From 86ae6eda503c4be6fd2904ca486ebb2fcc8345c6 Mon Sep 17 00:00:00 2001 
From: Seth Jennings Date: Thu, 23 Apr 2020 13:28:00 -0500 Subject: [PATCH] manifests: reorganize to match infra operator convention --- ...yaml => 00-clusterreader_clusterrole.yaml} | 0 manifests/{00_v1_crd.yaml => 00-crd.yaml} | 0 .../{00_namespace.yaml => 00-namespace.yaml} | 1 - ...credential-operator_01_prometheusrole.yaml | 16 + ...ial-operator_02_prometheusrolebinding.yaml | 13 + ...credential-operator_03_servicemonitor.yaml | 65 ++++ manifests/01-cluster-role-binding.yaml | 13 + manifests/01-cluster-role.yaml | 88 +++++ ...figmap.yaml => 01-operator_configmap.yaml} | 0 manifests/01-service.yaml | 15 + manifests/01-trusted-ca-configmap.yaml | 7 + manifests/02-sa.yaml | 5 + manifests/03-deployment.yaml | 78 +++++ ...operator.yaml => 04-cluster-operator.yaml} | 1 - ...yaml => 05-iam-ro-credentialsrequest.yaml} | 3 - manifests/05_deployment.yaml | 319 ------------------ 16 files changed, 300 insertions(+), 324 deletions(-) rename manifests/{00_clusterreader_clusterrole.yaml => 00-clusterreader_clusterrole.yaml} (100%) rename manifests/{00_v1_crd.yaml => 00-crd.yaml} (100%) rename manifests/{00_namespace.yaml => 00-namespace.yaml} (84%) create mode 100644 manifests/0000_90_cloud-credential-operator_01_prometheusrole.yaml create mode 100644 manifests/0000_90_cloud-credential-operator_02_prometheusrolebinding.yaml create mode 100644 manifests/0000_90_cloud-credential-operator_03_servicemonitor.yaml create mode 100644 manifests/01-cluster-role-binding.yaml create mode 100644 manifests/01-cluster-role.yaml rename manifests/{01_operator_configmap.yaml => 01-operator_configmap.yaml} (100%) create mode 100644 manifests/01-service.yaml create mode 100644 manifests/01-trusted-ca-configmap.yaml create mode 100644 manifests/02-sa.yaml create mode 100644 manifests/03-deployment.yaml rename manifests/{10_cluster-operator.yaml => 04-cluster-operator.yaml} (99%) rename manifests/{07_cred-iam-ro.yaml => 05-iam-ro-credentialsrequest.yaml} (92%) delete mode 100644 
manifests/05_deployment.yaml diff --git a/manifests/00_clusterreader_clusterrole.yaml b/manifests/00-clusterreader_clusterrole.yaml similarity index 100% rename from manifests/00_clusterreader_clusterrole.yaml rename to manifests/00-clusterreader_clusterrole.yaml diff --git a/manifests/00_v1_crd.yaml b/manifests/00-crd.yaml similarity index 100% rename from manifests/00_v1_crd.yaml rename to manifests/00-crd.yaml diff --git a/manifests/00_namespace.yaml b/manifests/00-namespace.yaml similarity index 84% rename from manifests/00_namespace.yaml rename to manifests/00-namespace.yaml index ec8488dc51..cb6bccfb2a 100644 --- a/manifests/00_namespace.yaml +++ b/manifests/00-namespace.yaml @@ -4,6 +4,5 @@ metadata: annotations: openshift.io/node-selector: "" labels: - controller-tools.k8s.io: "1.0" openshift.io/cluster-monitoring: "true" name: openshift-cloud-credential-operator diff --git a/manifests/0000_90_cloud-credential-operator_01_prometheusrole.yaml b/manifests/0000_90_cloud-credential-operator_01_prometheusrole.yaml new file mode 100644 index 0000000000..665eb31bd9 --- /dev/null +++ b/manifests/0000_90_cloud-credential-operator_01_prometheusrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: prometheus-k8s + namespace: openshift-cloud-credential-operator +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch diff --git a/manifests/0000_90_cloud-credential-operator_02_prometheusrolebinding.yaml b/manifests/0000_90_cloud-credential-operator_02_prometheusrolebinding.yaml new file mode 100644 index 0000000000..456dbc77a4 --- /dev/null +++ b/manifests/0000_90_cloud-credential-operator_02_prometheusrolebinding.yaml 
@@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: prometheus-k8s + namespace: openshift-cloud-credential-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prometheus-k8s +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring diff --git a/manifests/0000_90_cloud-credential-operator_03_servicemonitor.yaml b/manifests/0000_90_cloud-credential-operator_03_servicemonitor.yaml new file mode 100644 index 0000000000..64c101964f --- /dev/null +++ b/manifests/0000_90_cloud-credential-operator_03_servicemonitor.yaml 
@@ -0,0 +1,65 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: cloud-credential-operator + namespace: openshift-cloud-credential-operator +spec: + endpoints: + - interval: 30s + port: cco-metrics + scheme: http + namespaceSelector: + matchNames: + - openshift-cloud-credential-operator + selector: {} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + annotations: + exclude.release.openshift.io/internal-openshift-hosted: "true" + name: cloud-credential-operator-alerts + namespace: openshift-cloud-credential-operator +spec: + groups: + - name: CloudCredentialOperator + rules: + - alert: CloudCredentialOperatorTargetNamespaceMissing + annotations: + message: CredentialsRequest(s) pointing to non-existant namespace + expr: cco_credentials_requests_conditions{condition="MissingTargetNamespace"} + > 0 + for: 5m + labels: + severity: warning + - alert: CloudCredentialOperatorProvisioningFailed + annotations: + message: CredentialsRequest(s) unable to be fulfilled + expr: cco_credentials_requests_conditions{condition="CredentialsProvisionFailure"} + > 0 + for: 5m + labels: + severity: warning + - alert: CloudCredentialOperatorDeprovisioningFailed + annotations: + message: CredentialsRequest(s) unable to be cleaned up + expr: cco_credentials_requests_conditions{condition="CredentialsDeprovisionFailure"} + > 0 + for: 5m + labels: + severity: warning + - alert: CloudCredentialOperatorInsufficientCloudCreds + annotations: + message: Cluster's cloud credentials insufficient for minting or passthrough + expr: cco_credentials_requests_conditions{condition="InsufficientCloudCreds"} + > 0 + for: 5m + labels: + severity: warning + - alert: CloudCredentialOperatorDown + annotations: + message: cloud-credential-operator pod not running + expr: absent(up{job="cco-metrics"} == 1) + for: 5m + labels: + severity: critical 
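Review bot: The ServiceMonitor scrapes `cco-metrics` with `scheme: http` and no `tlsConfig` or `bearerTokenFile`, so the metrics listener behind the Service on port 2112 is reached in plaintext and, unless the operator authenticates scrapes itself (not visible here), is readable by anything that can reach the ClusterIP. Many OpenShift operator ServiceMonitors use `scheme: https` with a `tlsConfig` pointing at the service-ca bundle plus a `bearerTokenFile`; if that is the intent for this operator, this manifest is where it would go. Separately, `selector: {}` matches every Service in the namespace rather than the one defined in 01-service.yaml; a `selector: matchLabels: app: cloud-credential-operator` would be tighter but requires the Service itself to carry that label, which it currently does not. The alert annotation also reads `non-existant`; `non-existent` is the spelling.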
diff --git a/manifests/01-cluster-role-binding.yaml b/manifests/01-cluster-role-binding.yaml new file mode 100644 index 0000000000..1ffc78bc2c --- /dev/null +++ b/manifests/01-cluster-role-binding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + name: cloud-credential-operator-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cloud-credential-operator-role +subjects: +- kind: ServiceAccount + name: cloud-credential-operator + namespace: openshift-cloud-credential-operator diff --git a/manifests/01-cluster-role.yaml b/manifests/01-cluster-role.yaml new file mode 100644 index 0000000000..dc54437270 --- /dev/null +++ b/manifests/01-cluster-role.yaml @@ -0,0 +1,88 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: cloud-credential-operator-role +rules: +- apiGroups: + - cloudcredential.openshift.io + resources: + - credentialsrequests + - credentialsrequests/status + - credentialsrequests/finalizers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - secrets + - configmaps + - events + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - clusterversions + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - infrastructures + - dnses + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - clusteroperators + - clusteroperators/status + verbs: + - create + - get + - update + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - update 
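Review bot: The last two rules of `cloud-credential-operator-role` are byte-identical to each other and both are subsumed by the second rule, which already grants `get/list/watch/create/update/patch/delete` on `secrets` cluster-wide, so they are dead configuration that only obscures the real grant; drop both trailing `secrets` rules. Cluster-wide read and write on every Secret is presumably inherent to the operator writing minted credentials into each CredentialsRequest's target namespace, but it makes the `cloud-credential-operator` ServiceAccount token a high-value target and deserves a comment at that rule, e.g. `# cluster-wide: credentials are written into the target namespace of each CredentialsRequest`. The same duplication existed in the deleted 05_deployment.yaml, so it is carried over rather than introduced, but the reorganization is the natural point to clean it up.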
diff --git a/manifests/01_operator_configmap.yaml b/manifests/01-operator_configmap.yaml similarity index 100% rename from manifests/01_operator_configmap.yaml rename to manifests/01-operator_configmap.yaml diff --git a/manifests/01-service.yaml b/manifests/01-service.yaml new file mode 100644 index 0000000000..4fa856c41f --- /dev/null +++ b/manifests/01-service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: cco-metrics + namespace: openshift-cloud-credential-operator +spec: + ports: + - name: cco-metrics + port: 2112 + protocol: TCP + targetPort: 2112 + selector: + app: cloud-credential-operator + sessionAffinity: None + type: ClusterIP diff --git a/manifests/01-trusted-ca-configmap.yaml b/manifests/01-trusted-ca-configmap.yaml new file mode 100644 index 0000000000..dba52f24d6 --- /dev/null +++ b/manifests/01-trusted-ca-configmap.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + config.openshift.io/inject-trusted-cabundle: "true" + name: cco-trusted-ca + namespace: openshift-cloud-credential-operator diff --git a/manifests/02-sa.yaml b/manifests/02-sa.yaml new file mode 100644 index 0000000000..0cbf16d018 --- /dev/null +++ b/manifests/02-sa.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cloud-credential-operator + namespace: openshift-cloud-credential-operator diff --git a/manifests/03-deployment.yaml b/manifests/03-deployment.yaml new file mode 100644 index 0000000000..5ac482a013 --- /dev/null +++ b/manifests/03-deployment.yaml 
@@ -0,0 +1,78 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + config.openshift.io/inject-proxy: cloud-credential-operator + exclude.release.openshift.io/internal-openshift-hosted: "true" + name: cloud-credential-operator + namespace: openshift-cloud-credential-operator +spec: + replicas: 1 + revisionHistoryLimit: 4 + selector: + matchLabels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + template: + metadata: + labels: + app: cloud-credential-operator + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + spec: + containers: + - args: + - | + if [ -s /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then + echo "Copying system trust bundle" + cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + fi + exec /usr/bin/cloud-credential-operator operator --log-level=debug + command: + - /bin/bash + - -ec + env: + - name: RELEASE_VERSION + value: 0.0.1-snapshot + - name: AWS_POD_IDENTITY_WEBHOOK_IMAGE + value: quay.io/openshift/aws-pod-identity-webhook:latest + image: quay.io/openshift/origin-cloud-credential-operator:latest + imagePullPolicy: IfNotPresent + name: cloud-credential-operator + ports: + - containerPort: 9876 + name: webhook-server + protocol: TCP + resources: + requests: + cpu: 10m + memory: 150Mi + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/configmaps/trusted-ca-bundle + name: cco-trusted-ca + nodeSelector: + node-role.kubernetes.io/master: "" + priorityClassName: system-cluster-critical + serviceAccountName: cloud-credential-operator + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 120 + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 120 + volumes: + - 
configMap: + items: + - key: ca-bundle.crt + path: tls-ca-bundle.pem + name: cco-trusted-ca + optional: true + name: cco-trusted-ca diff --git a/manifests/10_cluster-operator.yaml b/manifests/04-cluster-operator.yaml similarity index 99% rename from manifests/10_cluster-operator.yaml rename to manifests/04-cluster-operator.yaml index b911d34785..c3b4923b50 100644 --- a/manifests/10_cluster-operator.yaml +++ b/manifests/04-cluster-operator.yaml @@ -8,4 +8,3 @@ status: versions: - name: operator version: "0.0.1-snapshot" - diff --git a/manifests/07_cred-iam-ro.yaml b/manifests/05-iam-ro-credentialsrequest.yaml similarity index 92% rename from manifests/07_cred-iam-ro.yaml rename to manifests/05-iam-ro-credentialsrequest.yaml index 86c3ee437e..7f4c85dbe4 100644 --- a/manifests/07_cred-iam-ro.yaml +++ b/manifests/05-iam-ro-credentialsrequest.yaml @@ -1,8 +1,6 @@ apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: - labels: - controller-tools.k8s.io: "1.0" name: cloud-credential-operator-iam-ro namespace: openshift-cloud-credential-operator annotations: @@ -21,4 +19,3 @@ spec: - iam:GetUserPolicy - iam:ListAccessKeys resource: "*" ---- diff --git a/manifests/05_deployment.yaml b/manifests/05_deployment.yaml deleted file mode 100644 index e3d350ed9e..0000000000 --- a/manifests/05_deployment.yaml +++ /dev/null 
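Review bot: The container command ends in `exec /usr/bin/cloud-credential-operator operator --log-level=debug`, so the shipped manifest runs a credential-handling operator at debug verbosity; if the debug path logs cloud API payloads or Secret contents, those land in node journals and any log aggregation, and `--log-level=info` (with debug as an opt-in override) is the safer default. The pod spec also sets no `securityContext` (no `runAsNonRoot`, no dropped capabilities, no `readOnlyRootFilesystem`); note that the startup script's `cp -f` into `/etc/pki/ca-trust/extracted/pem/` needs a writable path, so a read-only root filesystem would require mounting an emptyDir there. Both images are `quay.io/openshift/...:latest` with `imagePullPolicy: IfNotPresent`; that is fine if the release payload rewrites these references at build time, but otherwise a mutable tag on a credential operator should be pinned by digest.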
@@ -1,319 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: prometheus-k8s - namespace: openshift-cloud-credential-operator -rules: -- apiGroups: - - "" - resources: - - services - - endpoints - - pods - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: cloud-credential-operator-role -rules: -- apiGroups: - - cloudcredential.openshift.io - resources: - - credentialsrequests - - credentialsrequests/status - - credentialsrequests/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - secrets - - configmaps - - events - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - config.openshift.io - resources: - - clusterversions - verbs: - - get - - list - - watch -- apiGroups: - - config.openshift.io - resources: - - infrastructures - - dnses - verbs: - - get - - list - - watch -- apiGroups: - - config.openshift.io - resources: - - clusteroperators - - clusteroperators/status - verbs: - - create - - get - - update - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: prometheus-k8s - namespace: openshift-cloud-credential-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: prometheus-k8s -subjects: -- kind: ServiceAccount - name: prometheus-k8s - namespace: openshift-monitoring ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - name: cloud-credential-operator-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: 
ClusterRole - name: cloud-credential-operator-role -subjects: -- kind: ServiceAccount - name: default - namespace: openshift-cloud-credential-operator ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - config.openshift.io/inject-trusted-cabundle: "true" - name: cco-trusted-ca - namespace: openshift-cloud-credential-operator ---- -apiVersion: v1 -kind: Service -metadata: - name: cco-metrics - namespace: openshift-cloud-credential-operator -spec: - ports: - - name: cco-metrics - port: 2112 - protocol: TCP - targetPort: 2112 - selector: - app: cloud-credential-operator - sessionAffinity: None - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" - name: controller-manager-service - namespace: openshift-cloud-credential-operator -spec: - ports: - - port: 443 - selector: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - config.openshift.io/inject-proxy: cloud-credential-operator - exclude.release.openshift.io/internal-openshift-hosted: "true" - labels: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" - name: cloud-credential-operator - namespace: openshift-cloud-credential-operator -spec: - replicas: 1 - revisionHistoryLimit: 4 - selector: - matchLabels: - control-plane: controller-manager - controller-tools.k8s.io: "1.0" - template: - metadata: - labels: - app: cloud-credential-operator - control-plane: controller-manager - controller-tools.k8s.io: "1.0" - spec: - containers: - - args: - - | - if [ -s /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then - echo "Copying system trust bundle" - cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem - fi - exec /usr/bin/cloud-credential-operator operator --log-level=debug - command: - - /bin/bash - - -ec - env: - - name: RELEASE_VERSION - value: 
0.0.1-snapshot - - name: AWS_POD_IDENTITY_WEBHOOK_IMAGE - value: quay.io/openshift/aws-pod-identity-webhook:latest - image: quay.io/openshift/origin-cloud-credential-operator:latest - imagePullPolicy: IfNotPresent - name: cloud-credential-operator - ports: - - containerPort: 9876 - name: webhook-server - protocol: TCP - resources: - requests: - cpu: 10m - memory: 150Mi - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/configmaps/trusted-ca-bundle - name: cco-trusted-ca - nodeSelector: - node-role.kubernetes.io/master: "" - priorityClassName: system-cluster-critical - terminationGracePeriodSeconds: 10 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists - - effect: NoExecute - key: node.kubernetes.io/unreachable - operator: Exists - tolerationSeconds: 120 - - effect: NoExecute - key: node.kubernetes.io/not-ready - operator: Exists - tolerationSeconds: 120 - volumes: - - configMap: - items: - - key: ca-bundle.crt - path: tls-ca-bundle.pem - name: cco-trusted-ca - optional: true - name: cco-trusted-ca ---- -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - annotations: - exclude.release.openshift.io/internal-openshift-hosted: "true" - name: cloud-credential-operator-alerts - namespace: openshift-cloud-credential-operator -spec: - groups: - - name: CloudCredentialOperator - rules: - - alert: CloudCredentialOperatorTargetNamespaceMissing - annotations: - message: CredentialsRequest(s) pointing to non-existant namespace - expr: cco_credentials_requests_conditions{condition="MissingTargetNamespace"} - > 0 - for: 5m - labels: - severity: warning - - alert: CloudCredentialOperatorProvisioningFailed - annotations: - message: CredentialsRequest(s) unable to be fulfilled - expr: cco_credentials_requests_conditions{condition="CredentialsProvisionFailure"} - > 0 - for: 5m - labels: - severity: warning - - alert: CloudCredentialOperatorDeprovisioningFailed - annotations: - 
message: CredentialsRequest(s) unable to be cleaned up - expr: cco_credentials_requests_conditions{condition="CredentialsDeprovisionFailure"} - > 0 - for: 5m - labels: - severity: warning - - alert: CloudCredentialOperatorInsufficientCloudCreds - annotations: - message: Cluster's cloud credentials insufficient for minting or passthrough - expr: cco_credentials_requests_conditions{condition="InsufficientCloudCreds"} - > 0 - for: 5m - labels: - severity: warning - - alert: CloudCredentialOperatorDown - annotations: - message: cloud-credential-operator pod not running - expr: absent(up{job="cco-metrics"} == 1) - for: 5m - labels: - severity: critical ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: cloud-credential-operator - namespace: openshift-cloud-credential-operator -spec: - endpoints: - - interval: 30s - port: cco-metrics - scheme: http - namespaceSelector: - matchNames: - - openshift-cloud-credential-operator - selector: {}