From 492c4da6ddb780d55b6832d657398e84605da544 Mon Sep 17 00:00:00 2001
From: Eoin Gallinagh
Date: Tue, 12 Sep 2023 10:20:13 +0100
Subject: [PATCH 1/2] fix: add necessary configurations for permissions

---
 Makefile | 8 ++-
 config/configmap/instascale_configmap.yaml | 7 +++
 config/configmap/kustomization.yaml | 2 +
 config/manager/kustomization.yaml | 2 +-
 config/rbac/instascale_configmap.yaml | 7 +++
 config/rbac/role.yaml | 66 +++++++++++++++++-----
 controllers/appwrapper_controller.go | 4 ++
 main.go | 3 +
 8 files changed, 81 insertions(+), 18 deletions(-)
 create mode 100644 config/configmap/instascale_configmap.yaml
 create mode 100644 config/configmap/kustomization.yaml
 create mode 100644 config/rbac/instascale_configmap.yaml

diff --git a/Makefile b/Makefile
index 7fb75cc..69815a7 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
 #
 # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both
 # my.domain/instascale-1-bundle:$VERSION and my.domain/instascale-1-catalog:$VERSION.
-IMAGE_TAG_BASE ?= quay.io/project-codeflare/instascale
+IMAGE_TAG_BASE ?= quay.io/project-codeflare/instascale-controller
 
 ENGINE ?= "podman"
 
@@ -16,7 +16,7 @@ ifeq ($(USE_IMAGE_DIGESTS), true)
 endif
 
 # Image URL to use all building/pushing image targets
-IMG ?= controller:latest
+IMG ?= latest
 
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.23
@@ -114,19 +114,23 @@ endif
 .PHONY: install
 install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
+	$(KUSTOMIZE) build config/configmap | kubectl apply -f -
 
 .PHONY: uninstall
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+	$(KUSTOMIZE) build config/configmap | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
+	$(KUSTOMIZE) build config/configmap | kubectl apply -f -
 
 .PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+	$(KUSTOMIZE) build config/configmap | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
 ## Location to install dependencies to
 LOCALBIN ?= $(shell pwd)/bin
diff --git a/config/configmap/instascale_configmap.yaml b/config/configmap/instascale_configmap.yaml
new file mode 100644
index 0000000..79c15b0
--- /dev/null
+++ b/config/configmap/instascale_configmap.yaml
@@ -0,0 +1,7 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: instascale-config
+  namespace: kube-system
+data:
+  maxScaleoutAllowed: "15"
diff --git a/config/configmap/kustomization.yaml b/config/configmap/kustomization.yaml
new file mode 100644
index 0000000..0179d07
--- /dev/null
+++ b/config/configmap/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- instascale_configmap.yaml
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 5e793dd..5234782 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -12,5 +12,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: controller
+  newName: quay.io/project-codeflare/instascale-controller
   newTag: latest
diff --git a/config/rbac/instascale_configmap.yaml b/config/rbac/instascale_configmap.yaml
new file mode 100644
index 0000000..79c15b0
--- /dev/null
+++ b/config/rbac/instascale_configmap.yaml
@@ -0,0 +1,7 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: instascale-config
+  namespace: kube-system
+data:
+  maxScaleoutAllowed: "15"
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index cf0cf2c..c1df165 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -5,6 +5,37 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - instascale-config
+  resources:
+  - configmaps
+  - nodes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - instascale-ocm-secret
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:
@@ -23,6 +54,26 @@ rules:
   - machineset/status
   verbs:
   - get
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - clusterversions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - machine.openshift.io
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - workload.codeflare.dev
   resources:
@@ -49,18 +100,3 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - ""
-  resourceNames:
-  - instascale-ocm-secret
-  resources:
-  - secrets
-  verbs:
-  - get
-- apiGroups:
-  - config.openshift.io
-  resources:
-  - clusterversions
-  verbs:
-  - get
-  - update
\ No newline at end of file
diff --git a/controllers/appwrapper_controller.go b/controllers/appwrapper_controller.go
index 0f5010e..a7b9ce1 100644
--- a/controllers/appwrapper_controller.go
+++ b/controllers/appwrapper_controller.go
@@ -84,6 +84,10 @@ const (
 // +kubebuilder:rbac:groups=apps,resources=machineset,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=machineset/status,verbs=get
 
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=list;watch;get
+// +kubebuilder:rbac:groups=machine.openshift.io,resources=*,verbs=list;watch;get;create;update;delete;patch
+// +kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions,verbs=get;list;watch
+
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 // TODO(user): Modify the Reconcile function to compare the state specified by
diff --git a/main.go b/main.go
index a333353..cc76261 100644
--- a/main.go
+++ b/main.go
@@ -49,6 +49,9 @@ var (
 	setupLog = ctrl.Log.WithName("setup")
 )
 
+// +kubebuilder:rbac:groups="",resources=secrets,resourceNames=instascale-ocm-secret,verbs=get
+// +kubebuilder:rbac:groups="",resources=nodes;configmaps,resourceNames=instascale-config,verbs=list;watch;get;create;update;delete;patch
+
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(configv1.Install(scheme))
From 367639a8547a183d8333ea8b22cc07ace1e7c986 Mon Sep 17 00:00:00 2001
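Review bot: The new marker `// +kubebuilder:rbac:groups=machine.openshift.io,resources=*,verbs=list;watch;get;create;update;delete;patch` grants every current and future resource in the machine API group with all write verbs, which is considerably more than least privilege needs for a scale-out controller; since config/rbac/role.yaml is generated from these markers by `make manifests`, the place to narrow it is here. Enumerate the kinds the reconciler actually touches — presumably `machinesets` and `machines`, to be confirmed against the controller code — e.g. `// +kubebuilder:rbac:groups=machine.openshift.io,resources=machinesets;machines,verbs=get;list;watch;create;update;patch;delete`. The two pre-existing `groups=apps,resources=machineset` markers above appear to name the wrong API group (MachineSet is served by machine.openshift.io, not apps), so once a correct rule exists they are likely dead weight; verify against the clients used before removing them.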
From: Eoin Gallinagh
Date: Tue, 12 Sep 2023 16:55:48 +0100
Subject: [PATCH 2/2] add: address comments on pr

---
 Makefile | 6 +-----
 config/configmap/instascale_configmap.yaml | 7 -------
 config/configmap/kustomization.yaml | 2 --
 config/default/kustomization.yaml | 4 ++--
 config/rbac/auth_proxy_role_binding.yaml | 2 +-
 config/rbac/instascale_configmap.yaml | 4 ++--
 config/rbac/kustomization.yaml | 1 +
 config/rbac/leader_election_role_binding.yaml | 2 +-
 config/rbac/role.yaml | 10 +++++-----
 config/rbac/role_binding.yaml | 2 +-
 config/rbac/service_account.yaml | 2 +-
 main.go | 7 ++++---
 12 files changed, 19 insertions(+), 30 deletions(-)
 delete mode 100644 config/configmap/instascale_configmap.yaml
 delete mode 100644 config/configmap/kustomization.yaml

diff --git a/Makefile b/Makefile
index 69815a7..c3b7f20 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,7 @@ ifeq ($(USE_IMAGE_DIGESTS), true)
 endif
 
 # Image URL to use all building/pushing image targets
-IMG ?= latest
+IMG ?= $(IMAGE_TAG_BASE):latest
 
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.23
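Review bot: `IMG ?= $(IMAGE_TAG_BASE):latest` makes `make deploy` roll out a mutable tag by default, so the controller actually running in a cluster can change between two identical deploys and cannot be pinned, audited or verified against a digest. The Makefile already carries a `USE_IMAGE_DIGESTS` knob (visible in the hunk context), so a versioned default such as `IMG ?= $(IMAGE_TAG_BASE):$(VERSION)` — assuming the scaffold's `VERSION` variable is defined above this hunk — keeps `latest` for local iteration only. The same mutable `newTag: latest` is committed into config/manager/kustomization.yaml by the first patch and would want the same treatment.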
@@ -114,23 +114,19 @@ endif
 .PHONY: install
 install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
-	$(KUSTOMIZE) build config/configmap | kubectl apply -f -
 
 .PHONY: uninstall
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
-	$(KUSTOMIZE) build config/configmap | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
-	$(KUSTOMIZE) build config/configmap | kubectl apply -f -
 
 .PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
-	$(KUSTOMIZE) build config/configmap | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
 ## Location to install dependencies to
 LOCALBIN ?= $(shell pwd)/bin
diff --git a/config/configmap/instascale_configmap.yaml b/config/configmap/instascale_configmap.yaml
deleted file mode 100644
index 79c15b0..0000000
--- a/config/configmap/instascale_configmap.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: instascale-config
-  namespace: kube-system
-data:
-  maxScaleoutAllowed: "15"
diff --git a/config/configmap/kustomization.yaml b/config/configmap/kustomization.yaml
deleted file mode 100644
index 0179d07..0000000
--- a/config/configmap/kustomization.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-resources:
-- instascale_configmap.yaml
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index d35a1cb..601f988 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -1,12 +1,12 @@
 # Adds namespace to all resources.
-namespace: instascale-1-system
+namespace: instascale-system
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: instascale-1-
+namePrefix: instascale-
 
 # Labels to add to all resources and selectors.
 #commonLabels:
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
index ec7acc0..7c7f54f 100644
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ b/config/rbac/auth_proxy_role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: controller-manager
-  namespace: system
+  namespace: instascale-system
diff --git a/config/rbac/instascale_configmap.yaml b/config/rbac/instascale_configmap.yaml
index 79c15b0..7c9e0dd 100644
--- a/config/rbac/instascale_configmap.yaml
+++ b/config/rbac/instascale_configmap.yaml
@@ -1,7 +1,7 @@
 kind: ConfigMap
 apiVersion: v1
 metadata:
-  name: instascale-config
-  namespace: kube-system
+  name: config
+  namespace: instascale-system
 data:
   maxScaleoutAllowed: "15"
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 731832a..606dbd7 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- instascale_configmap.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
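Review bot: The `namespace: instascale-system` literal now written into the ConfigMap (and into the ServiceAccount subjects of the bindings in this patch) duplicates the `namespace:` that config/default/kustomization.yaml already applies; kustomize's namespace transformer should overwrite it on every namespaced object, so the hard-coded value adds nothing today and becomes a misleading stale string the moment someone overrides the namespace in an overlay. Dropping the `namespace` field from the ConfigMap and keeping the scaffold's placeholder in the bindings leaves one source of truth. Separately, a ConfigMap is not an RBAC object, so listing it under config/rbac/ is surprising for the next reader — config/manager/ is where the kubebuilder layout keeps controller runtime configuration, and moving it there is a one-line change to each kustomization.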
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
index 1d1321e..7929f7a 100644
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: controller-manager
-  namespace: system
+  namespace: instascale-system
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index c1df165..8285e89 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -7,19 +7,19 @@ metadata:
 rules:
 - apiGroups:
   - ""
-  resourceNames:
-  - instascale-config
   resources:
   - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
   - nodes
   verbs:
-  - create
-  - delete
   - get
   - list
   - patch
   - update
-  - watch
 - apiGroups:
   - ""
   resourceNames:
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 2070ede..7742345 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: controller-manager
-  namespace: system
+  namespace: instascale-system
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
index 7cd6025..cfb6b23 100644
--- a/config/rbac/service_account.yaml
+++ b/config/rbac/service_account.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: controller-manager
-  namespace: system
+  namespace: instascale-system
diff --git a/main.go b/main.go
index cc76261..103eb30 100644
--- a/main.go
+++ b/main.go
@@ -50,7 +50,8 @@ var (
 )
 
 // +kubebuilder:rbac:groups="",resources=secrets,resourceNames=instascale-ocm-secret,verbs=get
-// +kubebuilder:rbac:groups="",resources=nodes;configmaps,resourceNames=instascale-config,verbs=list;watch;get;create;update;delete;patch
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get
+// +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;patch;update
 
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
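Review bot: The split nodes rule keeps `patch` and `update` on Node objects, which — assuming manager-role is a ClusterRole as in the kubebuilder default (the `kind:` line is outside this hunk) — is cluster-wide write access to every node's labels, taints and spec, a privilege that cannot be narrowed with resourceNames and that an attacker holding this ServiceAccount token could use to steer or evict workloads. If the controller only reads node state to size a scale-out (this diff does not show the client calls), reduce the rule to `verbs: [get, list, watch]`; if it really mutates nodes, that deserves a comment in the marker that generates this rule and a line in the install docs. Since role.yaml is generated by `make manifests`, the edit belongs in the corresponding marker in main.go rather than here.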
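Review bot: The rewritten marker `// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get` lost the `resourceNames=` scoping the previous line carried, and `get` is one of the verbs resourceNames legitimately restricts, so the generated rule now lets the controller read any ConfigMap in any namespace rather than just its own. Keep it scoped, matching the Secret marker directly above: `// +kubebuilder:rbac:groups="",resources=configmaps,resourceNames=instascale-config,verbs=get`. The object is declared as `name: config` in config/rbac/instascale_configmap.yaml and only becomes `instascale-config` through the `namePrefix` in config/default, which is worth a one-line comment beside the marker so the two stay in sync when either is renamed.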
@@ -68,8 +69,8 @@ func main() {
 	var ocmSecretNamespace string
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	flag.StringVar(&configsNamespace, "configs-namespace", "kube-system", "The namespace containing the Instacale configmap")
-	flag.StringVar(&ocmSecretNamespace, "ocm-secret-namespace", "default", "The namespace containing the OCM secret")
+	flag.StringVar(&configsNamespace, "configs-namespace", "instascale-system", "The namespace containing the Instacale configmap")
+	flag.StringVar(&ocmSecretNamespace, "ocm-secret-namespace", "instascale-system", "The namespace containing the OCM secret")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+
 		"Enabling this will ensure there is only one active controller manager.")
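Review bot: Defaulting `configs-namespace` and `ocm-secret-namespace` to the literal `instascale-system` ties the binary to one kustomize overlay: an operator who overrides `namespace:` in config/default gets a controller that silently looks for its ConfigMap and OCM secret in a namespace it was not deployed to, and because the secret rule is name-scoped but not namespace-scoped it will read `instascale-ocm-secret` from whichever namespace the flag names. A more robust default is the pod's own namespace, taken from a downward-API `POD_NAMESPACE` env var or `/var/run/secrets/kubernetes.io/serviceaccount/namespace`, with `instascale-system` only as the final fallback; that is a few lines of helper code rather than a one-line change. The help text still reads `Instacale` in the configs-namespace flag. main() continues past the end of this hunk.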