manifests: reorganize to match infra operator convention

manifests/00_namespace.yaml → manifests/00-namespace.yaml

@@ -4,6 +4,5 @@ metadata:
   annotations:
     openshift.io/node-selector: ""
   labels:
-    controller-tools.k8s.io: "1.0"
     openshift.io/cluster-monitoring: "true"
   name: openshift-cloud-credential-operator

manifests/0000_90_cloud-credential-operator_01_prometheusrole.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: prometheus-k8s
+  namespace: openshift-cloud-credential-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  verbs:
+  - get
+  - list
+  - watch

manifests/0000_90_cloud-credential-operator_02_prometheusrolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prometheus-k8s
+  namespace: openshift-cloud-credential-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-k8s
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: openshift-monitoring

manifests/0000_90_cloud-credential-operator_03_servicemonitor.yaml

@@ -0,0 +1,65 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: cloud-credential-operator
+  namespace: openshift-cloud-credential-operator
+spec:
+  endpoints:
+  - interval: 30s
+    port: cco-metrics
+    scheme: http
+  namespaceSelector:
+    matchNames:
+    - openshift-cloud-credential-operator
+  selector: {}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  annotations:
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+  name: cloud-credential-operator-alerts
+  namespace: openshift-cloud-credential-operator
+spec:
+  groups:
+  - name: CloudCredentialOperator
+    rules:
+    - alert: CloudCredentialOperatorTargetNamespaceMissing
+      annotations:
+        message: CredentialsRequest(s) pointing to non-existant namespace
+      expr: cco_credentials_requests_conditions{condition="MissingTargetNamespace"}
+        > 0
+      for: 5m
+      labels:
+        severity: warning
+    - alert: CloudCredentialOperatorProvisioningFailed
+      annotations:
+        message: CredentialsRequest(s) unable to be fulfilled
+      expr: cco_credentials_requests_conditions{condition="CredentialsProvisionFailure"}
+        > 0
+      for: 5m
+      labels:
+        severity: warning
+    - alert: CloudCredentialOperatorDeprovisioningFailed
+      annotations:
+        message: CredentialsRequest(s) unable to be cleaned up
+      expr: cco_credentials_requests_conditions{condition="CredentialsDeprovisionFailure"}
+        > 0
+      for: 5m
+      labels:
+        severity: warning
+    - alert: CloudCredentialOperatorInsufficientCloudCreds
+      annotations:
+        message: Cluster's cloud credentials insufficient for minting or passthrough
+      expr: cco_credentials_requests_conditions{condition="InsufficientCloudCreds"}
+        > 0
+      for: 5m
+      labels:
+        severity: warning
+    - alert: CloudCredentialOperatorDown
+      annotations:
+        message: cloud-credential-operator pod not running
+      expr: absent(up{job="cco-metrics"} == 1)
+      for: 5m
+      labels:
+        severity: critical

manifests/01-cluster-role-binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  creationTimestamp: null
+  name: cloud-credential-operator-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cloud-credential-operator-role
+subjects:
+- kind: ServiceAccount
+  name: cloud-credential-operator
+  namespace: openshift-cloud-credential-operator

manifests/01-cluster-role.yaml

@@ -0,0 +1,88 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: cloud-credential-operator-role
+rules:
+- apiGroups:
+  - cloudcredential.openshift.io
+  resources:
+  - credentialsrequests
+  - credentialsrequests/status
+  - credentialsrequests/finalizers
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - clusterversions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - infrastructures
+  - dnses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - clusteroperators
+  - clusteroperators/status
+  verbs:
+  - create
+  - get
+  - update
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - update

manifests/01-service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: cco-metrics
+  namespace: openshift-cloud-credential-operator
+spec:
+  ports:
+  - name: cco-metrics
+    port: 2112
+    protocol: TCP
+    targetPort: 2112
+  selector:
+    app: cloud-credential-operator
+  sessionAffinity: None
+  type: ClusterIP

manifests/01-trusted-ca-configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: cco-trusted-ca
+  namespace: openshift-cloud-credential-operator

manifests/02-sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-credential-operator
+  namespace: openshift-cloud-credential-operator

manifests/03-deployment.yaml

@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    config.openshift.io/inject-proxy: cloud-credential-operator
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+  name: cloud-credential-operator
+  namespace: openshift-cloud-credential-operator
+spec:
+  replicas: 1
+  revisionHistoryLimit: 4
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      controller-tools.k8s.io: "1.0"
+  template:
+    metadata:
+      labels:
+        app: cloud-credential-operator
+        control-plane: controller-manager
+        controller-tools.k8s.io: "1.0"
+    spec:
+      containers:
+      - args:
+        - |
+          if [ -s /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then
+              echo "Copying system trust bundle"
+              cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+          fi
+          exec /usr/bin/cloud-credential-operator operator --log-level=debug
+        command:
+        - /bin/bash
+        - -ec
+        env:
+        - name: RELEASE_VERSION
+          value: 0.0.1-snapshot
+        - name: AWS_POD_IDENTITY_WEBHOOK_IMAGE
+          value: quay.io/openshift/aws-pod-identity-webhook:latest
+        image: quay.io/openshift/origin-cloud-credential-operator:latest
+        imagePullPolicy: IfNotPresent
+        name: cloud-credential-operator
+        ports:
+        - containerPort: 9876
+          name: webhook-server
+          protocol: TCP
+        resources:
+          requests:
+            cpu: 10m
+            memory: 150Mi
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /var/run/configmaps/trusted-ca-bundle
+          name: cco-trusted-ca
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      priorityClassName: system-cluster-critical
+      serviceAccountName: cloud-credential-operator
+      terminationGracePeriodSeconds: 10
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      - effect: NoExecute
+        key: node.kubernetes.io/unreachable
+        operator: Exists
+        tolerationSeconds: 120
+      - effect: NoExecute
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+        tolerationSeconds: 120
+      volumes:
+      - configMap:
+          items:
+          - key: ca-bundle.crt
+            path: tls-ca-bundle.pem
+          name: cco-trusted-ca
+          optional: true
+        name: cco-trusted-ca

manifests/10_cluster-operator.yaml → manifests/04-cluster-operator.yaml

@@ -8,4 +8,3 @@ status:
   versions:
   - name: operator
     version: "0.0.1-snapshot"
-

manifests/07_cred-iam-ro.yaml → manifests/05-iam-ro-credentialsrequest.yaml

@@ -1,8 +1,6 @@
 apiVersion: cloudcredential.openshift.io/v1
 kind: CredentialsRequest
 metadata:
-  labels:
-    controller-tools.k8s.io: "1.0"
   name: cloud-credential-operator-iam-ro
   namespace: openshift-cloud-credential-operator
   annotations:
@@ -21,4 +19,3 @@ spec:
       - iam:GetUserPolicy
       - iam:ListAccessKeys
       resource: "*"
----