beta1-openstackclient failurePolicy: Fail - name: mopenstackclient.kb.io + name: mopenstackclient-v1beta1.kb.io rules: - apiGroups: - client.openstack.org 
@@ -32,7 +32,7 @@ webhooks: namespace: system path: /mutate-core-openstack-org-v1beta1-openstackcontrolplane failurePolicy: Fail - name: mopenstackcontrolplane.kb.io + name: mopenstackcontrolplane-v1beta1.kb.io rules: - apiGroups: - core.openstack.org @@ -52,7 +52,7 @@ webhooks: namespace: system path: /mutate-core-openstack-org-v1beta1-openstackversion failurePolicy: Fail - name: mopenstackversion.kb.io + name: mopenstackversion-v1beta1.kb.io rules: - apiGroups: - core.openstack.org @@ -72,7 +72,7 @@ webhooks: namespace: system path: /mutate-dataplane-openstack-org-v1beta1-openstackdataplanedeployment failurePolicy: Fail - name: mopenstackdataplanedeployment.kb.io + name: mopenstackdataplanedeployment-v1beta1.kb.io rules: - apiGroups: - dataplane.openstack.org @@ -92,7 +92,7 @@ webhooks: namespace: system path: /mutate-dataplane-openstack-org-v1beta1-openstackdataplanenodeset failurePolicy: Fail - name: mopenstackdataplanenodeset.kb.io + name: mopenstackdataplanenodeset-v1beta1.kb.io rules: - apiGroups: - dataplane.openstack.org 
@@ -104,6 +104,66 @@ webhooks: resources: - openstackdataplanenodesets sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate-dataplane-openstack-org-v1beta1-openstackdataplaneservice + failurePolicy: Fail + name: mopenstackdataplaneservice-v1beta1.kb.io + rules: + - apiGroups: + - dataplane.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackdataplaneservices + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate-client-openstack-org-v1beta1-openstackclient + failurePolicy: Fail + name: mopenstackclient.kb.io + rules: + - apiGroups: + - client.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackclients + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate-dataplane-openstack-org-v1beta1-openstackdataplanedeployment + failurePolicy: Fail + name: mopenstackdataplanedeployment.kb.io + rules: + - apiGroups: + - dataplane.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackdataplanedeployments + sideEffects: None - admissionReviewVersions: - v1 clientConfig: @@ -138,7 +198,7 @@ webhooks: namespace: system path: /validate-client-openstack-org-v1beta1-openstackclient failurePolicy: Fail - name: vopenstackclient.kb.io + name: vopenstackclient-v1beta1.kb.io rules: - apiGroups: - client.openstack.org @@ -158,7 +218,7 @@ webhooks: namespace: system path: /validate-core-openstack-org-v1beta1-openstackcontrolplane failurePolicy: Fail - name: vopenstackcontrolplane.kb.io + name: vopenstackcontrolplane-v1beta1.kb.io rules: - apiGroups: - core.openstack.org 
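Review bot: The added entries named `mopenstackclient.kb.io` and `mopenstackdataplanedeployment.kb.io` duplicate the existing mutating webhooks for the same resources and paths, which earlier hunks of this same file rename to `mopenstackclient-v1beta1.kb.io` and `mopenstackdataplanedeployment-v1beta1.kb.io`; after this change every CREATE/UPDATE of openstackclients and openstackdataplanedeployments runs the mutating handler twice, and both copies carry `failurePolicy: Fail`. Only the `mopenstackdataplaneservice-v1beta1.kb.io` entry in this hunk is genuinely new. Since manifests.yaml is controller-gen output, this looks like a stale `+kubebuilder:webhook` marker under the old name surviving in the api tree next to the regenerated one (not visible here); remove it so each resource is registered with a single mutating webhook.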
@@ -178,7 +238,7 @@ webhooks: namespace: system path: /validate-core-openstack-org-v1beta1-openstackversion failurePolicy: Fail - name: vopenstackversion.kb.io + name: vopenstackversion-v1beta1.kb.io rules: - apiGroups: - core.openstack.org @@ -198,7 +258,7 @@ webhooks: namespace: system path: /validate-dataplane-openstack-org-v1beta1-openstackdataplanedeployment failurePolicy: Fail - name: vopenstackdataplanedeployment.kb.io + name: vopenstackdataplanedeployment-v1beta1.kb.io rules: - apiGroups: - dataplane.openstack.org @@ -218,7 +278,7 @@ webhooks: namespace: system path: /validate-dataplane-openstack-org-v1beta1-openstackdataplanenodeset failurePolicy: Fail - name: vopenstackdataplanenodeset.kb.io + name: vopenstackdataplanenodeset-v1beta1.kb.io rules: - apiGroups: - dataplane.openstack.org 
@@ -230,6 +290,66 @@ webhooks: resources: - openstackdataplanenodesets sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-dataplane-openstack-org-v1beta1-openstackdataplaneservice + failurePolicy: Fail + name: vopenstackdataplaneservice-v1beta1.kb.io + rules: + - apiGroups: + - dataplane.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackdataplaneservices + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-client-openstack-org-v1beta1-openstackclient + failurePolicy: Fail + name: vopenstackclient.kb.io + rules: + - apiGroups: + - client.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackclients + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-dataplane-openstack-org-v1beta1-openstackdataplanedeployment + failurePolicy: Fail + name: vopenstackdataplanedeployment.kb.io + rules: + - apiGroups: + - dataplane.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - openstackdataplanedeployments + sideEffects: None - admissionReviewVersions: - v1 clientConfig: diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml index cc7a9e74c..096ea383d 100644 --- a/config/webhook/service.yaml +++ b/config/webhook/service.yaml @@ -1,13 +1,8 @@ - apiVersion: v1 kind: Service metadata: labels: - app.kubernetes.io/name: service - app.kubernetes.io/instance: webhook-service - app.kubernetes.io/component: webhook - app.kubernetes.io/created-by: openstack-operator - app.kubernetes.io/part-of: openstack-operator + app.kubernetes.io/name: openstack-operator app.kubernetes.io/managed-by: kustomize name: webhook-service namespace: system 
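Review bot: Same duplication on the validating side: `vopenstackclient.kb.io` and `vopenstackdataplanedeployment.kb.io` are re-added here for the same resources and paths that the renamed `vopenstackclient-v1beta1.kb.io` and `vopenstackdataplanedeployment-v1beta1.kb.io` entries already cover, so each admission request is validated twice and a single handler outage fails the request through two `failurePolicy: Fail` entries. Only `vopenstackdataplaneservice-v1beta1.kb.io` is new in this hunk. The old-name entries presumably come from a leftover `+kubebuilder:webhook` marker outside this diff and should be dropped rather than shipped.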
@@ -17,4 +12,5 @@ spec: protocol: TCP targetPort: 9443 selector: - openstack.org/operator-name: openstack + control-plane: controller-manager + app.kubernetes.io/name: openstack-operator diff --git a/containers/ci/Dockerfile b/containers/ci/Dockerfile deleted file mode 100644 index adee39d15..000000000 --- a/containers/ci/Dockerfile +++ /dev/null @@ -1,4 +0,0 @@ -FROM src -RUN yum update -y && yum install -y python39 python39-pip -RUN alternatives --set python3 /usr/bin/python3.9 -RUN pip3 install pre-commit diff --git a/docs/build_docs.sh b/docs/build_docs.sh index 2253049b4..235c0e917 100755 --- a/docs/build_docs.sh +++ b/docs/build_docs.sh 
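Review bot: The webhook Service selector changes from `openstack.org/operator-name: openstack` to `control-plane: controller-manager` plus `app.kubernetes.io/name: openstack-operator`, but the manager Deployment's pod template is not in this diff; if its pods do not carry both labels the Service has no endpoints, and because every webhook in manifests.yaml uses `failurePolicy: Fail` that blocks all CREATE/UPDATE of the operator's CRs cluster-wide. Worth a comment on the selector: `# must match the pod labels in config/manager; with failurePolicy: Fail an empty endpoint set blocks every CR write`. Also confirm nothing else (e.g. a NetworkPolicy or a second Service) still keys on the old `openstack.org/operator-name` label.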
@@ -3,26 +3,26 @@ set -ex pipefail CTLPLANE_FILES=() CTLPLANE_PATHS=( - "apis/client/v1beta1/openstackclient_types.go" - "apis/core/v1beta1/openstackcontrolplane_types.go" - "apis/core/v1beta1/openstackversion_types.go" + "api/client/v1beta1/openstackclient_types.go" + "api/core/v1beta1/openstackcontrolplane_types.go" + "api/core/v1beta1/openstackversion_types.go" ) DATAPLANE_FILES=() DATAPLANE_PATHS=( - "apis/dataplane/v1beta1/openstackdataplanedeployment_types.go" - "apis/dataplane/v1beta1/openstackdataplanenodeset_types.go" - "apis/dataplane/v1beta1/openstackdataplaneservice_types.go" - "apis/dataplane/v1beta1/common.go" + "api/dataplane/v1beta1/openstackdataplanedeployment_types.go" + "api/dataplane/v1beta1/openstackdataplanenodeset_types.go" + "api/dataplane/v1beta1/openstackdataplaneservice_types.go" + "api/dataplane/v1beta1/common.go" ) # Getting APIs from Services -SERVICE_PATH=($(MODCACHE=$(go env GOMODCACHE) awk '/openstack-k8s-operators/ && ! /lib-common/ && ! /openstack-operator/ && ! /infra/ && ! /replace/ {print ENVIRON["MODCACHE"] "/" $1 "@" $2 "/v1beta1/*_types.go"}' apis/go.mod)) +SERVICE_PATH=($(MODCACHE=$(go env GOMODCACHE) awk '/openstack-k8s-operators/ && ! /lib-common/ && ! /openstack-operator/ && ! /infra/ && ! /replace/ {print ENVIRON["MODCACHE"] "/" $1 "@" $2 "/v1beta1/*_types.go"}' api/go.mod)) for SERVICE in ${SERVICE_PATH[@]};do CTLPLANE_PATHS+=($(ls ${SERVICE})) done # Getting APIs from Infra -INFRA_PATH=($(MODCACHE=$(go env GOMODCACHE) awk '/openstack-k8s-operators/ && /infra/ {print ENVIRON["MODCACHE"] "/" $1 "@" $2 "/"}' apis/go.mod)) +INFRA_PATH=($(MODCACHE=$(go env GOMODCACHE) awk '/openstack-k8s-operators/ && /infra/ {print ENVIRON["MODCACHE"] "/" $1 "@" $2 "/"}' api/go.mod)) PATTERNS=("memcached/v1beta1/*_types.go" "network/v1beta1/*_types.go" "rabbitmq/v1beta1/*_types.go") for INFRA in ${PATTERNS[@]};do ls ${INFRA_PATH}${INFRA} diff --git a/go.mod b/go.mod index 47a5c001c..94f4b1254 100644 --- a/go.mod +++ b/go.mod 
@@ -32,7 +32,7 @@ require ( github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20251103074111-0ec969e832ad github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20251112213455-aa03725e0f2b github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251112191014-b4c8cca9b6fc - github.com/openstack-k8s-operators/openstack-operator/apis v0.0.0-20240531084739-3b4c0451297c + github.com/openstack-k8s-operators/openstack-operator/api v0.0.0-00010101000000-000000000000 github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251111072459-1ceb14e1eab0 github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20251112201103-7583889cdb89 github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20251112213455-cc9071dc6aa0 @@ -53,14 +53,20 @@ require ( require ( github.com/Masterminds/semver/v3 v3.4.0 // indirect + github.com/antlr4-go/antlr/v4 v4.13.0 // indirect + github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/beorn7/perks v1.0.1 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect + github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.12.2 // indirect github.com/evanphx/json-patch/v5 v5.9.11 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.9.0 // indirect github.com/gabriel-vasile/mimetype v1.4.10 // indirect + github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.21.1 // indirect github.com/go-openapi/jsonreference v0.21.0 // indirect 
@@ -71,12 +77,15 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect + github.com/google/cel-go v0.20.1 // indirect github.com/google/gnostic-models v0.7.0 // indirect github.com/google/go-cmp v0.7.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect github.com/gophercloud/gophercloud/v2 v2.8.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/imdario/mergo v0.3.16 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/leodido/go-urn v1.4.0 // indirect @@ -95,8 +104,19 @@ require ( github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.71.0-rhobs1 // indirect github.com/rhobs/observability-operator v0.3.1 // indirect github.com/robfig/cron/v3 v3.0.1 // indirect + github.com/spf13/cobra v1.9.1 // indirect github.com/spf13/pflag v1.0.7 // indirect + github.com/stoewer/go-strcase v1.3.0 // indirect github.com/x448/float16 v0.8.4 // indirect + go.opentelemetry.io/auto/sdk v1.1.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect + go.opentelemetry.io/otel v1.34.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect + go.opentelemetry.io/otel/metric v1.34.0 // indirect + go.opentelemetry.io/otel/sdk v1.34.0 // indirect + go.opentelemetry.io/otel/trace v1.34.0 // indirect + go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect 
@@ -112,12 +132,19 @@ require ( golang.org/x/time v0.12.0 // indirect golang.org/x/tools v0.37.0 // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect + google.golang.org/grpc v1.71.1 // indirect google.golang.org/protobuf v1.36.7 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/apiextensions-apiserver v0.33.2 // indirect + k8s.io/apiserver v0.33.2 // indirect + k8s.io/component-base v0.33.2 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20250902184714-7fc278399c7f // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect sigs.k8s.io/gateway-api v1.2.1 // indirect sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect sigs.k8s.io/randfill v1.0.0 // indirect @@ -125,7 +152,7 @@ require ( sigs.k8s.io/yaml v1.6.0 // indirect ) -replace github.com/openstack-k8s-operators/openstack-operator/apis => ./apis +replace github.com/openstack-k8s-operators/openstack-operator/api => ./api //allow-merging // mschuppert: map to latest commit from release-4.18 tag // must consistent within modules and service operators diff --git a/go.sum b/go.sum index 7fa63bf10..d6f64bb2d 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,20 @@ github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= +github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= +github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/cert-manager/cert-manager v1.16.5 h1:XIhKoS4zQV9RHXAkqQW0NLivvoxAnWzbPsy9BG6cPVc= github.com/cert-manager/cert-manager v1.16.5/go.mod h1:0DwmIGjMOreiP7/6gAqnjaBRJ+yHCfZ5DP7NNqKV+tY= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -16,6 +25,8 @@ github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= @@ -28,8 +39,11 @@ github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZ github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk= github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE= github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic= 
@@ -56,6 +70,8 @@ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84=
+github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -70,10 +86,14 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gophercloud/gophercloud/v2 v2.8.0 h1:of2+8tT6+FbEYHfYC8GBu8TXJNsXYSNm9KuvpX7Neqo=
 github.com/gophercloud/gophercloud/v2 v2.8.0/go.mod h1:Ki/ILhYZr/5EPebrPL9Ej+tUg4lqx71/YH2JWVeU+Qk=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
 github.com/iancoleman/strcase v0.3.0 h1:nTXanmYxhfFAMjZL34Ov6gkzEsSJZ5DbhxWjvSASxEI=
 github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE=
@@ -195,10 +215,21 @@ github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
 github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
+github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
@@ -213,6 +244,26 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
+go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
+go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
+go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -272,6 +323,12 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
 gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 h1:GVIKPyP/kLIyVOgOnTwFOrvQaQUzOzGMCxgFUOEmm24=
+google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422/go.mod h1:b6h1vNKhxaSoEI+5jc3PJUCustfli/mRab7295pY7rw=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f h1:OxYkA3wjPsZyBylwymxSHa7ViiW1Sml4ToBrncvFehI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:+2Yz8+CLJbIfL9z73EW45avw8Lmge3xVElCP9zEKi50=
+google.golang.org/grpc v1.71.1 h1:ffsFWr7ygTUscGPI0KKK6TLrGz0476KUvvsbqWK0rPI=
+google.golang.org/grpc v1.71.1/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
 google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
 google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -281,6 +338,9 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSP
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.31.13 h1:sco9Cq2pY4Ysv9qZiWzcR97MmA/35nwYQ/VCTzOcWmc=
@@ -289,14 +349,20 @@ k8s.io/apiextensions-apiserver v0.31.13 h1:8xtWKVpV/YbYX0UX2k6w+cgxfxKhX0UNGuo/V
 k8s.io/apiextensions-apiserver v0.31.13/go.mod h1:zxpMLWXBxnJqKUIruJ+ulP+Xlfe5lPZPxq1z0cLwA2U=
 k8s.io/apimachinery v0.31.13 h1:rkG0EiBkBkEzURo/8dKGx/oBF202Z2LqHuSD8Cm3bG4=
 k8s.io/apimachinery v0.31.13/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/apiserver v0.31.13 h1:Ke9/X2m3vHSgsminpAbUxULDNMbvAfjrRX73Gqx6CZc=
+k8s.io/apiserver v0.31.13/go.mod h1:5nBPhL2g7am/CS+/OI5A6+olEbo0C7tQ8QNDODLd+WY=
 k8s.io/client-go v0.31.13 h1:Q0LG51uFbzNd9fzIj5ilA0Sm1wUholHvDaNwVKzqdCA=
 k8s.io/client-go v0.31.13/go.mod h1:UB4yTzQeRAv+vULOKp2jdqA5LSwV55bvc3RQ5tM48LM=
+k8s.io/component-base v0.31.13 h1:/uVLq7yHk9azReqeCFAZSr/8NXydzpz7yDZ6p/yiwBQ=
+k8s.io/component-base v0.31.13/go.mod h1:uMXtKNyDqeNdZYL6SRCr9wB6FutL9pOlQmkK2dRVAKQ=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250627150254-e9823e99808e h1:UGI9rv1A2cV87NhXr4s+AUBxIuoo/SME/IyJ3b6KztE=
 k8s.io/kube-openapi v0.0.0-20250627150254-e9823e99808e/go.mod h1:GLOk5B+hDbRROvt0X2+hqX64v/zO3vXN7J78OUmBSKw=
 k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0=
 k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/controller-runtime v0.19.7 h1:DLABZfMr20A+AwCZOHhcbcu+TqBXnJZaVBri9K3EO48=
 sigs.k8s.io/controller-runtime v0.19.7/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/gateway-api v1.2.1 h1:fZZ/+RyRb+Y5tGkwxFKuYuSRQHu9dZtbjenblleOLHM=
diff --git a/hack/sync-bindata.sh b/hack/sync-bindata.sh
index b2de0372a..0ce7b23a1 100755
--- a/hack/sync-bindata.sh
+++ b/hack/sync-bindata.sh
@@ -56,7 +56,7 @@ metadata:
 app.kubernetes.io/created-by: openstack-operator
 app.kubernetes.io/instance: webhook-service
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/name: service
+ app.kubernetes.io/name: $OPERATOR_NAME
 app.kubernetes.io/part-of: $OPERATOR_NAME
 name: $OPERATOR_NAME-webhook-service
 namespace: '{{ .OperatorNamespace }}'
@@ -66,7 +66,8 @@ spec:
 protocol: TCP
 targetPort: 9443
 selector:
- openstack.org/operator-name: ${OPERATOR_NAME//-operator}
+ app.kubernetes.io/name: $OPERATOR_NAME
+ control-plane: controller-manager
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -76,8 +77,7 @@ metadata:
 app.kubernetes.io/created-by: openstack-operator
 app.kubernetes.io/instance: serving-cert
 app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/name: certificate
- app.kubernetes.io/part-of: $OPERATOR_NAME
+ app.kubernetes.io/name: $OPERATOR_NAME
 name: $OPERATOR_NAME-serving-cert
 namespace: '{{ .OperatorNamespace }}'
 spec:
@@ -89,21 +89,6 @@ spec:
 name: $OPERATOR_NAME-selfsigned-issuer
 secretName: $OPERATOR_NAME-webhook-server-cert
 ---
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- labels:
- app.kubernetes.io/component: certificate
- app.kubernetes.io/created-by: openstack-operator
- app.kubernetes.io/instance: selfsigned-issuer
- app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/name: issuer
- app.kubernetes.io/part-of: $OPERATOR_NAME
- name: $OPERATOR_NAME-selfsigned-issuer
- namespace: '{{ .OperatorNamespace }}'
-spec:
- selfSigned: {}
----
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
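Review bot: The Certificate still names `$OPERATOR_NAME-selfsigned-issuer` as its issuer (context at the top of the last hunk, just above `secretName: $OPERATOR_NAME-webhook-server-cert`), yet the Issuer manifest that created it is deleted from the generated bindata; unless another manifest now provides an Issuer of that name in `{{ .OperatorNamespace }}`, cert-manager never populates the webhook-server-cert Secret and the webhook server has no serving certificate. A short comment above the Certificate making that dependency explicit would help the next reader, e.g. `# The selfsigned Issuer referenced below is no longer emitted here; it is provided by <issuer provider — confirm>`. The second hunk also ties the webhook Service selector to both `app.kubernetes.io/name: $OPERATOR_NAME` and `control-plane: controller-manager`; the Deployment pod template is outside this diff, so confirm its labels carry both keys, otherwise the Service has no endpoints and admission requests fail according to the webhook's failurePolicy. The heredoc these lines belong to starts before the first hunk.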
@@ -168,6 +153,7 @@ grep -l CustomResourceDefinition manifests/* | xargs -I % sh -c 'cp % ./crds/' for X in $(ls manifests/*clusterserviceversion.yaml); do OPERATOR_NAME=$(echo $X | sed -e "s|manifests\/\([^\.]*\)\..*|\1|") echo $OPERATOR_NAME + OPERATOR_SDK_VERSION=$(cat $X | $LOCAL_BINARIES/yq -r '.metadata.annotations."operators.operatorframework.io/builder"') LEADER_ELECTION_ROLE_RULES=$(cat $X | $LOCAL_BINARIES/yq -r .spec.install.spec.permissions | sed -e 's|- rules:|rules:|' | sed -e 's| ||' | sed -e '/ serviceAccountName.*/d' ) CLUSTER_ROLE_RULES=$(cat $X | $LOCAL_BINARIES/yq -r .spec.install.spec.clusterPermissions| sed -e 's|- rules:|rules:|' | sed -e 's| ||' | sed -e '/ serviceAccountName.*/d' @@ -181,6 +167,22 @@ mkdir -p rbac cat > rbac/$OPERATOR_NAME-rbac.yaml <> rbac/$OPERATOR_NAME-rbac.yaml <> rbac/$OPERATOR_NAME-rbac.yaml <> rbac/$OPERATOR_NAME-rbac.yaml <> rbac/$OPERATOR_NAME-rbac.yaml <
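Review bot: The new `OPERATOR_SDK_VERSION=$(cat $X | $LOCAL_BINARIES/yq -r '.metadata.annotations."operators.operatorframework.io/builder"')` does not handle a CSV that lacks the builder annotation: `yq -r` prints the literal string `null` for a missing key, and that value is then carried into whatever consumes the variable later in the loop (outside this hunk). Consider `OPERATOR_SDK_VERSION=$($LOCAL_BINARIES/yq -r '.metadata.annotations."operators.operatorframework.io/builder" // ""' "$X")` followed by `[ -n "$OPERATOR_SDK_VERSION" ] || { echo "no builder annotation in $X" >&2; exit 1; }`, so a bundle without the annotation fails the sync instead of writing `null` into generated manifests. Quoting `"$X"` also matches how the loop variable should be used; the existing `cat $X |` lines above follow the older style, so this is a style point as much as a correctness one. The enclosing `for X in …` loop continues past the hunk.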