diff --git a/deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml b/deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml
index fceffd024c..2c15ad34bf 100644
--- a/deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml
+++ b/deploy/chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml
@@ -8,6 +8,18 @@ rules:
   verbs: ["watch", "list", "get", "create", "update", "patch", "delete", "deletecollection", "escalate", "bind"]
 - nonResourceURLs: ["*"]
   verbs: ["*"]
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
 ---
 kind: ServiceAccount
 apiVersion: v1
diff --git a/deploy/chart/templates/0000_50_olm_03-services.yaml b/deploy/chart/templates/0000_50_olm_03-services.yaml
index 51fb8df0e3..fde964e75d 100644
--- a/deploy/chart/templates/0000_50_olm_03-services.yaml
+++ b/deploy/chart/templates/0000_50_olm_03-services.yaml
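Review bot: The two added rules grant `create` on `tokenreviews` and `subjectaccessreviews`, presumably so the metrics endpoint can perform delegated authentication and authorization once it serves TLS, but nothing in the template records why the operator's ClusterRole is widening; a comment above the first added `- apiGroups:` such as `# TokenReview/SubjectAccessReview creation: delegated authn/authz for the TLS metrics endpoint` would keep that intent next to the grant. If the rule that ends at the `"escalate", "bind"` line (its `apiGroups` and `resources` are above the hunk) is a wildcard over all groups and resources, the new rules are already covered and act as documentation only, which is still worth stating so nobody later "cleans them up" or, conversely, assumes the wildcard can be narrowed without them. Either way these are cluster-scoped grants, so the binding that follows below the hunk should remain limited to the olm-operator ServiceAccount.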
@@ -1,39 +1,43 @@
-{{ if .Values.monitoring.enabled }}
+{{- if or .Values.monitoring.enabled .Values.serviceCa.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
-  name: olm-operator-metrics
+  name: {{ .Values.olm.service.name }}
   namespace: {{ .Values.namespace }}
+  {{- if .Values.serviceCa.enabled }}
   annotations:
-    service.alpha.openshift.io/serving-cert-secret-name: olm-operator-serving-cert
+    service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.serviceCa.olmOperator.secretName }}
+  {{- end }}
   labels:
     app: olm-operator
 spec:
   type: ClusterIP
   ports:
     - name: https-metrics
-      port: {{ .Values.olm.service.externalPort }}
+      port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.externalPort }}{{ end }}
       protocol: TCP
-      targetPort: {{ .Values.olm.service.internalPort }}
+      targetPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
   selector:
     app: olm-operator
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: catalog-operator-metrics
+  name: {{ .Values.catalog.service.name }}
   namespace: {{ .Values.namespace }}
+  {{- if .Values.serviceCa.enabled }}
   annotations:
-    service.alpha.openshift.io/serving-cert-secret-name: catalog-operator-serving-cert
+    service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.serviceCa.catalogOperator.secretName }}
+  {{- end }}
   labels:
     app: catalog-operator
 spec:
   type: ClusterIP
   ports:
     - name: https-metrics
-      port: {{ .Values.catalog.service.externalPort }}
+      port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.externalPort }}{{ end }}
       protocol: TCP
-      targetPort: {{ .Values.catalog.service.internalPort }}
+      targetPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
   selector:
     app: catalog-operator
 {{ end }}
diff --git a/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
index 342369963c..b7eb6c8dd3 100644
--- a/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
+++ b/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
@@ -30,6 +30,13 @@ spec:
       - name: profile-collector-cert
         secret:
           secretName: {{ .Values.certManager.certificate.secretName }}
+      {{- else if .Values.serviceCa.enabled }}
+      - name: srv-cert
+        secret:
+          secretName: {{ .Values.serviceCa.olmOperator.secretName }}
+      - name: profile-collector-cert
+        secret:
+          secretName: {{ .Values.serviceCa.olmOperator.secretName }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -41,7 +48,7 @@ spec:
           capabilities:
             drop: [ "ALL" ]
         volumeMounts:
-        {{- if .Values.certManager.enabled }}
+        {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
         - name: srv-cert
           mountPath: "/srv-cert"
           readOnly: true
@@ -74,7 +81,7 @@ spec:
         - --writePackageServerStatusName
         - {{ .Values.writePackageServerStatusName }}
         {{- end }}
-        {{- if .Values.certManager.enabled }}
+        {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
         - --tls-cert
         - /srv-cert/tls.crt
         - --tls-key
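Review bot: The serving-cert annotation renders `.Values.serviceCa.olmOperator.secretName` (and the catalog counterpart further down) with no guard, while the values.yaml hunk in this same commit ships both secret names as `""`; flipping `serviceCa.enabled` without downstream values therefore yields a Service annotation with an empty secret name and, in the `{{- else if .Values.serviceCa.enabled }}` volume blocks of the two deployment templates, Secret volumes whose `secretName` is empty and which will fail when the kubelet tries to mount them. Helm's `required` turns that into a render-time error: `service.alpha.openshift.io/serving-cert-secret-name: {{ required "serviceCa.olmOperator.secretName must be set" .Values.serviceCa.olmOperator.secretName }}`, and the same guard belongs on the volume `secretName` lines in 0000_50_olm_07-olm-operator.deployment.yaml and 0000_50_olm_08-catalog-operator.deployment.yaml. Separately, the commit keeps the `service.alpha.openshift.io/serving-cert-secret-name` key; OpenShift documents the `service.beta.openshift.io/serving-cert-secret-name` form, so this is a good moment to switch while the line is being rewritten. The outer `{{- if or ... }}` now opens the document but the matching `{{ end }}` at the bottom is not whitespace-trimmed, which leaves a trailing blank line in the rendered output; `{{- end }}` would be consistent with the opener.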
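Review bot: The `{{- else if .Values.serviceCa.enabled }}` branch lets certManager win silently when both flags are set, whereas the services template in this commit uses `or` for the same pair and stamps the service-ca annotation regardless, so with both enabled the Service requests a service-ca secret that no pod mounts and the values.yaml comment calling the two "mutually exclusive" is enforced nowhere. A render-time check at the top of this template, `{{- if and .Values.certManager.enabled .Values.serviceCa.enabled }}{{ fail "certManager and serviceCa are mutually exclusive" }}{{- end }}`, would turn the misconfiguration into an error; the @@ -30 hunk of 0000_50_olm_08-catalog-operator.deployment.yaml has the same shape and needs the same guard. Under service-ca both `srv-cert` and `profile-collector-cert` now resolve to the single serving-cert secret, while under cert-manager `profile-collector-cert` comes from `.Values.certManager.certificate.secretName`; if the profile collector presents that material as a client certificate, a serving cert may not carry the key usage it needs, so a comment on the second `secretName` line stating that the serving cert is intended to double here would save the next reader the same question. The enclosing `volumes:` list starts above the hunk.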
@@ -85,18 +92,18 @@ spec:
         image: {{ .Values.olm.image.ref }}
         imagePullPolicy: {{ .Values.olm.image.pullPolicy }}
         ports:
-        - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+        - containerPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
           name: metrics
         livenessProbe:
           httpGet:
             path: /healthz
-            port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
-            scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+            port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+            scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
         readinessProbe:
           httpGet:
             path: /healthz
-            port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
-            scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+            port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+            scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
         terminationMessagePolicy: FallbackToLogsOnError
         env:
         - name: OPERATOR_NAMESPACE
diff --git a/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
index 5395b1f45f..5a4a77635f 100644
--- a/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
+++ b/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
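Review bot: `or .Values.certManager.enabled .Values.serviceCa.enabled` is spelled out five times in this hunk (the containerPort, both probe ports, both probe schemes) and again in the volumeMounts and args hunks above, so the next TLS source means editing every one of those lines and a missed one silently leaves a probe on HTTP against an HTTPS port. Binding the decision once near the top of the template, `{{- $tls := or .Values.certManager.enabled .Values.serviceCa.enabled }}`, and writing `{{ if $tls }}` at each site keeps the condition in a single place; the @@ -92 hunk of 0000_50_olm_08-catalog-operator.deployment.yaml repeats the same pattern and would benefit equally. The container spec these lines belong to starts above the hunk.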
@@ -30,6 +30,13 @@ spec:
       - name: profile-collector-cert
         secret:
           secretName: {{ .Values.certManager.certificate.secretName }}
+      {{- else if .Values.serviceCa.enabled }}
+      - name: srv-cert
+        secret:
+          secretName: {{ .Values.serviceCa.catalogOperator.secretName }}
+      - name: profile-collector-cert
+        secret:
+          secretName: {{ .Values.serviceCa.catalogOperator.secretName }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -41,7 +48,7 @@ spec:
           capabilities:
             drop: [ "ALL" ]
         volumeMounts:
-        {{- if .Values.certManager.enabled }}
+        {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
         - name: srv-cert
           mountPath: "/srv-cert"
           readOnly: true
@@ -71,7 +78,7 @@ spec:
         - --writeStatusName
         - {{ .Values.writeStatusNameCatalog }}
         {{- end }}
-        {{- if .Values.certManager.enabled }}
+        {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
         - --tls-cert
         - /srv-cert/tls.crt
         - --tls-key
@@ -92,18 +99,18 @@ spec:
         {{- end }}
         imagePullPolicy: {{ .Values.catalog.image.pullPolicy }}
         ports:
-        - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+        - containerPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
           name: metrics
         livenessProbe:
           httpGet:
             path: /healthz
-            port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
-            scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+            port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+            scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
         readinessProbe:
           httpGet:
             path: /healthz
-            port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
-            scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+            port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+            scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
         terminationMessagePolicy: FallbackToLogsOnError
         {{- if .Values.catalog.resources }}
         resources:
diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml
index 416b4e419a..af9968d327 100644
--- a/deploy/chart/values.yaml
+++ b/deploy/chart/values.yaml
@@ -27,6 +27,7 @@ olm:
     ref: quay.io/operator-framework/olm:master
     pullPolicy: Always
   service:
+    name: olm-operator-metrics
     internalPort: 8080
     internalPortHttps: 8443
     externalPort: metrics
@@ -46,6 +47,7 @@ catalog:
     ref: quay.io/operator-framework/olm:master
     pullPolicy: Always
   service:
+    name: catalog-operator-metrics
     internalPort: 8080
     internalPortHttps: 8443
     externalPort: metrics
@@ -89,6 +91,18 @@ certManager:
   extraDnsNames: []
   extraIpAddresses: []
 
+# OpenShift service-ca configuration
+# When enabled, uses OpenShift service-ca-operator for certificate management
+# This is mutually exclusive with certManager - only one should be enabled
+serviceCa:
+  enabled: false
+  # Secret names are left empty in upstream, to be filled by downstream values.yaml
+  # Service names are taken from olm.service.name and catalog.service.name
+  olmOperator:
+    secretName: ""
+  catalogOperator:
+    secretName: ""
+
 networkPolicy:
   dns:
     ports:
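Review bot: `olm.service.name` and `catalog.service.name` now decide the metrics Service names, but nothing in the values file says that they also feed the service-ca annotation, which (if service-ca behaves as its documentation describes) issues the serving certificate for `<name>.<namespace>.svc`; renaming a Service here therefore changes the subject the operators present, and a comment above each added `name:` such as `# Service name; with serviceCa.enabled the serving cert is issued for this name` would make that coupling visible. The `secretName: ""` defaults are consistent with `enabled: false`, but the comment could state what a downstream values file must supply, e.g. `# must name the Secret the service-ca annotation populates; required once enabled is true`, since the templates in this commit render the empty string as-is.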