From 6f47b85b2996f3b8909fb60668ea611922067bae Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Job=20C=C3=A9spedes=20Ortiz?= Date: Wed, 5 Feb 2025 13:18:58 -0600 Subject: [PATCH 1/3] feat: update operator sdk version From 1.33 to 1.39.1 Fixes: https://github.com/krestomatio/moodle-operator/issues/246 --- Dockerfile | 4 +- Makefile-dist.mk | 17 +++--- bundle.Dockerfile | 2 +- ...er-manager-metrics-service_v1_service.yaml | 6 +-- ...c.authorization.k8s.io_v1_clusterrole.yaml | 6 +-- ...moodle-operator.clusterserviceversion.yaml | 6 +-- bundle/tests/scorecard/config.yaml | 12 ++--- config/crd/kustomization.yaml | 2 +- config/default/kustomization.yaml | 21 +++++--- config/default/manager_auth_proxy_patch.yaml | 40 -------------- config/default/manager_config_patch.yaml | 10 ---- config/default/manager_metrics_patch.yaml | 12 +++++ .../metrics_service.yaml} | 8 +-- config/manager/manager.yaml | 19 +++---- .../network-policy/allow-metrics-traffic.yaml | 26 ++++++++++ config/network-policy/kustomization.yaml | 2 + config/prometheus/monitor.yaml | 18 ++++--- .../rbac/auth_proxy_client_clusterrole.yaml | 16 ------ config/rbac/auth_proxy_role.yaml | 24 --------- config/rbac/auth_proxy_role_binding.yaml | 19 ------- config/rbac/kustomization.yaml | 29 ++++++++--- config/rbac/leader_election_role.yaml | 6 +-- config/rbac/leader_election_role_binding.yaml | 6 +-- config/rbac/metrics_auth_role.yaml | 17 ++++++ config/rbac/metrics_auth_role_binding.yaml | 12 +++++ config/rbac/metrics_reader_role.yaml | 9 ++++ config/rbac/moodle_editor_role.yaml | 6 +-- config/rbac/moodle_viewer_role.yaml | 6 +-- config/rbac/nginx_editor_role.yaml | 6 +-- config/rbac/nginx_viewer_role.yaml | 6 +-- config/rbac/phpfpm_editor_role.yaml | 6 +-- config/rbac/phpfpm_viewer_role.yaml | 6 +-- config/rbac/role.yaml | 2 +- config/rbac/role_binding.yaml | 6 +-- config/rbac/routine_editor_role.yaml | 6 +-- config/rbac/routine_viewer_role.yaml | 6 +-- config/rbac/service_account.yaml | 6 +-- config/samples/kustomization.yaml | 2 +- config/scorecard/kustomization.yaml | 10 ++-- 
config/scorecard/patches/basic.config.yaml | 2 +- config/scorecard/patches/olm.config.yaml | 10 ++-- config/testing/kustomization.yaml | 28 ++++++---- config/testing/postgres/kustomization.yaml | 52 +++++++++---------- hack/mk | 2 +- molecule | 2 +- requirements.yml | 6 +-- watches.yaml | 2 +- 47 files changed, 227 insertions(+), 300 deletions(-) delete mode 100644 config/default/manager_auth_proxy_patch.yaml delete mode 100644 config/default/manager_config_patch.yaml create mode 100644 config/default/manager_metrics_patch.yaml rename config/{rbac/auth_proxy_service.yaml => default/metrics_service.yaml} (53%) create mode 100644 config/network-policy/allow-metrics-traffic.yaml create mode 100644 config/network-policy/kustomization.yaml delete mode 100644 config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 config/rbac/auth_proxy_role.yaml delete mode 100644 config/rbac/auth_proxy_role_binding.yaml create mode 100644 config/rbac/metrics_auth_role.yaml create mode 100644 config/rbac/metrics_auth_role_binding.yaml create mode 100644 config/rbac/metrics_reader_role.yaml diff --git a/Dockerfile b/Dockerfile index 86fad31..a78aaad 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Stage to install krestomatio collection -FROM quay.io/operator-framework/ansible-operator:v1.33.0 AS collection +FROM quay.io/operator-framework/ansible-operator:v1.37.1 AS collection ## Install krestomatio collection ARG COLLECTION_FILE="krestomatio-k8s-master.tar.gz" @@ -9,7 +9,7 @@ COPY $COLLECTION_FILE /tmp/$COLLECTION_FILE RUN ansible-galaxy collection install /tmp/${COLLECTION_FILE} # Stage to build operator container -FROM quay.io/operator-framework/ansible-operator:v1.33.0 +FROM quay.io/operator-framework/ansible-operator:v1.37.1 ## Install kubectl ENV KUBECTL_VERSION="1.26.6" diff --git a/Makefile-dist.mk b/Makefile-dist.mk index cad87ac..a8aa830 100644 --- a/Makefile-dist.mk +++ b/Makefile-dist.mk 
@@ -48,7 +48,7 @@ endif # Set the Operator SDK version to use. By default, what is installed on the system is used. # This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit. -OPERATOR_SDK_VERSION ?= v1.33.0 +OPERATOR_SDK_VERSION ?= v1.39.1 # Image URL to use all building/pushing image targets IMG ?= controller:latest @@ -96,14 +96,11 @@ docker-push: ## Push docker image with the manager. # To properly provided solutions that supports more than one platform you should use this option. PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le .PHONY: docker-buildx -docker-buildx: test ## Build and push docker image for the manager for cross-platform support - # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile - sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross +docker-buildx: ## Build and push docker image for the manager for cross-platform support - docker buildx create --name project-v3-builder docker buildx use project-v3-builder - - docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . + - docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile . - docker buildx rm project-v3-builder - rm Dockerfile.cross ##@ Deployment @@ -135,7 +132,7 @@ ifeq (,$(shell which kustomize 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(KUSTOMIZE)) ;\ - curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.0.1/kustomize_v5.0.1_$(OS)_$(ARCH).tar.gz | \ + curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.4.3/kustomize_v5.4.3_$(OS)_$(ARCH).tar.gz | \ tar xzf - -C bin/ ;\ } else 
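Review bot: The rewritten `docker-buildx` target drops the `test` prerequisite that the removed line carried (`docker-buildx: test`), so a cross-platform build can now push an image that has never run the test suite. If that is deliberate to match the new scaffold, the CI job that invokes this target should run `make test` first; otherwise restore it with `docker-buildx: test ## Build and push docker image for the manager for cross-platform support`. A one-line comment stating which of the two applies would save the next maintainer from guessing.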
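Review bot: The new kustomize download URL is still piped from `curl -sSLo -` straight into `tar xzf -` with no checksum or signature verification, so the build trusts whatever the release endpoint serves for that tag. Kustomize releases publish a checksums file; downloading the tarball to `$(LOCALBIN)`, verifying it with `sha256sum -c` against a pinned digest, and only then extracting would pin the exact artifact. The ansible-operator binary fetched in the following hunk has the same gap and would benefit from the same check.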
@@ -151,7 +148,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null)) @{ \ set -e ;\ mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\ - curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.33.0/ansible-operator_$(OS)_$(ARCH) ;\ + curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/ansible-operator-plugins/releases/download/v1.37.1/ansible-operator_$(OS)_$(ARCH) ;\ chmod +x $(ANSIBLE_OPERATOR) ;\ } else @@ -160,7 +157,7 @@ endif endif .PHONY: operator-sdk -OPERATOR_SDK ?= ./bin/operator-sdk +OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk operator-sdk: ## Download operator-sdk locally if necessary. ifeq (,$(wildcard $(OPERATOR_SDK))) ifeq (, $(shell which operator-sdk 2>/dev/null)) @@ -191,7 +188,7 @@ bundle-push: ## Push the bundle image. $(MAKE) docker-push IMG=$(BUNDLE_IMG) .PHONY: opm -OPM = ./bin/opm +OPM = $(LOCALBIN)/opm opm: ## Download opm locally if necessary. ifeq (,$(wildcard $(OPM))) ifeq (,$(shell which opm 2>/dev/null)) diff --git a/bundle.Dockerfile b/bundle.Dockerfile index ef2c9b6..1229001 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=moodle-operator LABEL operators.operatorframework.io.bundle.channels.v1=alpha -LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.33.0 +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.39.1 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=ansible.sdk.operatorframework.io/v1 diff --git a/bundle/manifests/moodle-operator-controller-manager-metrics-service_v1_service.yaml b/bundle/manifests/moodle-operator-controller-manager-metrics-service_v1_service.yaml index 528aae5..40fc645 100644 
--- a/bundle/manifests/moodle-operator-controller-manager-metrics-service_v1_service.yaml +++ b/bundle/manifests/moodle-operator-controller-manager-metrics-service_v1_service.yaml @@ -3,12 +3,8 @@ kind: Service metadata: creationTimestamp: null labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/instance: controller-manager-metrics-service + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: service - app.kubernetes.io/part-of: moodle-operator control-plane: controller-manager name: moodle-operator-controller-manager-metrics-service spec: diff --git a/bundle/manifests/moodle-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/moodle-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml index b928cb9..724f3c3 100644 --- a/bundle/manifests/moodle-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ b/bundle/manifests/moodle-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -3,12 +3,8 @@ kind: ClusterRole metadata: creationTimestamp: null labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/instance: metrics-reader app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: clusterrole - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator name: moodle-operator-metrics-reader rules: - nonResourceURLs: diff --git a/bundle/manifests/moodle-operator.clusterserviceversion.yaml b/bundle/manifests/moodle-operator.clusterserviceversion.yaml index df2bf45..95b5505 100644 --- a/bundle/manifests/moodle-operator.clusterserviceversion.yaml +++ b/bundle/manifests/moodle-operator.clusterserviceversion.yaml 
@@ -284,12 +284,8 @@ spec: serviceAccountName: moodle-operator-controller-manager deployments: - label: - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/instance: controller-manager + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: deployment - app.kubernetes.io/part-of: moodle-operator control-plane: controller-manager name: moodle-operator-controller-manager spec: diff --git a/bundle/tests/scorecard/config.yaml b/bundle/tests/scorecard/config.yaml index d5b4b3e..924ca62 100644 --- a/bundle/tests/scorecard/config.yaml +++ b/bundle/tests/scorecard/config.yaml @@ -8,7 +8,7 @@ stages: - entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.39.1 labels: suite: basic test: basic-check-spec-test @@ -18,7 +18,7 @@ stages: - entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.39.1 labels: suite: olm test: olm-bundle-validation-test @@ -28,7 +28,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.39.1 labels: suite: olm test: olm-crds-have-validation-test @@ -38,7 +38,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.39.1 labels: suite: olm test: olm-crds-have-resources-test @@ -48,7 +48,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.39.1 labels: suite: olm test: olm-spec-descriptors-test 
@@ -58,7 +58,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.39.1 labels: suite: olm test: olm-status-descriptors-test diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index c3cb9cf..05d3027 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -6,4 +6,4 @@ resources: - bases/m4e.krestomat.io_routines.yaml - bases/m4e.krestomat.io_nginxes.yaml - bases/m4e.krestomat.io_phpfpms.yaml -#+kubebuilder:scaffold:crdkustomizeresource +# +kubebuilder:scaffold:crdkustomizeresource diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 019b850..50d0ca6 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -20,11 +20,18 @@ resources: - ../manager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [METRICS] Expose the controller manager metrics service. +- metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy -patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml - - +# Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager +patches: +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics +- path: manager_metrics_patch.yaml + target: + kind: Deployment diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 31e0b29..0000000 --- a/config/default/manager_auth_proxy_patch.yaml +++ /dev/null 
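Review bot: The new `patches` entry targets `kind: Deployment` with no `name`, so the JSON-patch ops in manager_metrics_patch.yaml, which index `containers/0/args/0`, are applied to every Deployment that ends up in this kustomization rather than only the controller manager; adding `name: controller-manager` under `target:` prevents the patch from silently rewriting another Deployment if one is ever added. Separately, `#- ../network-policy` stays commented out, so the NetworkPolicy described in the comment above it is not installed by default and the metrics port is reachable from any pod that can route to it, with only the endpoint's own RBAC check (assuming the manager honors the new flags) standing in the way. A note such as `# NOTE: metrics stay network-reachable cluster-wide until ../network-policy is enabled` would make that trade-off explicit to whoever deploys this.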
@@ -1,40 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:6789" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" - - "--leader-election-id=moodle-operator" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml deleted file mode 100644 index f6f5891..0000000 --- a/config/default/manager_config_patch.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml new file mode 100644 index 0000000..a3cb2f1 --- /dev/null +++ b/config/default/manager_metrics_patch.yaml 
@@ -0,0 +1,12 @@ +# This patch adds the args to allow exposing the metrics endpoint using HTTPS +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443 +# This patch adds the args to allow securing the metrics endpoint +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-secure +# This patch adds the args to allow RBAC-based authn/authz the metrics endpoint +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-require-rbac diff --git a/config/rbac/auth_proxy_service.yaml b/config/default/metrics_service.yaml similarity index 53% rename from config/rbac/auth_proxy_service.yaml rename to config/default/metrics_service.yaml index 943c0db..981c315 100644 --- a/config/rbac/auth_proxy_service.yaml +++ b/config/default/metrics_service.yaml @@ -3,11 +3,7 @@ kind: Service metadata: labels: control-plane: controller-manager - app.kubernetes.io/name: service - app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize name: controller-manager-metrics-service namespace: system @@ -16,6 +12,6 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: control-plane: controller-manager diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index fbc898e..957bd9e 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -3,11 +3,7 @@ kind: Namespace metadata: labels: control-plane: controller-manager - app.kubernetes.io/name: namespace - app.kubernetes.io/instance: system - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize name: system --- 
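Review bot: The three ops in manager_metrics_patch.yaml pass `--metrics-secure` and `--metrics-require-rbac` to the manager, but the Dockerfile in this commit pins the runtime image to ansible-operator v1.37.1 while the SDK moves to v1.39.1; if that binary does not recognize these flags the Deployment will crash-loop at startup, so this should be confirmed against the v1.37.1 flag set before merging. Assuming the flags are honored and no certificate is mounted, the metrics listener presumably serves a self-signed certificate generated at startup, which is the reason monitor.yaml still needs `insecureSkipVerify: true`; a comment here stating that, e.g. `# no cert is mounted: the manager serves a self-signed cert, so scrapers must either skip verification or be given a cert via cert-manager`, would connect the two files. Also note that each `op: add` at `args/0` prepends, so the effective argument order is the reverse of the file order — harmless, but worth a comment so nobody "fixes" it.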
@@ -18,11 +14,7 @@ metadata: namespace: system labels: control-plane: controller-manager - app.kubernetes.io/name: deployment - app.kubernetes.io/instance: controller-manager - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize spec: selector: @@ -67,8 +59,9 @@ spec: # type: RuntimeDefault containers: - args: - - --leader-elect - - --leader-election-id=moodle-operator + - --leader-elect + - --leader-election-id=moodle-operator + - --health-probe-bind-address=:6789 image: controller:latest name: manager env: @@ -78,7 +71,7 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - "ALL" + - "ALL" livenessProbe: httpGet: path: /healthz diff --git a/config/network-policy/allow-metrics-traffic.yaml b/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 0000000..98b4ebe --- /dev/null +++ b/config/network-policy/allow-metrics-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: moodle-operator + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP diff --git a/config/network-policy/kustomization.yaml b/config/network-policy/kustomization.yaml new file mode 100644 index 0000000..ec0fb5e --- /dev/null 
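Review bot: The `seccompProfile` block just above the edited args is still commented out (`# type: RuntimeDefault` is visible in context), so the manager pod runs with no seccomp profile even though the rest of the securityContext in this hunk is hardened with `allowPrivilegeEscalation: false` and `drop: ["ALL"]`; uncommenting `seccompProfile: {type: RuntimeDefault}` is a low-risk improvement for a pod that only talks to the API server. The enclosing Deployment spec starts before and ends after this hunk, so `runAsNonRoot` cannot be confirmed from here. No `ports` entry is visible in this hunk for the 8443 listener that metrics_service.yaml now targets by number; declaring `ports: [{containerPort: 8443, name: https, protocol: TCP}]` would let the Service keep a named `targetPort` and documents the listener in the pod spec.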
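Review bot: allow-metrics-traffic.yaml selects the controller-manager pod with `policyTypes: [Ingress]` and a single allow rule for 8443, so once `../network-policy` is enabled every other ingress to that pod is denied, including the health-probe port 6789 the manager now binds; whether kubelet probes bypass NetworkPolicy depends on the CNI, so this should be verified on the target cluster before it is turned on. The allow rule is keyed only on a namespace label (`metrics: enabled`), which anyone able to label a namespace can set, so it is a coarse filter and not a substitute for the RBAC check on the endpoint. A comment in the file stating both limits, e.g. `# NOTE: denies all other ingress to the manager pod (verify probes still pass on your CNI); the namespace label is not an auth boundary`, would help operators who enable it.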
+++ b/config/network-policy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- allow-metrics-traffic.yaml diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index 7d93bd2..29a8b42 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml @@ -1,25 +1,29 @@ - # Prometheus Monitor Service (Metrics) apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: control-plane: controller-manager - app.kubernetes.io/name: servicemonitor - app.kubernetes.io/instance: controller-manager-metrics-monitor - app.kubernetes.io/component: metrics - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize name: controller-manager-metrics-monitor namespace: system spec: endpoints: - path: /metrics - port: https + port: https # Ensure this is the name of the port that exposes HTTPS metrics scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: + # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables + # certificate verification. This poses a significant security risk by making the system vulnerable to + # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between + # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, + # compromising the integrity and confidentiality of the information. + # Please use the following options for secure configurations: + # caFile: /etc/metrics-certs/ca.crt + # certFile: /etc/metrics-certs/tls.crt + # keyFile: /etc/metrics-certs/tls.key insecureSkipVerify: true selector: matchLabels: diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index 292ee4c..0000000 
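Review bot: The ServiceMonitor still sends Prometheus's service-account bearer token (`bearerTokenFile`) over a TLS connection with `insecureSkipVerify: true`, so any in-cluster endpoint that can get itself in the path to the metrics Service receives a token that, under `--metrics-require-rbac`, is a live cluster credential; the new TODO comment names the risk but leaves the insecure default in place. Since the manager apparently serves a self-signed certificate unless one is provided, the practical fix is to issue a serving cert with cert-manager, mount its CA into Prometheus, and replace `insecureSkipVerify: true` with `caFile: /etc/metrics-certs/ca.crt` plus `serverName: <prefix>-controller-manager-metrics-service.<namespace>.svc`. If the insecure setting must stay for now, the comment should say that the token is exposed to a spoofed endpoint, not only that metrics data is.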
--- a/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index f39da0f..0000000 --- a/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index 8f356d9..0000000 --- a/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 731832a..e3fc198 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml 
@@ -9,10 +9,25 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml +# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. Those roles are +# not used by the Project itself. You can comment the following lines +# if you do not want those helpers be installed with your Project. +- nginx_editor_role.yaml +- nginx_viewer_role.yaml +- phpfpm_editor_role.yaml +- phpfpm_viewer_role.yaml +- routine_editor_role.yaml +- routine_viewer_role.yaml +- moodle_editor_role.yaml +- moodle_viewer_role.yaml + diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml index 4a156b9..62f5bf7 100644 --- a/config/rbac/leader_election_role.yaml +++ b/config/rbac/leader_election_role.yaml @@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - app.kubernetes.io/name: role - app.kubernetes.io/instance: leader-election-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize name: leader-election-role rules: 
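Review bot: The new comment in config/rbac/kustomization.yaml says to "Comment the following permissions if you want to disable this protection", but removing metrics_auth_role.yaml and its binding while manager_metrics_patch.yaml still passes `--metrics-require-rbac` does not disable anything — it strips the manager SA of the TokenReview/SubjectAccessReview permissions the flag needs, so every scrape presumably fails authentication instead. Reword to `# To disable metrics authn/authz, remove these three files AND drop --metrics-secure / --metrics-require-rbac from config/default/manager_metrics_patch.yaml` so the two changes are made together. The editor/viewer ClusterRoles added below are cluster-scoped but unbound, which is fine; the comment could add that they grant nothing until an admin binds them.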
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml index 3d9cd7c..2c6f096 100644 --- a/config/rbac/leader_election_role_binding.yaml +++ b/config/rbac/leader_election_role_binding.yaml @@ -2,11 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - app.kubernetes.io/name: rolebinding - app.kubernetes.io/instance: leader-election-rolebinding - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize name: leader-election-rolebinding roleRef: diff --git a/config/rbac/metrics_auth_role.yaml b/config/rbac/metrics_auth_role.yaml new file mode 100644 index 0000000..32d2e4e --- /dev/null +++ b/config/rbac/metrics_auth_role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/config/rbac/metrics_auth_role_binding.yaml b/config/rbac/metrics_auth_role_binding.yaml new file mode 100644 index 0000000..e775d67 --- /dev/null +++ b/config/rbac/metrics_auth_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metrics-auth-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metrics-auth-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/metrics_reader_role.yaml b/config/rbac/metrics_reader_role.yaml new file mode 100644 index 0000000..51a75db --- /dev/null +++ b/config/rbac/metrics_reader_role.yaml 
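Review bot: metrics_auth_role.yaml and metrics_auth_role_binding.yaml are created with no `metadata.labels`, while every other RBAC object touched by this commit is relabeled with `app.kubernetes.io/name: moodle-operator` and `app.kubernetes.io/managed-by: kustomize`; label-driven inventory or cleanup will miss these two. Add the same two labels under `metadata:` in both files. The binding itself grants the manager SA `create` on tokenreviews and subjectaccessreviews cluster-wide, which is the minimum `--metrics-require-rbac` needs and looks right.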
@@ -0,0 +1,9 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-reader +rules: +- nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/config/rbac/moodle_editor_role.yaml b/config/rbac/moodle_editor_role.yaml index 55f7dcb..afa8baf 100644 --- a/config/rbac/moodle_editor_role.yaml +++ b/config/rbac/moodle_editor_role.yaml @@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: moodle-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize name: moodle-editor-role rules: diff --git a/config/rbac/moodle_viewer_role.yaml b/config/rbac/moodle_viewer_role.yaml index 263388b..99f5cca 100644 --- a/config/rbac/moodle_viewer_role.yaml +++ b/config/rbac/moodle_viewer_role.yaml @@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: moodle-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize name: moodle-viewer-role rules: diff --git a/config/rbac/nginx_editor_role.yaml b/config/rbac/nginx_editor_role.yaml index 3fdc507..d8e1bff 100644 --- a/config/rbac/nginx_editor_role.yaml +++ b/config/rbac/nginx_editor_role.yaml 
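Review bot: The `metrics-reader` ClusterRole is created but nothing in this diff binds it, and with `--metrics-require-rbac` a scraper whose ServiceAccount is not bound to it will be rejected; the bundle manifest in this commit likewise ships only the ClusterRole. Add a header comment such as `# Not bound by default: bind this ClusterRole to the scraping ServiceAccount (e.g. Prometheus) with a ClusterRoleBinding, otherwise scrapes are refused.` so the deployer knows the step is theirs. This file also lacks the `app.kubernetes.io/name` / `managed-by` labels the rest of config/rbac now carries.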
@@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: nginx-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize name: nginx-editor-role rules: diff --git a/config/rbac/nginx_viewer_role.yaml b/config/rbac/nginx_viewer_role.yaml index 936573d..62630db 100644 --- a/config/rbac/nginx_viewer_role.yaml +++ b/config/rbac/nginx_viewer_role.yaml @@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: nginx-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize name: nginx-viewer-role rules: diff --git a/config/rbac/phpfpm_editor_role.yaml b/config/rbac/phpfpm_editor_role.yaml index d388b2b..4558f86 100644 --- a/config/rbac/phpfpm_editor_role.yaml +++ b/config/rbac/phpfpm_editor_role.yaml @@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: phpfpm-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: moodle-operator - app.kubernetes.io/part-of: moodle-operator + app.kubernetes.io/name: moodle-operator app.kubernetes.io/managed-by: kustomize name: phpfpm-editor-role rules: diff --git a/config/rbac/phpfpm_viewer_role.yaml b/config/rbac/phpfpm_viewer_role.yaml index bedcbfb..e0eba41 100644 --- a/config/rbac/phpfpm_viewer_role.yaml +++ b/config/rbac/phpfpm_viewer_role.yaml 
@@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: phpfpm-viewer-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: moodle-operator
- app.kubernetes.io/part-of: moodle-operator
+ app.kubernetes.io/name: moodle-operator
 app.kubernetes.io/managed-by: kustomize
 name: phpfpm-viewer-role
 rules:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 1d7447c..e7c89d5 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -181,4 +181,4 @@ rules:
 - patch
 - update
 - watch
-#+kubebuilder:scaffold:rules
+# +kubebuilder:scaffold:rules
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index b498975..5cfa476 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -2,11 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 labels:
- app.kubernetes.io/name: clusterrolebinding
- app.kubernetes.io/instance: manager-rolebinding
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: moodle-operator
- app.kubernetes.io/part-of: moodle-operator
+ app.kubernetes.io/name: moodle-operator
 app.kubernetes.io/managed-by: kustomize
 name: manager-rolebinding
 roleRef:
diff --git a/config/rbac/routine_editor_role.yaml b/config/rbac/routine_editor_role.yaml
index 3076abd..babc664 100644
--- a/config/rbac/routine_editor_role.yaml
+++ b/config/rbac/routine_editor_role.yaml
@@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: routine-editor-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: moodle-operator
- app.kubernetes.io/part-of: moodle-operator
+ app.kubernetes.io/name: moodle-operator
 app.kubernetes.io/managed-by: kustomize
 name: routine-editor-role
 rules:
diff --git a/config/rbac/routine_viewer_role.yaml b/config/rbac/routine_viewer_role.yaml
index 7ea6034..6dc48da 100644
--- a/config/rbac/routine_viewer_role.yaml
+++ b/config/rbac/routine_viewer_role.yaml
@@ -3,11 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: routine-viewer-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: moodle-operator
- app.kubernetes.io/part-of: moodle-operator
+ app.kubernetes.io/name: moodle-operator
 app.kubernetes.io/managed-by: kustomize
 name: routine-viewer-role
 rules:
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
index 83d051a..2a93782 100644
--- a/config/rbac/service_account.yaml
+++ b/config/rbac/service_account.yaml
@@ -2,11 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 labels:
- app.kubernetes.io/name: serviceaccount
- app.kubernetes.io/instance: controller-manager-sa
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: moodle-operator
- app.kubernetes.io/part-of: moodle-operator
+ app.kubernetes.io/name: moodle-operator
 app.kubernetes.io/managed-by: kustomize
 name: controller-manager
 namespace: system
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
index 160ca22..608eeff 100644
--- a/config/samples/kustomization.yaml
+++ b/config/samples/kustomization.yaml
@@ -3,4 +3,4 @@
 # - path: patch/gke/https_lb.yaml # patch to use GKE Ingress for HTTP(S) Load Balancing
 resources:
 - m4e_v1alpha1_moodle.yaml
-#+kubebuilder:scaffold:manifestskustomizesamples
+# +kubebuilder:scaffold:manifestskustomizesamples
diff --git a/config/scorecard/kustomization.yaml b/config/scorecard/kustomization.yaml
index 50cd2d0..54e8aa5 100644
--- a/config/scorecard/kustomization.yaml
+++ b/config/scorecard/kustomization.yaml
@@ -1,16 +1,18 @@
 resources:
 - bases/config.yaml
-patchesJson6902:
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+patches:
 - path: patches/basic.config.yaml
 target:
 group: scorecard.operatorframework.io
- version: v1alpha3
 kind: Configuration
 name: config
+ version: v1alpha3
 - path: patches/olm.config.yaml
 target:
 group: scorecard.operatorframework.io
- version: v1alpha3
 kind: Configuration
 name: config
-#+kubebuilder:scaffold:patchesJson6902
+ version: v1alpha3
+# +kubebuilder:scaffold:patches
diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml
index a2f1589..b9ec7c6 100644
--- a/config/scorecard/patches/basic.config.yaml
+++ b/config/scorecard/patches/basic.config.yaml
@@ -4,7 +4,7 @@
 entrypoint:
 - scorecard-test
 - basic-check-spec
- image: quay.io/operator-framework/scorecard-test:v1.33.0
+ image: quay.io/operator-framework/scorecard-test:v1.39.1
 labels:
 suite: basic
 test: basic-check-spec-test
diff --git a/config/scorecard/patches/olm.config.yaml b/config/scorecard/patches/olm.config.yaml
index 9b7ca41..25d83f9 100644
--- a/config/scorecard/patches/olm.config.yaml
+++ b/config/scorecard/patches/olm.config.yaml
@@ -4,7 +4,7 @@
 entrypoint:
 - scorecard-test
 - olm-bundle-validation
- image: quay.io/operator-framework/scorecard-test:v1.33.0
+ image: quay.io/operator-framework/scorecard-test:v1.39.1
 labels:
 suite: olm
 test: olm-bundle-validation-test
@@ -14,7 +14,7 @@
 entrypoint:
 - scorecard-test
 - olm-crds-have-validation
- image: quay.io/operator-framework/scorecard-test:v1.33.0
+ image: quay.io/operator-framework/scorecard-test:v1.39.1
 labels:
 suite: olm
 test: olm-crds-have-validation-test
@@ -24,7 +24,7 @@
 entrypoint:
 - scorecard-test
 - olm-crds-have-resources
- image: quay.io/operator-framework/scorecard-test:v1.33.0
+ image: quay.io/operator-framework/scorecard-test:v1.39.1
 labels:
 suite: olm
 test: olm-crds-have-resources-test
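Review bot: The added `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization` lines land after `resources:` rather than at the top of the file, where `config/testing/postgres/kustomization.yaml` in this same series keeps them, so a reader skimming for the document type finds it in the middle of a list. Moving the two lines above `resources:` is purely cosmetic but keeps the overlays consistent. The `patchesJson6902` → `patches` rename relies on kustomize detecting the JSON 6902 format from the patch file contents, so `patches/basic.config.yaml` and `patches/olm.config.yaml` must remain op-list documents for the `target` selectors to be honoured; the later hunks in those files suggest they do.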
@@ -34,7 +34,7 @@
 entrypoint:
 - scorecard-test
 - olm-spec-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.33.0
+ image: quay.io/operator-framework/scorecard-test:v1.39.1
 labels:
 suite: olm
 test: olm-spec-descriptors-test
@@ -44,7 +44,7 @@
 entrypoint:
 - scorecard-test
 - olm-status-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.33.0
+ image: quay.io/operator-framework/scorecard-test:v1.39.1
 labels:
 suite: olm
 test: olm-status-descriptors-test
diff --git a/config/testing/kustomization.yaml b/config/testing/kustomization.yaml
index 8708098..c432c59 100644
--- a/config/testing/kustomization.yaml
+++ b/config/testing/kustomization.yaml
@@ -1,22 +1,29 @@
+# Adds namespace to all resources.
+namespace: moodle-test
+
+namePrefix: moodle-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+# someName: someValue
+
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: moodle-pr-0-0-ns
-namePrefix: moodle-pr-0-0-
 resources:
 - ../crd
 - ../rbac
 - ../manager
-patchesStrategicMerge:
-- manager_image.yaml
-- debug_logs_patch.yaml
-- watch_namespace_patch.yaml
-- ../default/manager_auth_proxy_patch.yaml
-- ../manager/profile_tasks_patch.yaml
 images:
 - name: testing
- newName: harbor.krestomat.io/kio-builds/moodle-operator
- newTag: 66cf5e1668e0851a76466792af9e334cad0e3166
+ newName: testing-operator
 patches:
+- path: manager_image.yaml
+- path: debug_logs_patch.yaml
+- path: ../default/manager_metrics_patch.yaml
+ target:
+ kind: Deployment
+- path: watch_namespace_patch.yaml
+- path: ../manager/profile_tasks_patch.yaml
 - patch: |-
 - op: add
 path: /spec/template/spec/containers/0/args/-
@@ -32,4 +39,3 @@ patches:
 value: --ansible-args='-D'
 target:
 kind: Deployment
-- path: pull_policy/Always.yaml
diff --git a/config/testing/postgres/kustomization.yaml b/config/testing/postgres/kustomization.yaml
index b3bfff1..768c68c 100644
--- a/config/testing/postgres/kustomization.yaml
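Review bot: Under `images:` in `config/testing/kustomization.yaml` the entry for `testing` now carries only `newName: testing-operator`; the `newTag` that previously pinned the test image to a specific build is gone, so the rewritten reference has no tag and resolves to `testing-operator:latest`. The second hunk in that file also removes `pull_policy/Always.yaml`, so whether a fresh image is pulled on each test run now depends on the `imagePullPolicy` of the `../manager` Deployment, which is outside this view: Kubernetes defaults it to Always for an untagged or `:latest` reference, but an explicit value there takes precedence. If the untagged reference is intentional for the test overlay, a comment such as `# newTag intentionally omitted; the reference resolves to testing-operator:latest. Set newTag here to pin the test image to a specific build.` above the entry would say so; otherwise `newTag` should be restored.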
+++ b/config/testing/postgres/kustomization.yaml
@@ -1,8 +1,8 @@
 # Install postgres operator
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: moodle-pr-0-0-ns
-namePrefix: moodle-pr-0-0-
+namespace: moodle-test
+namePrefix: moodle-
 resources:
 - github.com/krestomatio/postgres-operator/config/default?ref=main
 patches:
@@ -13,28 +13,26 @@ patches:
 target:
 kind: Service
 name: postgres-operator-controller-manager-metrics-service
-patchesStrategicMerge:
-- |-
- apiVersion: v1
- kind: Namespace
- metadata:
- name: system
- labels:
- app.kubernetes.io/created-by: moodle-operator
- app.kubernetes.io/part-of: moodle-operator
-- |-
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: controller-manager
- namespace: system
- spec:
- template:
- spec:
- containers:
- - name: manager
- env:
- - name: WATCH_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
+- patch: |-
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: system
+ labels:
+ app.kubernetes.io/name: moodle-operator
+- patch: |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: controller-manager
+ namespace: system
+ spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ env:
+ - name: WATCH_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
diff --git a/hack/mk b/hack/mk
index bea15de..415eb96 160000
--- a/hack/mk
+++ b/hack/mk
@@ -1 +1 @@
-Subproject commit bea15dec84c7f0ba9bc45a0064a527c53db4402c
+Subproject commit 415eb96cf416613e6f694be39c234a7fcdf8f7ed
diff --git a/molecule b/molecule
index c2586a6..2de6191 160000
--- a/molecule
+++ b/molecule
@@ -1 +1 @@
-Subproject commit c2586a63496a149af2a507e96c08760aa1cd43f1
+Subproject commit 2de61919b8f335f6aa27cb72e17b4713fbb1f3a8
diff --git a/requirements.yml b/requirements.yml
index 8baf919..9246f89 100644
--- a/requirements.yml
+++ b/requirements.yml
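Review bot: With `namespace: moodle-test` and `namePrefix: moodle-` now fixed in this overlay, its output still depends on the unchanged base `- github.com/krestomatio/postgres-operator/config/default?ref=main`, which follows a moving branch, so two runs of the same commit can deploy different postgres-operator manifests into the test namespace. Pinning the ref, `- github.com/krestomatio/postgres-operator/config/default?ref=<pinned-tag-or-commit>`, makes the test environment reproducible and turns base upgrades into an explicit diff. That resource line is a context line not touched by this commit, so this is a follow-up rather than a defect introduced here.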
@@ -3,8 +3,8 @@ collections:
 - name: operator_sdk.util
 version: "0.5.0"
 - name: kubernetes.core
- version: "2.4.0"
+ version: "3.2.0"
 - name: cloud.common
- version: "2.1.1"
+ version: "3.0.0"
 - name: community.docker
- version: "3.4.0"
+ version: "3.12.1"
diff --git a/watches.yaml b/watches.yaml
index d730be0..4c8ec77 100644
--- a/watches.yaml
+++ b/watches.yaml
@@ -86,4 +86,4 @@
 vars:
 cr_kind: Routine
-#+kubebuilder:scaffold:watch
+# +kubebuilder:scaffold:watch
From 21a12f098f797ea848e927200bb0f5b6191437f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Job=20C=C3=A9spedes=20Ortiz?=
Date: Thu, 6 Feb 2025 09:47:43 -0600
Subject: [PATCH 2/3] chore: update makefiles
---
 hack/mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/mk b/hack/mk
index 415eb96..a5d8bde 160000
--- a/hack/mk
+++ b/hack/mk
@@ -1 +1 @@
-Subproject commit 415eb96cf416613e6f694be39c234a7fcdf8f7ed
+Subproject commit a5d8bdef905c0987aa9ed7c05b810994638498d0
From 55405a157824330b69b08521bc33fd722ed7e405 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Job=20C=C3=A9spedes=20Ortiz?=
Date: Thu, 6 Feb 2025 12:03:11 -0600
Subject: [PATCH 3/3] chore: update molecule
---
 molecule | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/molecule b/molecule
index 2de6191..7f5ca28 160000
--- a/molecule
+++ b/molecule
@@ -1 +1 @@
-Subproject commit 2de61919b8f335f6aa27cb72e17b4713fbb1f3a8
+Subproject commit 7f5ca28676c4c6ab4a2897a399eb4d242b83ca8f