diff --git a/Dockerfile b/Dockerfile
index cd00b7147..da47ed67b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,8 +6,9 @@ RUN make build
 FROM registry.ci.openshift.org/ocp/4.14:base
 COPY --from=builder /build/bin/cluster-olm-operator /
-
+COPY manifests /manifests
 USER 1001
-LABEL io.k8s.display-name="OpenShift Cluster Operator Lifecycle Manager (OLM) Operator" \
+LABEL io.openshift.release.operator=true \
+ io.k8s.display-name="OpenShift Cluster Operator Lifecycle Manager (OLM) Operator" \
 io.k8s.description="This cluster-olm-operator installs and maintains the Operator Lifecycle Manager (OLM) components of the OCP cluster."
diff --git a/assets/rukpak/00-namespace--openshift-rukpak.yml b/assets/rukpak/00-namespace--openshift-rukpak.yml
new file mode 100644
index 000000000..750696f67
--- /dev/null
+++ b/assets/rukpak/00-namespace--openshift-rukpak.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/enforce-version: latest
+ name: openshift-rukpak
diff --git a/assets/rukpak/01-customresourcedefinition--bundledeployments.core.rukpak.io.yml b/assets/rukpak/01-customresourcedefinition--bundledeployments.core.rukpak.io.yml
new file mode 100644
index 000000000..e6f928160
--- /dev/null
+++ b/assets/rukpak/01-customresourcedefinition--bundledeployments.core.rukpak.io.yml
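Review bot: `COPY manifests /manifests` brings only the `manifests` directory into the runtime image, while the rest of this commit adds its rukpak YAML under `assets/rukpak`; if the operator reads those assets from disk at runtime rather than compiling them in (go:embed or similar), they will be missing from the image, which is worth confirming against the build before merging. The copy sits before `USER 1001`, so the files are root-owned and read-only to the operator's UID, which is the right arrangement for payload manifests. A one-line comment above the COPY would spare the next reader the same question, e.g. `# /manifests is picked up by the release payload (io.openshift.release.operator label); operator-applied assets are embedded in the binary` — adjusted to whichever of the two is actually the case.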
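Review bot: The namespace enforces `pod-security.kubernetes.io/enforce: baseline` with no `warn`/`audit` labels and no note on why `restricted` is not used, even though the ServiceAccounts created later in this commit (core-admin, helm-provisioner-admin, rukpak-webhooks-admin) presumably end up bound to the wildcard ClusterRoles, so any pod admitted here is high-value. If baseline is genuinely required, record the reason above the label, e.g. `# baseline rather than restricted: <what the unpack/provisioner pods need>`, and add `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` so the gap is visible without blocking admission. `enforce-version: latest` also means the enforced profile tightens with each cluster upgrade rather than being pinned, which may be intended but is worth a comment. Minor: this is the only new asset without a leading `---` document marker; the others all start with one.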
@@ -0,0 +1,269 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: bundledeployments.core.rukpak.io +spec: + group: core.rukpak.io + names: + kind: BundleDeployment + listKind: BundleDeploymentList + plural: bundledeployments + shortNames: + - bd + - bds + singular: bundledeployment + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.activeBundle + name: Active Bundle + type: string + - jsonPath: .status.conditions[?(.type=="Installed")].reason + name: Install State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.provisionerClassName + name: Provisioner + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: BundleDeployment is the Schema for the bundledeployments API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 45 + type: string + type: object + spec: + description: BundleDeploymentSpec defines the desired state of BundleDeployment + properties: + config: + description: Config is provisioner specific configurations + type: object + x-kubernetes-preserve-unknown-fields: true + provisionerClassName: + description: ProvisionerClassName sets the name of the provisioner that should reconcile this BundleDeployment. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + template: + description: Template describes the generated Bundle that this deployment will manage. + properties: + metadata: + description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: 'Specification of the desired behavior of the Bundle. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + provisionerClassName: + description: ProvisionerClassName sets the name of the provisioner that should reconcile this BundleDeployment. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + source: + description: Source defines the configuration for the underlying Bundle content. + properties: + configMaps: + description: ConfigMaps is a list of config map references and their relative directory paths that represent a bundle filesystem. 
+ items: + properties: + configMap: + description: ConfigMap is a reference to a configmap in the rukpak system namespace + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + path: + description: Path is the relative directory path within the bundle where the files from the configmap will be present when the bundle is unpacked. + type: string + required: + - configMap + type: object + type: array + git: + description: Git is the git repository that backs the content of this Bundle. + properties: + auth: + description: Auth configures the authorization method if necessary. + properties: + insecureSkipVerify: + description: InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, the clone operation will accept any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing. + type: boolean + secret: + description: Secret contains reference to the secret that has authorization information and is in the namespace that the provisioner is deployed. The secret is expected to contain `data.username` and `data.password` for the username and password, respectively for http(s) scheme. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret For the ssh authorization of the GitSource, the secret is expected to contain `data.ssh-privatekey` and `data.ssh-knownhosts` for the ssh privatekey and the host entry in the known_hosts file respectively. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#ssh-authentication-secrets + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + directory: + description: Directory refers to the location of the bundle within the git repository. Directory is optional and if not set defaults to ./manifests. + type: string + ref: + description: Ref configures the git source to clone a specific branch, tag, or commit from the specified repo. Ref is required, and exactly one field within Ref is required. Setting more than one field or zero fields will result in an error. + properties: + branch: + description: Branch refers to the branch to checkout from the repository. The Branch should contain the bundle manifests in the specified directory. + type: string + commit: + description: Commit refers to the commit to checkout from the repository. The Commit should contain the bundle manifests in the specified directory. + type: string + tag: + description: Tag refers to the tag to checkout from the repository. The Tag should contain the bundle manifests in the specified directory. + type: string + type: object + repository: + description: Repository is a URL link to the git repository containing the bundle. Repository is required and the URL should be parsable by a standard git tool. + type: string + required: + - ref + - repository + type: object + http: + description: HTTP is the remote location that backs the content of this Bundle. + properties: + auth: + description: Auth configures the authorization method if necessary. + properties: + insecureSkipVerify: + description: InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, the clone operation will accept any certificate presented by the server and any host name in that certificate. 
In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing. + type: boolean + secret: + description: Secret contains reference to the secret that has authorization information and is in the namespace that the provisioner is deployed. The secret is expected to contain `data.username` and `data.password` for the username and password, respectively for http(s) scheme. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret For the ssh authorization of the GitSource, the secret is expected to contain `data.ssh-privatekey` and `data.ssh-knownhosts` for the ssh privatekey and the host entry in the known_hosts file respectively. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#ssh-authentication-secrets + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + url: + description: URL is where the bundle contents is. + type: string + required: + - url + type: object + image: + description: Image is the bundle image that backs the content of this bundle. + properties: + pullSecret: + description: ImagePullSecretName contains the name of the image pull secret in the namespace that the provisioner is deployed. + type: string + ref: + description: Ref contains the reference to a container image containing Bundle contents. + type: string + required: + - ref + type: object + type: + description: Type defines the kind of Bundle content being sourced. + type: string + upload: + description: Upload is a source that enables this Bundle's content to be uploaded via Rukpak's bundle upload service. 
This source type is primarily useful with bundle development workflows because it enables bundle developers to inject a local bundle directly into the cluster. + type: object + required: + - type + type: object + required: + - provisionerClassName + - source + type: object + required: + - spec + type: object + required: + - provisionerClassName + - template + type: object + status: + description: BundleDeploymentStatus defines the observed state of BundleDeployment + properties: + activeBundle: + type: string + conditions: + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/assets/rukpak/02-customresourcedefinition--bundles.core.rukpak.io.yml b/assets/rukpak/02-customresourcedefinition--bundles.core.rukpak.io.yml new file mode 100644 index 000000000..49d2aae34 --- /dev/null +++ b/assets/rukpak/02-customresourcedefinition--bundles.core.rukpak.io.yml 
@@ -0,0 +1,356 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: bundles.core.rukpak.io +spec: + group: core.rukpak.io + names: + kind: Bundle + listKind: BundleList + plural: bundles + singular: bundle + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.source.type + name: Type + type: string + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.provisionerClassName + name: Provisioner + priority: 1 + type: string + - jsonPath: .status.resolvedSource + name: Resolved Source + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Bundle is the Schema for the bundles API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 52 + type: string + type: object + spec: + description: BundleSpec defines the desired state of Bundle + properties: + provisionerClassName: + description: ProvisionerClassName sets the name of the provisioner that should reconcile this BundleDeployment. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + source: + description: Source defines the configuration for the underlying Bundle content. 
+ oneOf: + - required: + - git + - required: + - image + - required: + - configMaps + - required: + - upload + - required: + - http + properties: + configMaps: + description: ConfigMaps is a list of config map references and their relative directory paths that represent a bundle filesystem. + items: + properties: + configMap: + description: ConfigMap is a reference to a configmap in the rukpak system namespace + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + path: + description: Path is the relative directory path within the bundle where the files from the configmap will be present when the bundle is unpacked. + type: string + required: + - configMap + type: object + type: array + git: + description: Git is the git repository that backs the content of this Bundle. + properties: + auth: + description: Auth configures the authorization method if necessary. + properties: + insecureSkipVerify: + description: InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, the clone operation will accept any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing. + type: boolean + secret: + description: Secret contains reference to the secret that has authorization information and is in the namespace that the provisioner is deployed. The secret is expected to contain `data.username` and `data.password` for the username and password, respectively for http(s) scheme. 
Refer to https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret For the ssh authorization of the GitSource, the secret is expected to contain `data.ssh-privatekey` and `data.ssh-knownhosts` for the ssh privatekey and the host entry in the known_hosts file respectively. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#ssh-authentication-secrets + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + directory: + description: Directory refers to the location of the bundle within the git repository. Directory is optional and if not set defaults to ./manifests. + type: string + ref: + description: Ref configures the git source to clone a specific branch, tag, or commit from the specified repo. Ref is required, and exactly one field within Ref is required. Setting more than one field or zero fields will result in an error. + oneOf: + - required: + - branch + - required: + - commit + - required: + - tag + properties: + branch: + description: Branch refers to the branch to checkout from the repository. The Branch should contain the bundle manifests in the specified directory. + type: string + commit: + description: Commit refers to the commit to checkout from the repository. The Commit should contain the bundle manifests in the specified directory. + type: string + tag: + description: Tag refers to the tag to checkout from the repository. The Tag should contain the bundle manifests in the specified directory. + type: string + type: object + repository: + description: Repository is a URL link to the git repository containing the bundle. Repository is required and the URL should be parsable by a standard git tool. 
+ type: string + required: + - ref + - repository + type: object + http: + description: HTTP is the remote location that backs the content of this Bundle. + properties: + auth: + description: Auth configures the authorization method if necessary. + properties: + insecureSkipVerify: + description: InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, the clone operation will accept any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing. + type: boolean + secret: + description: Secret contains reference to the secret that has authorization information and is in the namespace that the provisioner is deployed. The secret is expected to contain `data.username` and `data.password` for the username and password, respectively for http(s) scheme. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret For the ssh authorization of the GitSource, the secret is expected to contain `data.ssh-privatekey` and `data.ssh-knownhosts` for the ssh privatekey and the host entry in the known_hosts file respectively. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#ssh-authentication-secrets + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + url: + description: URL is where the bundle contents is. + type: string + required: + - url + type: object + image: + description: Image is the bundle image that backs the content of this bundle. 
+ properties: + pullSecret: + description: ImagePullSecretName contains the name of the image pull secret in the namespace that the provisioner is deployed. + type: string + ref: + description: Ref contains the reference to a container image containing Bundle contents. + type: string + required: + - ref + type: object + type: + description: Type defines the kind of Bundle content being sourced. + type: string + upload: + description: Upload is a source that enables this Bundle's content to be uploaded via Rukpak's bundle upload service. This source type is primarily useful with bundle development workflows because it enables bundle developers to inject a local bundle directly into the cluster. + type: object + required: + - type + type: object + required: + - provisionerClassName + - source + type: object + status: + description: BundleStatus defines the observed state of Bundle + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. 
This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + contentURL: + type: string + observedGeneration: + format: int64 + type: integer + phase: + type: string + resolvedSource: + properties: + configMaps: + description: ConfigMaps is a list of config map references and their relative directory paths that represent a bundle filesystem. 
+ items: + properties: + configMap: + description: ConfigMap is a reference to a configmap in the rukpak system namespace + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + path: + description: Path is the relative directory path within the bundle where the files from the configmap will be present when the bundle is unpacked. + type: string + required: + - configMap + type: object + type: array + git: + description: Git is the git repository that backs the content of this Bundle. + properties: + auth: + description: Auth configures the authorization method if necessary. + properties: + insecureSkipVerify: + description: InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, the clone operation will accept any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing. + type: boolean + secret: + description: Secret contains reference to the secret that has authorization information and is in the namespace that the provisioner is deployed. The secret is expected to contain `data.username` and `data.password` for the username and password, respectively for http(s) scheme. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret For the ssh authorization of the GitSource, the secret is expected to contain `data.ssh-privatekey` and `data.ssh-knownhosts` for the ssh privatekey and the host entry in the known_hosts file respectively. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#ssh-authentication-secrets + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + directory: + description: Directory refers to the location of the bundle within the git repository. Directory is optional and if not set defaults to ./manifests. + type: string + ref: + description: Ref configures the git source to clone a specific branch, tag, or commit from the specified repo. Ref is required, and exactly one field within Ref is required. Setting more than one field or zero fields will result in an error. + properties: + branch: + description: Branch refers to the branch to checkout from the repository. The Branch should contain the bundle manifests in the specified directory. + type: string + commit: + description: Commit refers to the commit to checkout from the repository. The Commit should contain the bundle manifests in the specified directory. + type: string + tag: + description: Tag refers to the tag to checkout from the repository. The Tag should contain the bundle manifests in the specified directory. + type: string + type: object + repository: + description: Repository is a URL link to the git repository containing the bundle. Repository is required and the URL should be parsable by a standard git tool. + type: string + required: + - ref + - repository + type: object + http: + description: HTTP is the remote location that backs the content of this Bundle. + properties: + auth: + description: Auth configures the authorization method if necessary. + properties: + insecureSkipVerify: + description: InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, the clone operation will accept any certificate presented by the server and any host name in that certificate. 
In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing. + type: boolean + secret: + description: Secret contains reference to the secret that has authorization information and is in the namespace that the provisioner is deployed. The secret is expected to contain `data.username` and `data.password` for the username and password, respectively for http(s) scheme. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret For the ssh authorization of the GitSource, the secret is expected to contain `data.ssh-privatekey` and `data.ssh-knownhosts` for the ssh privatekey and the host entry in the known_hosts file respectively. Refer to https://kubernetes.io/docs/concepts/configuration/secret/#ssh-authentication-secrets + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: object + url: + description: URL is where the bundle contents is. + type: string + required: + - url + type: object + image: + description: Image is the bundle image that backs the content of this bundle. + properties: + pullSecret: + description: ImagePullSecretName contains the name of the image pull secret in the namespace that the provisioner is deployed. + type: string + ref: + description: Ref contains the reference to a container image containing Bundle contents. + type: string + required: + - ref + type: object + type: + description: Type defines the kind of Bundle content being sourced. + type: string + upload: + description: Upload is a source that enables this Bundle's content to be uploaded via Rukpak's bundle upload service. 
This source type is primarily useful with bundle development workflows because it enables bundle developers to inject a local bundle directly into the cluster. + type: object + required: + - type + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/assets/rukpak/03-serviceaccount-openshift-rukpak-core-admin.yml b/assets/rukpak/03-serviceaccount-openshift-rukpak-core-admin.yml new file mode 100644 index 000000000..5ecde8473 --- /dev/null +++ b/assets/rukpak/03-serviceaccount-openshift-rukpak-core-admin.yml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: core-admin + namespace: openshift-rukpak diff --git a/assets/rukpak/04-serviceaccount-openshift-rukpak-helm-provisioner-admin.yml b/assets/rukpak/04-serviceaccount-openshift-rukpak-helm-provisioner-admin.yml new file mode 100644 index 000000000..a1dc4e266 --- /dev/null +++ b/assets/rukpak/04-serviceaccount-openshift-rukpak-helm-provisioner-admin.yml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: helm-provisioner-admin + namespace: openshift-rukpak diff --git a/assets/rukpak/05-serviceaccount-openshift-rukpak-rukpak-webhooks-admin.yml b/assets/rukpak/05-serviceaccount-openshift-rukpak-rukpak-webhooks-admin.yml new file mode 100644 index 000000000..7b4972f21 --- /dev/null +++ b/assets/rukpak/05-serviceaccount-openshift-rukpak-rukpak-webhooks-admin.yml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rukpak-webhooks-admin + namespace: openshift-rukpak diff --git a/assets/rukpak/06-clusterrole--bundle-reader.yml b/assets/rukpak/06-clusterrole--bundle-reader.yml new file mode 100644 index 000000000..b2f7d3d3b --- /dev/null +++ b/assets/rukpak/06-clusterrole--bundle-reader.yml @@ -0,0 +1,10 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: bundle-reader +rules: + - nonResourceURLs: + - /bundles/* + verbs: + - get 
diff --git a/assets/rukpak/07-clusterrole--bundle-uploader.yml b/assets/rukpak/07-clusterrole--bundle-uploader.yml
new file mode 100644
index 000000000..669d89a6f
--- /dev/null
+++ b/assets/rukpak/07-clusterrole--bundle-uploader.yml
@@ -0,0 +1,10 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: bundle-uploader
+rules:
+ - nonResourceURLs:
+ - /bundles/*
+ verbs:
+ - put
diff --git a/assets/rukpak/08-clusterrole--core-admin.yml b/assets/rukpak/08-clusterrole--core-admin.yml
new file mode 100644
index 000000000..7b8bc7ace
--- /dev/null
+++ b/assets/rukpak/08-clusterrole--core-admin.yml
@@ -0,0 +1,93 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: core-admin
+rules:
+ - nonResourceURLs:
+ - /bundles/*
+ - /uploads/*
+ verbs:
+ - get
+ - apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundledeployments
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundledeployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundledeployments/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundles
+ verbs:
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundles/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundles/status
+ verbs:
+ - patch
+ - update
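Review bot: The second rule in 08-clusterrole--core-admin.yml grants `apiGroups: ['*']`, `resources: ['*']`, `verbs: ['*']`, which makes the core-admin ServiceAccount equivalent to cluster-admin and leaves every rule after it (tokenreviews, subjectaccessreviews, configmaps, pods, bundledeployments, bundles) with no effect. The same wildcard rule and the same redundant tail appear in 09-clusterrole--helm-provisioner-admin.yml. If the provisioners must be able to apply arbitrary bundle content, record that where the rule sits, e.g. `# Provisioners apply arbitrary bundle manifests and need unrestricted access; the rules below list what the controller itself uses.`; otherwise drop the wildcard rule and keep the explicit ones. Either way, the operator identity that creates these ClusterRoles and bindings will need to hold the same permissions (or the bind/escalate verbs) for the API server to accept them.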
diff --git a/assets/rukpak/09-clusterrole--helm-provisioner-admin.yml b/assets/rukpak/09-clusterrole--helm-provisioner-admin.yml
new file mode 100644
index 000000000..02cd43401
--- /dev/null
+++ b/assets/rukpak/09-clusterrole--helm-provisioner-admin.yml
@@ -0,0 +1,93 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: helm-provisioner-admin
+rules:
+ - nonResourceURLs:
+ - /bundles/*
+ - /uploads/*
+ verbs:
+ - get
+ - apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundledeployments
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundledeployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundledeployments/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundles
+ verbs:
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundles/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundles/status
+ verbs:
+ - patch
+ - update
diff --git a/assets/rukpak/10-clusterrole--rukpak-webhooks-admin.yml b/assets/rukpak/10-clusterrole--rukpak-webhooks-admin.yml
new file mode 100644
index 000000000..85846705c
--- /dev/null
+++ b/assets/rukpak/10-clusterrole--rukpak-webhooks-admin.yml
@@ -0,0 +1,20 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: rukpak-webhooks-admin
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundles
+ verbs:
+ - list
+ - watch
diff --git a/assets/rukpak/11-clusterrolebinding--core-admin.yml b/assets/rukpak/11-clusterrolebinding--core-admin.yml
new file mode 100644
index 000000000..29b261477
--- /dev/null
+++ b/assets/rukpak/11-clusterrolebinding--core-admin.yml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: core-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: core-admin
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: core-admin
+ namespace: openshift-rukpak
diff --git a/assets/rukpak/12-clusterrolebinding--helm-provisioner-admin.yml b/assets/rukpak/12-clusterrolebinding--helm-provisioner-admin.yml
new file mode 100644
index 000000000..9430b9ce8
--- /dev/null
+++ b/assets/rukpak/12-clusterrolebinding--helm-provisioner-admin.yml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: helm-provisioner-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: helm-provisioner-admin
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: helm-provisioner-admin
+ namespace: openshift-rukpak
diff --git a/assets/rukpak/13-clusterrolebinding--rukpak-webhooks-admin.yml b/assets/rukpak/13-clusterrolebinding--rukpak-webhooks-admin.yml
new file mode 100644
index 000000000..2e9134b7f
--- /dev/null
+++ b/assets/rukpak/13-clusterrolebinding--rukpak-webhooks-admin.yml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rukpak-webhooks-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rukpak-webhooks-admin
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: rukpak-webhooks-admin
+ namespace: openshift-rukpak
diff --git a/assets/rukpak/14-service-openshift-rukpak-core.yml b/assets/rukpak/14-service-openshift-rukpak-core.yml
new file mode 100644
index 000000000..5c48c560d
--- /dev/null
+++ b/assets/rukpak/14-service-openshift-rukpak-core.yml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: core-cert
+ name: core
+ namespace: openshift-rukpak
+spec:
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: core
diff --git a/assets/rukpak/15-service-openshift-rukpak-helm-provisioner.yml b/assets/rukpak/15-service-openshift-rukpak-helm-provisioner.yml
new file mode 100644
index 000000000..b4641ee4a
--- /dev/null
+++ b/assets/rukpak/15-service-openshift-rukpak-helm-provisioner.yml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: helm-provisioner-cert
+ name: helm-provisioner
+ namespace: openshift-rukpak
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: helm-provisioner
diff --git a/assets/rukpak/16-service-openshift-rukpak-rukpak-webhook-service.yml b/assets/rukpak/16-service-openshift-rukpak-rukpak-webhook-service.yml
new file mode 100644
index 000000000..1c831c8dd
--- /dev/null
+++ b/assets/rukpak/16-service-openshift-rukpak-rukpak-webhook-service.yml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: rukpak-webhook-certificate
+ name: rukpak-webhook-service
+ namespace: openshift-rukpak
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ app: webhooks
diff --git a/assets/rukpak/17-deployment-openshift-rukpak-core.yml b/assets/rukpak/17-deployment-openshift-rukpak-core.yml
new file mode 100644
index 000000000..bbde8d1e0
--- /dev/null
+++ b/assets/rukpak/17-deployment-openshift-rukpak-core.yml
@@ -0,0 +1,105 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: core
+ name: core
+ namespace: openshift-rukpak
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: core
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ app: core
+ spec:
+ containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=1
+ - --client-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ - --tls-cert-file=/etc/pki/tls/tls.crt
+ - --tls-private-key-file=/etc/pki/tls/tls.key
+ - --upstream-ca-file=/etc/configmaps/ca-bundle/service-ca.crt
+ image: ${KUBE_RBAC_PROXY_IMAGE}
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 1m
+ memory: 15Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - mountPath: /etc/pki/tls
+ name: certs
+ - mountPath: /etc/configmaps/ca-bundle
+ name: ca-bundle
+ readOnly: false
+ - args:
+ - --unpack-image=${RUKPAK_IMAGE}
+ - --base-upload-manager-url=https://core.openshift-rukpak.svc
+ - --provisioner-storage-dir=/var/cache/bundles
+ - --upload-storage-dir=/var/cache/uploads
+ - --http-bind-address=127.0.0.1:8080
+ - --http-external-address=https://core.openshift-rukpak.svc
+ - --bundle-ca-file=/etc/configmaps/ca-bundle/service-ca.crt
+ command:
+ - /core
+ image: ${RUKPAK_IMAGE}
+ imagePullPolicy: IfNotPresent
+ name: manager
+ ports:
+ - containerPort: 8080
+ resources:
+ requests:
+ cpu: 10m
+ memory: 160Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - mountPath: /var/cache/bundles
+ name: bundle-cache
+ - mountPath: /var/cache/uploads
+ name: upload-cache
+ - mountPath: /etc/pki/tls
+ name: certs
+ - mountPath: /etc/configmaps/ca-bundle
+ name: ca-bundle
+ readOnly: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: core-admin
+ volumes:
+ - emptyDir: {}
+ name: bundle-cache
+ - emptyDir: {}
+ name: upload-cache
+ - name: certs
+ secret:
+ optional: false
+ secretName: core-cert
+ - configMap:
+ items:
+ - key: service-ca.crt
+ path: service-ca.crt
+ name: openshift-service-ca.crt
+ name: ca-bundle
diff --git a/assets/rukpak/18-deployment-openshift-rukpak-helm-provisioner.yml b/assets/rukpak/18-deployment-openshift-rukpak-helm-provisioner.yml
new file mode 100644
index 000000000..a01785e10
--- /dev/null
+++ b/assets/rukpak/18-deployment-openshift-rukpak-helm-provisioner.yml
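Review bot: In 17-deployment-openshift-rukpak-core.yml both containers mount the `ca-bundle` ConfigMap with an explicit `readOnly: false` and the `certs` Secret with no `readOnly` at all, while 19-deployment-openshift-rukpak-rukpak-webhooks.yml mounts its serving cert `readOnly: true`. The args only read from those paths (`--tls-cert-file`, `--tls-private-key-file`, `--upstream-ca-file`, `--bundle-ca-file`), so nothing needs write access to the key material or the CA; set `readOnly: true` on all four cert and CA mounts here and on the matching mounts in 18-deployment-openshift-rukpak-helm-provisioner.yml. If `readOnly: false` is deliberate, a comment on the mount saying why would save the next reader the question.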
@@ -0,0 +1,100 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: helm-provisioner
+ name: helm-provisioner
+ namespace: openshift-rukpak
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helm-provisioner
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ app: helm-provisioner
+ spec:
+ containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=1
+ - --client-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ - --tls-cert-file=/etc/pki/tls/tls.crt
+ - --tls-private-key-file=/etc/pki/tls/tls.key
+ - --upstream-ca-file=/etc/configmaps/ca-bundle/service-ca.crt
+ image: ${KUBE_RBAC_PROXY_IMAGE}
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 1m
+ memory: 15Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - mountPath: /etc/pki/tls
+ name: certs
+ - mountPath: /etc/configmaps/ca-bundle
+ name: ca-bundle
+ readOnly: false
+ - args:
+ - --unpack-image=${RUKPAK_IMAGE}
+ - --base-upload-manager-url=https://core.openshift-rukpak.svc
+ - --storage-dir=/var/cache/bundles
+ - --http-bind-address=127.0.0.1:8080
+ - --http-external-address=https://helm-provisioner.openshift-rukpak.svc
+ - --bundle-ca-file=/etc/configmaps/ca-bundle/service-ca.crt
+ command:
+ - /helm
+ image: ${RUKPAK_IMAGE}
+ imagePullPolicy: IfNotPresent
+ name: manager
+ ports:
+ - containerPort: 8080
+ resources:
+ requests:
+ cpu: 10m
+ memory: 160Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - mountPath: /var/cache/bundles
+ name: bundle-cache
+ - mountPath: /etc/pki/tls
+ name: certs
+ - mountPath: /etc/configmaps/ca-bundle
+ name: ca-bundle
+ readOnly: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: helm-provisioner-admin
+ volumes:
+ - emptyDir: {}
+ name: bundle-cache
+ - name: certs
+ secret:
+ optional: false
+ secretName: helm-provisioner-cert
+ - configMap:
+ items:
+ - key: service-ca.crt
+ path: service-ca.crt
+ name: openshift-service-ca.crt
+ name: ca-bundle
diff --git a/assets/rukpak/19-deployment-openshift-rukpak-rukpak-webhooks.yml b/assets/rukpak/19-deployment-openshift-rukpak-rukpak-webhooks.yml
new file mode 100644
index 000000000..537cfd1b9
--- /dev/null
+++ b/assets/rukpak/19-deployment-openshift-rukpak-rukpak-webhooks.yml
@@ -0,0 +1,53 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: webhooks
+ name: rukpak-webhooks
+ namespace: openshift-rukpak
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: webhooks
+ template:
+ metadata:
+ labels:
+ app: webhooks
+ spec:
+ containers:
+ - command:
+ - /webhooks
+ image: ${RUKPAK_IMAGE}
+ imagePullPolicy: IfNotPresent
+ name: webhooks
+ ports:
+ - containerPort: 8080
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 1m
+ memory: 15Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ args: []
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: rukpak-webhooks-admin
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: rukpak-webhook-certificate
diff --git a/assets/rukpak/20-validatingwebhookconfiguration--rukpak-validating-webhook-configuration.yml b/assets/rukpak/20-validatingwebhookconfiguration--rukpak-validating-webhook-configuration.yml
new file mode 100644
index 000000000..a1666c79f
--- /dev/null
+++ b/assets/rukpak/20-validatingwebhookconfiguration--rukpak-validating-webhook-configuration.yml
@@ -0,0 +1,51 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ service.beta.openshift.io/inject-cabundle: "true"
+ name: rukpak-validating-webhook-configuration
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: rukpak-webhook-service
+ namespace: openshift-rukpak
+ path: /validate-core-v1-configmap
+ failurePolicy: Fail
+ name: vconfigmaps.core.rukpak.io
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: rukpak-system
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - DELETE
+ resources:
+ - configmaps
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: rukpak-webhook-service
+ namespace: openshift-rukpak
+ path: /validate-core-rukpak-io-v1alpha1-bundle
+ failurePolicy: Fail
+ name: vbundles.core.rukpak.io
+ rules:
+ - apiGroups:
+ - core.rukpak.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - bundles
+ sideEffects: None
diff --git a/cmd/cluster-olm-operator/main.go b/cmd/cluster-olm-operator/main.go
index 9967f45a2..87654f455 100644
--- a/cmd/cluster-olm-operator/main.go
+++ b/cmd/cluster-olm-operator/main.go
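Review bot: The `vconfigmaps.core.rukpak.io` webhook selects `kubernetes.io/metadata.name: rukpak-system`, but every other manifest in this set places rukpak in `openshift-rukpak` (the ServiceAccounts, Services and Deployments all use that namespace), so the ConfigMap validation never fires where the components actually live. This looks like the upstream default namespace surviving the rename; change the selector to `kubernetes.io/metadata.name: openshift-rukpak`. Note that with `failurePolicy: Fail`, once the selector matches, ConfigMap CREATE and DELETE in that namespace are rejected whenever the webhook is unreachable, and the rukpak-webhooks Deployment runs a single replica, so confirm that trade-off is intended.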
@@ -94,6 +94,36 @@ func runOperator(ctx context.Context, cc *controllercmd.ControllerContext) error
 }
 operatorControllerDeployment := "operator-controller/11-deployment-openshift-operator-controller-operator-controller-controller-manager.yml"
+ rukpakStaticFiles := []string{
+ "rukpak/00-namespace--openshift-rukpak.yml",
+ "rukpak/01-customresourcedefinition--bundledeployments.core.rukpak.io.yml",
+ "rukpak/02-customresourcedefinition--bundles.core.rukpak.io.yml",
+ "rukpak/03-serviceaccount-openshift-rukpak-core-admin.yml",
+ "rukpak/04-serviceaccount-openshift-rukpak-helm-provisioner-admin.yml",
+ "rukpak/05-serviceaccount-openshift-rukpak-rukpak-webhooks-admin.yml",
+ "rukpak/06-clusterrole--bundle-reader.yml",
+ "rukpak/07-clusterrole--bundle-uploader.yml",
+ "rukpak/08-clusterrole--core-admin.yml",
+ "rukpak/09-clusterrole--helm-provisioner-admin.yml",
+ "rukpak/10-clusterrole--rukpak-webhooks-admin.yml",
+ "rukpak/11-clusterrolebinding--core-admin.yml",
+ "rukpak/12-clusterrolebinding--helm-provisioner-admin.yml",
+ "rukpak/13-clusterrolebinding--rukpak-webhooks-admin.yml",
+ "rukpak/14-service-openshift-rukpak-core.yml",
+ "rukpak/15-service-openshift-rukpak-helm-provisioner.yml",
+ "rukpak/16-service-openshift-rukpak-rukpak-webhook-service.yml",
+ "rukpak/20-validatingwebhookconfiguration--rukpak-validating-webhook-configuration.yml",
+ }
+ rukpakDeploymentFiles := map[string]string{
+ "Core": "rukpak/17-deployment-openshift-rukpak-core.yml",
+ "HelmProvisioner": "rukpak/18-deployment-openshift-rukpak-helm-provisioner.yml",
+ "Webhooks": "rukpak/19-deployment-openshift-rukpak-rukpak-webhooks.yml",
+ }
+ rukpakDeploymentFileNames := make([]string, 0, len(rukpakDeploymentFiles))
+ for _, file := range rukpakDeploymentFiles {
+ rukpakDeploymentFileNames = append(rukpakDeploymentFileNames, file)
+ }
+
 catalogdRelatedObjects, err := assets.RelatedObjects(cl.RESTMapper, append(catalogdStaticFiles, catalogdDeployment))
 if err != nil {
 return err
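Review bot: `rukpakDeploymentFileNames` is filled by ranging over the `rukpakDeploymentFiles` map, so its order differs from one process start to the next; those paths then feed `assets.RelatedObjects` and the combined `relatedObjects` slice, and if that list is ever written to a status or compared against a previous value the ordering will churn. Sorting after the loop, `sort.Strings(rukpakDeploymentFileNames)` (adding the `sort` import if the file lacks it), or listing the three deployment files in a fixed-order slice next to `rukpakStaticFiles`, makes the result deterministic. runOperator continues outside the hunk, so I cannot see whether the order is consumed anywhere.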
@@ -104,7 +134,12 @@ func runOperator(ctx context.Context, cc *controllercmd.ControllerContext) error
 return err
 }
- relatedObjects := append(catalogdRelatedObjects, operatorControllerRelatedObjects...)
+ rukpakRelatedObjects, err := assets.RelatedObjects(cl.RESTMapper, append(rukpakStaticFiles, rukpakDeploymentFileNames...))
+ if err != nil {
+ return err
+ }
+
+ relatedObjects := append(append(catalogdRelatedObjects, operatorControllerRelatedObjects...), rukpakRelatedObjects...)
 namespaces := sets.New[string]()
 for _, obj := range relatedObjects {
@@ -167,6 +202,67 @@ func runOperator(ctx context.Context, cc *controllercmd.ControllerContext) error
 },
 )
+ rukpakStaticResourceController := staticresourcecontroller.NewStaticResourceController(
+ "RukpakStaticResources",
+ assets.ReadFile,
+ rukpakStaticFiles,
+ cl.ClientHolder(),
+ cl.OperatorClient,
+ cc.EventRecorder.ForComponent("RukpakStaticResources"),
+ ).AddKubeInformers(cl.KubeInformersForNamespaces)
+
+ rukpakCoreDeploymentManifest, err := assets.ReadFile(rukpakDeploymentFiles["Core"])
+ if err != nil {
+ return err
+ }
+ rukpakHelmProvisionerDeploymentManifest, err := assets.ReadFile(rukpakDeploymentFiles["HelmProvisioner"])
+ if err != nil {
+ return err
+ }
+ rukpakWebhooksDeploymentManifest, err := assets.ReadFile(rukpakDeploymentFiles["Webhooks"])
+ if err != nil {
+ return err
+ }
+
+ rukpakCoreDeploymentController := deploymentcontroller.NewDeploymentController(
+ "RukpakCoreControllerDeployment",
+ rukpakCoreDeploymentManifest,
+ cc.EventRecorder.ForComponent("RukpakCoreControllerDeployment"),
+ cl.OperatorClient,
+ cl.KubeClient,
+ cl.KubeInformerFactory.Apps().V1().Deployments(),
+ nil,
+ []deploymentcontroller.ManifestHookFunc{
+ replaceImageHook("${RUKPAK_IMAGE}", "RUKPAK_IMAGE"),
+ replaceImageHook("${KUBE_RBAC_PROXY_IMAGE}", "KUBE_RBAC_PROXY_IMAGE"),
+ },
+ )
+ rukpakHelmProvisionerDeploymentController := deploymentcontroller.NewDeploymentController(
+ "RukpakHelmProvisionerControllerDeployment",
+ rukpakHelmProvisionerDeploymentManifest,
+ cc.EventRecorder.ForComponent("RukpakHelmProvisionerControllerDeployment"),
+ cl.OperatorClient,
+ cl.KubeClient,
+ cl.KubeInformerFactory.Apps().V1().Deployments(),
+ nil,
+ []deploymentcontroller.ManifestHookFunc{
+ replaceImageHook("${RUKPAK_IMAGE}", "RUKPAK_IMAGE"),
+ replaceImageHook("${KUBE_RBAC_PROXY_IMAGE}", "KUBE_RBAC_PROXY_IMAGE"),
+ },
+ )
+ rukpakWebhooksDeploymentController := deploymentcontroller.NewDeploymentController(
+ "RukpakWebhooksControllerDeployment",
+ rukpakWebhooksDeploymentManifest,
+ cc.EventRecorder.ForComponent("RukpakWebhooksControllerDeployment"),
+ cl.OperatorClient,
+ cl.KubeClient,
+ cl.KubeInformerFactory.Apps().V1().Deployments(),
+ nil,
+ []deploymentcontroller.ManifestHookFunc{
+ replaceImageHook("${RUKPAK_IMAGE}", "RUKPAK_IMAGE"),
+ },
+ )
+
 versionGetter := status.NewVersionGetter()
 versionGetter.SetVersion("operator", status.VersionForOperatorFromEnv())
@@ -187,6 +283,10 @@ func runOperator(ctx context.Context, cc *controllercmd.ControllerContext) error
 catalogdDeploymentController,
 operatorControllerStaticResourceController,
 operatorControllerDeploymentController,
+ rukpakStaticResourceController,
+ rukpakCoreDeploymentController,
+ rukpakHelmProvisionerDeploymentController,
+ rukpakWebhooksDeploymentController,
 clusterOperatorController,
 } {
 go func(c factory.Controller) {
diff --git a/manifests/0000_51_olm_02_operator_clusterrole.yaml b/manifests/0000_51_olm_02_operator_clusterrole.yaml
index 3f71a37b0..db347f9e6 100644
--- a/manifests/0000_51_olm_02_operator_clusterrole.yaml
+++ b/manifests/0000_51_olm_02_operator_clusterrole.yaml
@@ -167,3 +167,20 @@ rules:
 - operator-controller-metrics-reader
 - operator-controller-proxy-role
 - operator-controller-leader-election-role
+ - bundle-reader
+ - bundle-uploader
+ - core-admin
+ - helm-provisioner-admin
+ - rukpak-webhooks-admin
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - update
+ - patch
+ - get
+ - list
+ - watch
+ - delete
diff --git a/manifests/0000_51_olm_06_deployment.yaml b/manifests/0000_51_olm_06_deployment.yaml
index 6a4eb4434..698ad6275 100644
--- a/manifests/0000_51_olm_06_deployment.yaml
+++ b/manifests/0000_51_olm_06_deployment.yaml
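Review bot: The three `deploymentcontroller.NewDeploymentController` calls differ only in controller name, manifest and hook list, and each repeats the controller name a second time as the recorder component; a small closure removes the duplicated eight-argument tail and keeps the two names from drifting apart. The enclosing runOperator starts and ends outside the hunk. The sketch below assumes `assets.ReadFile` yields `[]byte` and `NewDeploymentController` returns `factory.Controller`, both inferred from how the values are used in this hunk and the next; adjust the closure signature if the real types differ.

```go
	// newRukpakDeploymentController wires one rukpak Deployment manifest into a
	// DeploymentController; the recorder component is named after the controller.
	newRukpakDeploymentController := func(name string, manifest []byte, hooks ...deploymentcontroller.ManifestHookFunc) factory.Controller {
		return deploymentcontroller.NewDeploymentController(
			name,
			manifest,
			cc.EventRecorder.ForComponent(name),
			cl.OperatorClient,
			cl.KubeClient,
			cl.KubeInformerFactory.Apps().V1().Deployments(),
			nil,
			hooks,
		)
	}
	rukpakCoreDeploymentController := newRukpakDeploymentController(
		"RukpakCoreControllerDeployment",
		rukpakCoreDeploymentManifest,
		replaceImageHook("${RUKPAK_IMAGE}", "RUKPAK_IMAGE"),
		replaceImageHook("${KUBE_RBAC_PROXY_IMAGE}", "KUBE_RBAC_PROXY_IMAGE"),
	)
	// … unchanged: rukpakHelmProvisionerDeploymentController and rukpakWebhooksDeploymentController built the same way …
```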
@@ -45,6 +45,8 @@ spec:
 value: quay.io/openshift/origin-olm-catalogd:latest
 - name: OPERATOR_CONTROLLER_IMAGE
 value: quay.io/openshift/origin-olm-operator-controller:latest
+ - name: RUKPAK_IMAGE
+ value: quay.io/openshift/origin-olm-rukpak:latest
 resources:
 requests:
 cpu: 10m
diff --git a/manifests/image-references b/manifests/image-references
new file mode 100644
index 000000000..6c82c2bde
--- /dev/null
+++ b/manifests/image-references
@@ -0,0 +1,24 @@
+kind: ImageStream
+apiVersion: image.openshift.io/v1
+spec:
+ tags:
+ - name: cluster-olm-operator
+ from:
+ kind: DockerImage
+ name: quay.io/openshift/origin-cluster-olm-operator:latest
+ - name: olm-catalogd
+ from:
+ kind: DockerImage
+ name: quay.io/openshift/origin-olm-catalogd:latest
+ - name: olm-operator-controller
+ from:
+ kind: DockerImage
+ name: quay.io/openshift/origin-olm-operator-controller:latest
+ - name: olm-rukpak
+ from:
+ kind: DockerImage
+ name: quay.io/openshift/origin-olm-rukpak:latest
+ - name: kube-rbac-proxy
+ from:
+ kind: DockerImage
+ name: quay.io/openshift/origin-kube-rbac-proxy:latest
diff --git a/manifests/image-references.pending b/manifests/image-references.pending
deleted file mode 100644
index 19e103ef2..000000000
--- a/manifests/image-references.pending
+++ /dev/null
@@ -1,17 +0,0 @@
-kind: ImageStream
-apiVersion: image.openshift.io/v1
-spec:
- # Uncomment these after we have builds of all the images in OSBS
-# tags:
-# - name: cluster-olm-operator
-# from:
-# kind: DockerImage
-# name: quay.io/openshift/origin-cluster-olm-operator:latest
-# - name: olm-catalogd
-# from:
-# kind: DockerImage
-# name: quay.io/openshift/origin-olm-catalogd:latest
-# - name: olm-operator-controller
-# from:
-# kind: DockerImage
-# name: quay.io/openshift/origin-olm-operator-controller:latest