From 7828b8644058c49c057f40365f60a4e65c1dc7df Mon Sep 17 00:00:00 2001
From: Venktesh
Date: Tue, 17 Dec 2024 12:01:49 +0000
Subject: [PATCH 1/5] update clusterrole
---
.github/workflows/ci.yml | 5 +----
.../nginx-ingress-operator.clusterserviceversion.yaml | 7 +++++++
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 070808cc..4939bd9f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -78,11 +78,8 @@ jobs:
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
- nginx/nginx-ingress-operator
ghcr.io/nginxinc/nginx-ingress-operator
- quay.io/nginx/nginx-ingress-operator
tags: |
- type=edge
type=ref,event=pr
type=semver,pattern={{version}}
labels: |
@@ -106,7 +103,7 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }}
load: ${{ github.event_name == 'pull_request' }}
- push: ${{ github.event_name != 'pull_request' }}
+ push: ${{ github.event_name == 'pull_request' }}
no-cache: ${{ github.event_name != 'pull_request' }}
pull: true
sbom: ${{ github.event_name != 'pull_request' }}
diff --git a/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml b/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml
index 9c71ad4b..d9a5c5a2 100644
--- a/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml
@@ -334,6 +334,13 @@ spec:
- create
- delete
- get
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - list
+ - watch
- apiGroups:
- charts.nginx.org
resources:
From 606ec98040a7e7efb5518b9c7e087f93e937b0b6 Mon Sep 17 00:00:00 2001
From: Venktesh
Date: Tue, 17 Dec 2024 12:04:38 +0000
Subject: [PATCH 2/5] update ci
---
.github/workflows/ci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
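Review bot: `push: ${{ github.event_name == 'pull_request' }}` in the second ci.yml hunk inverts the publish condition so that only pull-request builds would push, while `load`, `no-cache`, `sbom` and the ghcr.io login (`if: github.event_name != 'pull_request'`, itself flipped in patch 2) stay keyed the other way; a PR-triggered push with no login would fail, and if a login were present it would publish images built from unreviewed PR content. The first hunk also drops the `nginx/` and `quay.io/nginx` image names and the `type=edge` tag. Patches 2, 4 and 5 then undo all of this, ending at the same blob index `070808cc` the series started from, and patch 4 additionally introduces `push: ${{ github.event_name = 'pull_request' }}` with a single `=`, which is not a valid comparison in a GitHub Actions expression. Since the ci.yml changes net to nothing, dropping them from the series (or squashing patches 1, 2, 4 and 5) would keep the history bisectable and avoid landing broken intermediate workflows.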
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4939bd9f..b7c3baea 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,7 +47,7 @@ jobs:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- if: github.event_name != 'pull_request'
+ if: github.event_name == 'pull_request'
- name: Login to Quay.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
From 9cefc647c204cb777b8379149246cc6f64b282b4 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Tue, 17 Dec 2024 14:21:01 +0000
Subject: [PATCH 3/5] update ClusterRoles rather Roles for operator watching Leases
---
...ngress-operator.clusterserviceversion.yaml | 62 ++++++------------
config/rbac/leader_election_role.yaml | 14 +----
config/rbac/leader_election_role_binding.yaml | 4 +-
3 files changed, 23 insertions(+), 57 deletions(-)
diff --git a/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml b/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml
index d9a5c5a2..2dc42554 100644
--- a/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/nginx-ingress-operator.clusterserviceversion.yaml
@@ -224,7 +224,7 @@ metadata:
categories: Monitoring, Networking
certified: "true"
containerImage: quay.io/nginx/nginx-ingress-operator:3.0.0
- createdAt: "2024-12-17T10:28:34Z"
+ createdAt: "2024-12-17T14:09:56Z"
description: The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers
features.operators.openshift.io/cnf: "false"
@@ -269,6 +269,25 @@ spec:
spec:
clusterPermissions:
- rules:
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
- apiGroups:
- ""
resources:
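Review bot: The rule added to `clusterPermissions` grants `get/list/watch/create/update/patch/delete` on `coordination.k8s.io` `leases` in every namespace, plus `create/patch` on core `events` cluster-wide, where the removed `permissions` block (hunk `@@ -488,40 +500,6`) scoped the same verbs to the operator's own namespace. The subject line says the operator needs to watch leases, which at most justifies `list`/`watch` at cluster scope; leader election itself only needs the mutating verbs on the lease in the operator's namespace. Keeping the mutating verbs in a namespaced `permissions` rule and limiting the cluster-scoped rule to `- list` and `- watch` would hold the least-privilege line; the same applies to `config/rbac/leader_election_role.yaml` in this patch, from which this bundle entry is presumably generated. The enclosing `clusterPermissions` list continues outside the hunk.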
@@ -334,13 +353,6 @@ spec:
- create
- delete
- get
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - list
- - watch
- apiGroups:
- charts.nginx.org
resources:
@@ -488,40 +500,6 @@ spec:
runAsNonRoot: true
serviceAccountName: nginx-ingress-operator-controller-manager
terminationGracePeriodSeconds: 10
- permissions:
- - rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- serviceAccountName: nginx-ingress-operator-controller-manager
strategy: deployment
installModes:
- supported: true
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
index 89d930db..0cdb5409 100644
--- a/config/rbac/leader_election_role.yaml
+++ b/config/rbac/leader_election_role.yaml
@@ -1,6 +1,6 @@
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: role
@@ -11,18 +11,6 @@ metadata:
app.kubernets.io/managed-by: kustomize
name: leader-election-role
rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- apiGroups:
- coordination.k8s.io
resources:
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
index 88482be7..08808438 100644
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -1,5 +1,5 @@
apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: rolebinding
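Review bot: Changing `kind: Role` to `kind: ClusterRole` in leader_election_role.yaml keeps `name: leader-election-role` and the label `app.kubernetes.io/name: role`, which now describe the wrong kind; a ClusterRole is cluster-scoped, so a generic name like this can collide with another operator's `leader-election-role` unless kustomize applies a namePrefix (not visible here). The matching `ClusterRoleBinding` in leader_election_role_binding.yaml binds a `ServiceAccount` subject, which for a cluster-scoped binding must carry an explicit `namespace:`; the subject's remaining fields lie outside the hunk, so please confirm it is set (kustomize's namespace transformer may fill it in for ServiceAccount subjects). The unchanged context line `app.kubernets.io/managed-by: kustomize` also misspells the label key. The metadata blocks of both files continue outside the hunks.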
@@ -11,7 +11,7 @@ metadata:
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
- kind: Role
+ kind: ClusterRole
name: leader-election-role
subjects:
- kind: ServiceAccount
From cd1d4a49912348cabaa3de387f5cf2d1ec33902c Mon Sep 17 00:00:00 2001
From: Venktesh
Date: Tue, 17 Dec 2024 15:10:01 +0000
Subject: [PATCH 4/5] revert ci changes and update role manifest
---
.github/workflows/ci.yml | 7 +++++--
..._rbac.authorization.k8s.io_v1_clusterrole.yaml | 15 +++++++++++++++
config/rbac/role.yaml | 15 +++++++++++++++
3 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b7c3baea..48f872e5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,7 +47,7 @@ jobs:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- if: github.event_name == 'pull_request'
+ if: github.event_name != 'pull_request'
- name: Login to Quay.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -79,7 +79,10 @@ jobs:
with:
images: |
ghcr.io/nginxinc/nginx-ingress-operator
+ quay.io/nginx/nginx-ingress-operator
+ nginx/nginx-ingress-operator
tags: |
+ type=edge
type=ref,event=pr
type=semver,pattern={{version}}
labels: |
@@ -103,7 +106,7 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }}
load: ${{ github.event_name == 'pull_request' }}
- push: ${{ github.event_name == 'pull_request' }}
+ push: ${{ github.event_name = 'pull_request' }}
no-cache: ${{ github.event_name != 'pull_request' }}
pull: true
sbom: ${{ github.event_name != 'pull_request' }}
diff --git a/bundle/manifests/nginx-ingress-operator-nginx-ingress-admin_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/nginx-ingress-operator-nginx-ingress-admin_rbac.authorization.k8s.io_v1_clusterrole.yaml
index bc777cfd..7ed6da18 100644
--- a/bundle/manifests/nginx-ingress-operator-nginx-ingress-admin_rbac.authorization.k8s.io_v1_clusterrole.yaml
+++ b/bundle/manifests/nginx-ingress-operator-nginx-ingress-admin_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -58,6 +58,21 @@ rules:
- watch
- update
- create
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
- apiGroups:
- ""
resources:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 3f8e8234..26538bc2 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -175,6 +175,21 @@ rules:
- watch
- update
- create
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
- apiGroups:
- ""
resources:
From e0b033431acd141fa058aa1b22739cd39ea81e6d Mon Sep 17 00:00:00 2001
From: Venktesh
Date: Tue, 17 Dec 2024 15:11:27 +0000
Subject: [PATCH 5/5] update ci
---
.github/workflows/ci.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 48f872e5..070808cc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -78,9 +78,9 @@ jobs:
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
+ nginx/nginx-ingress-operator
ghcr.io/nginxinc/nginx-ingress-operator
quay.io/nginx/nginx-ingress-operator
- nginx/nginx-ingress-operator
tags: |
type=edge
type=ref,event=pr
@@ -106,7 +106,7 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }}
load: ${{ github.event_name == 'pull_request' }}
- push: ${{ github.event_name = 'pull_request' }}
+ push: ${{ github.event_name != 'pull_request' }}
no-cache: ${{ github.event_name != 'pull_request' }}
pull: true
sbom: ${{ github.event_name != 'pull_request' }}
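Review bot: The new rules in the nginx-ingress-admin ClusterRole grant only `get` on `apps` daemonsets/deployments/replicasets/statefulsets and on core `nodes`; if the operator reads these through controller-runtime's default cached client, a `Get` starts an informer and fails with a `list`/`watch` forbidden error, whereas an uncached API-reader client works with `get` alone, so it is worth confirming which client path is used before merging. `nodes` is a cluster-scoped resource and cannot be narrowed by namespace, so a short comment above that rule stating why the operator needs node reads (e.g. `# read-only: needed for <reason>`) would document the grant. The identical hunk in `config/rbac/role.yaml` suggests the bundle file is regenerated from it; if role.yaml is itself produced from `+kubebuilder:rbac` markers, the markers are the place to edit so the two files do not drift. Both `rules:` lists continue outside the hunks.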