diff --git a/go.mod b/go.mod
index 0544204698..9579309307 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/openshift/api v0.0.0-20220110171111-997c316db5e1
 github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3
 github.com/openshift/client-go v0.0.0-20211209144617-7385dd6338e3
- github.com/openshift/library-go v0.0.0-20211220195323-eca2c467c492
+ github.com/openshift/library-go v0.0.0-20220111125907-7f25b9c7ad22
 github.com/pkg/profile v1.5.0 // indirect
 github.com/prometheus-operator/prometheus-operator/pkg/client v0.45.0
 github.com/prometheus/client_golang v1.11.0
diff --git a/go.sum b/go.sum
index 9a1c02c102..f5f2ca069c 100644
--- a/go.sum
+++ b/go.sum
@@ -535,8 +535,8 @@ github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3 h1:65
 github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20211209144617-7385dd6338e3 h1:SG1aqwleU6bGD0X4mhkTNupjVnByMYYuW4XbnCPavQU=
 github.com/openshift/client-go v0.0.0-20211209144617-7385dd6338e3/go.mod h1:cwhyki5lqBmrT0m8Im+9I7PGFaraOzcYPtEz93RcsGY=
-github.com/openshift/library-go v0.0.0-20211220195323-eca2c467c492 h1:oj/rSQqVWVj6YJUydZwLz2frrJreiyI4oa9g/YPgMsM=
-github.com/openshift/library-go v0.0.0-20211220195323-eca2c467c492/go.mod h1:4UQ9snU1vg53fyTpHQw3vLPiAxI8ub5xrc+y8KPQQFs=
+github.com/openshift/library-go v0.0.0-20220111125907-7f25b9c7ad22 h1:yi4NoYekLpqHqatGMwashmyxui0mI3AcoWMPozuCZfA=
+github.com/openshift/library-go v0.0.0-20220111125907-7f25b9c7ad22/go.mod h1:4UQ9snU1vg53fyTpHQw3vLPiAxI8ub5xrc+y8KPQQFs=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
index 1084308ff7..8fc26945f2 100644
--- a/pkg/operator/starter.go
+++ b/pkg/operator/starter.go
@@ -39,6 +39,7 @@ import (
 "github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 "github.com/openshift/library-go/pkg/operator/staleconditions"
 "github.com/openshift/library-go/pkg/operator/staticpod"
+ "github.com/openshift/library-go/pkg/operator/staticpod/controller/guard"
 "github.com/openshift/library-go/pkg/operator/staticpod/controller/installer"
 "github.com/openshift/library-go/pkg/operator/staticpod/controller/revision"
 "github.com/openshift/library-go/pkg/operator/staticresourcecontroller"
@@ -223,7 +224,18 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 WithUnrevisionedCerts("kube-apiserver-certs", CertConfigMaps, CertSecrets).
 WithVersioning("kube-apiserver", versionRecorder).
 WithMinReadyDuration(30*time.Second).
- WithStartupMonitor(startupmonitorreadiness.IsStartupMonitorEnabledFunction(configInformers.Config().V1().Infrastructures().Lister(), operatorClient), labels.Set{"apiserver": "true"}.AsSelector()).
+ WithStartupMonitor(startupmonitorreadiness.IsStartupMonitorEnabledFunction(configInformers.Config().V1().Infrastructures().Lister(), operatorClient)).
+ WithPodDisruptionBudgetGuard(
+ "openshift-kube-apiserver-operator",
+ "cluster-kube-apiserver-operator",
+ "6443",
+ func() (bool, error) {
+ isSNO, err := guard.IsSNOCheckFnc(configInformers.Config().V1().Infrastructures().Lister())()
+ // create only when not a single node topology
+ return !isSNO, err
+ },
+ ).
+ WithOperandPodLabelSelector(labels.Set{"apiserver": "true"}.AsSelector()).
 ToControllers()
 if err != nil {
 return err
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/guard/guard_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/guard/guard_controller.go
index ca47c78d81..4ab81ee5eb 100644
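Review bot: The guard conditional closure in the `WithPodDisruptionBudgetGuard` call returns `!isSNO, err` even when the infrastructure lookup fails, so a failed check yields `true` together with a non-nil error; unless the vendored guard controller is guaranteed to inspect the error before the bool (its consumer is outside this hunk), a transient lister error on a single-node cluster could be read as "create the PDB guard". Return the bool only on success: `if err != nil { return false, err }` followed by `return !isSNO, nil`. `guard.IsSNOCheckFnc(...)` is also rebuilt on every invocation of the closure; constructing it once before the builder chain, `isSNOFn := guard.IsSNOCheckFnc(configInformers.Config().V1().Infrastructures().Lister())`, and calling `isSNOFn()` inside the closure is simpler. The `apiserver=true` selector handed to `WithOperandPodLabelSelector` now drives both the fallback controller and the guard controller's pod listing (see the vendored controllers.go and guard_controller.go hunks, where ToControllers calls `.Empty()` on it and records an error when it is unset), so if it does not match the labels on the static kube-apiserver pods the guard controller will find no operand pods to guard; the operator namespace, name and readyz port literals would also be easier to audit as named constants if the package already defines them.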
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/guard/guard_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controller/guard/guard_controller.go
@@ -37,6 +37,7 @@ type GuardController struct {
 targetNamespace, podResourcePrefix string
 operatorName string
 readyzPort string
+ operandPodLabelSelector labels.Selector
 nodeLister corelisterv1.NodeLister
 podLister corelisterv1.PodLister
@@ -50,7 +51,9 @@ type GuardController struct {
 }
 func NewGuardController(
- targetNamespace, podResourcePrefix string,
+ targetNamespace string,
+ operandPodLabelSelector labels.Selector,
+ podResourcePrefix string,
 operatorName string,
 readyzPort string,
 kubeInformersForTargetNamespace informers.SharedInformerFactory,
@@ -62,17 +65,18 @@ func NewGuardController(
 createConditionalFunc func() (bool, error),
 ) factory.Controller {
 c := &GuardController{
- targetNamespace: targetNamespace,
- podResourcePrefix: podResourcePrefix,
- operatorName: operatorName,
- readyzPort: readyzPort,
- nodeLister: kubeInformersClusterScoped.Core().V1().Nodes().Lister(),
- podLister: kubeInformersForTargetNamespace.Core().V1().Pods().Lister(),
- podGetter: podGetter,
- pdbGetter: pdbGetter,
- pdbLister: kubeInformersForTargetNamespace.Policy().V1().PodDisruptionBudgets().Lister(),
- installerPodImageFn: getInstallerPodImageFromEnv,
- createConditionalFunc: createConditionalFunc,
+ targetNamespace: targetNamespace,
+ operandPodLabelSelector: operandPodLabelSelector,
+ podResourcePrefix: podResourcePrefix,
+ operatorName: operatorName,
+ readyzPort: readyzPort,
+ nodeLister: kubeInformersClusterScoped.Core().V1().Nodes().Lister(),
+ podLister: kubeInformersForTargetNamespace.Core().V1().Pods().Lister(),
+ podGetter: podGetter,
+ pdbGetter: pdbGetter,
+ pdbLister: kubeInformersForTargetNamespace.Policy().V1().PodDisruptionBudgets().Lister(),
+ installerPodImageFn: getInstallerPodImageFromEnv,
+ createConditionalFunc: createConditionalFunc,
 }
 return factory.New().WithInformers(
@@ -162,7 +166,7 @@ func (c *GuardController) sync(ctx context.Context, syncCtx factory.SyncContext)
 return err
 }
- pods, err := c.podLister.Pods(c.targetNamespace).List(labels.SelectorFromSet(labels.Set{"app": c.podResourcePrefix}))
+ pods, err := c.podLister.Pods(c.targetNamespace).List(c.operandPodLabelSelector)
 if err != nil {
 return err
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controllers.go b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controllers.go
index 00025e3758..930ea816d9 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controllers.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/controllers.go
@@ -88,11 +88,12 @@ func NewBuilder(
 type Builder interface {
 WithEvents(eventRecorder events.Recorder) Builder
 WithVersioning(operandName string, versionRecorder status.VersionGetter) Builder
+ WithOperandPodLabelSelector(labelSelector labels.Selector) Builder
 WithRevisionedResources(operandNamespace, staticPodName string, revisionConfigMaps, revisionSecrets []revisioncontroller.RevisionResource) Builder
 WithUnrevisionedCerts(certDir string, certConfigMaps, certSecrets []installer.UnrevisionedResource) Builder
 WithInstaller(command []string) Builder
 WithMinReadyDuration(minReadyDuration time.Duration) Builder
- WithStartupMonitor(enabledStartupMonitor func() (bool, error), operandPodLabelSelector labels.Selector) Builder
+ WithStartupMonitor(enabledStartupMonitor func() (bool, error)) Builder
 // WithCustomInstaller allows mutating the installer pod definition just before
 // the installer pod is created for a revision.
@@ -113,6 +114,11 @@ func (b *staticPodOperatorControllerBuilder) WithVersioning(operandName string,
 return b
 }
+func (b *staticPodOperatorControllerBuilder) WithOperandPodLabelSelector(labelSelector labels.Selector) Builder {
+ b.operandPodLabelSelector = labelSelector
+ return b
+}
+
 func (b *staticPodOperatorControllerBuilder) WithRevisionedResources(operandNamespace, staticPodName string, revisionConfigMaps, revisionSecrets []revisioncontroller.RevisionResource) Builder {
 b.operandNamespace = operandNamespace
 b.staticPodName = staticPodName
@@ -141,9 +147,8 @@ func (b *staticPodOperatorControllerBuilder) WithMinReadyDuration(minReadyDurati
 return b
 }
-func (b *staticPodOperatorControllerBuilder) WithStartupMonitor(enabledStartupMonitor func() (bool, error), operandPodLabelSelector labels.Selector) Builder {
+func (b *staticPodOperatorControllerBuilder) WithStartupMonitor(enabledStartupMonitor func() (bool, error)) Builder {
 b.enableStartMonitor = enabledStartupMonitor
- b.operandPodLabelSelector = operandPodLabelSelector
 return b
 }
@@ -285,14 +290,18 @@ func (b *staticPodOperatorControllerBuilder) ToControllers() (manager.Controller
 eventRecorder,
 ), 1)
- manager.WithController(staticpodfallback.New(
- b.operandNamespace,
- b.operandPodLabelSelector,
- b.staticPodOperatorClient,
- b.kubeInformers,
- b.enableStartMonitor,
- b.eventRecorder,
- ), 1)
+ if b.operandPodLabelSelector.Empty() {
+ errs = append(errs, fmt.Errorf("missing OperandPodLabelSelector when running StaticPodFallbackConditionController; cannot proceed"))
+ } else {
+ manager.WithController(staticpodfallback.New(
+ b.operandNamespace,
+ b.operandPodLabelSelector,
+ b.staticPodOperatorClient,
+ b.kubeInformers,
+ b.enableStartMonitor,
+ b.eventRecorder,
+ ), 1)
+ }
 manager.WithController(node.NewNodeController(
 b.staticPodOperatorClient,
@@ -317,19 +326,24 @@ func (b *staticPodOperatorControllerBuilder) ToControllers() (manager.Controller
 manager.WithController(loglevel.NewClusterOperatorLoggingController(b.staticPodOperatorClient, eventRecorder), 1)
 if len(b.operatorNamespace) > 0 && len(b.operatorName) > 0 && len(b.readyzPort) > 0 {
- manager.WithController(guard.NewGuardController(
- b.operandNamespace,
- b.staticPodName,
- b.operatorName,
- b.readyzPort,
- operandInformers,
- clusterInformers,
- b.staticPodOperatorClient,
- podClient,
- pdbClient,
- eventRecorder,
- b.guardCreateConditionalFunc,
- ), 1)
+ if b.operandPodLabelSelector.Empty() {
+ errs = append(errs, fmt.Errorf("missing OperandPodLabelSelector when running GuardController; cannot proceed"))
+ } else {
+ manager.WithController(guard.NewGuardController(
+ b.operandNamespace,
+ b.operandPodLabelSelector,
+ b.staticPodName,
+ b.operatorName,
+ b.readyzPort,
+ operandInformers,
+ clusterInformers,
+ b.staticPodOperatorClient,
+ podClient,
+ pdbClient,
+ eventRecorder,
+ b.guardCreateConditionalFunc,
+ ), 1)
+ }
 }
 return manager, errors.NewAggregate(errs)
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go b/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go
index 46d5c13b0c..de48550f6f 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go
@@ -383,3 +383,42 @@ func InjectObservedProxyIntoContainers(podSpec *corev1.PodSpec, containerNames [
 return nil
 }
+
+func InjectTrustedCAIntoContainers(podSpec *corev1.PodSpec, configMapName string, containerNames []string) error {
+ podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
+ Name: "non-standard-root-system-trust-ca-bundle",
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: configMapName,
+ },
+ Items: []corev1.KeyToPath{
+ {Key: "ca-bundle.crt", Path: "tls-ca-bundle.pem"},
+ },
+ },
+ },
+ })
+
+ for _, containerName := range containerNames {
+ for i := range podSpec.InitContainers {
+ if podSpec.InitContainers[i].Name == containerName {
+ podSpec.InitContainers[i].VolumeMounts = append(podSpec.InitContainers[i].VolumeMounts, corev1.VolumeMount{
+ Name: "non-standard-root-system-trust-ca-bundle",
+ MountPath: "/etc/pki/ca-trust/extracted/pem",
+ ReadOnly: true,
+ })
+ }
+ }
+ for i := range podSpec.Containers {
+ if podSpec.Containers[i].Name == containerName {
+ podSpec.Containers[i].VolumeMounts = append(podSpec.Containers[i].VolumeMounts, corev1.VolumeMount{
+ Name: "non-standard-root-system-trust-ca-bundle",
+ MountPath: "/etc/pki/ca-trust/extracted/pem",
+ ReadOnly: true,
+ })
+ }
+ }
+ }
+
+ return nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 359bdafc6e..8cc3659014 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -268,7 +268,7 @@ github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/i
 github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/operatorcontrolplane
 github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/operatorcontrolplane/v1alpha1
 github.com/openshift/client-go/operatorcontrolplane/listers/operatorcontrolplane/v1alpha1
-# github.com/openshift/library-go v0.0.0-20211220195323-eca2c467c492
+# github.com/openshift/library-go v0.0.0-20220111125907-7f25b9c7ad22
 ## explicit; go 1.17
 github.com/openshift/library-go/pkg/assets
 github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer