From b61ad47f93bb7b01ebe8035495e6b02521f3313c Mon Sep 17 00:00:00 2001
From: David Eads
Date: Mon, 24 Aug 2020 12:58:52 -0400
Subject: [PATCH] bug 1871890: add current profile annotations to CVO manifests

Cluster profiles are a way to support different deployment models for OpenShift clusters. A profile is an identifier that the Cluster Version Operator uses to determine which manifests to apply. Operators can be excluded completely or can have different manifests for each supported profile. To support above, a deployment model in which not all operators rendered by the CVO by default is needed. The use case includes IBM Public Cloud, in which a hosted control plane is used. Potentially it can also be used for Code Ready Containers. The following annotation may be used to include manifests for a given profile: include.release.openshift.io/[identifier]=true This would make the CVO render this manifest only when CLUSTER_PROFILE=[identifier] has been specified.
---
 ...cluster-authentication-operator_01_prometheusrbac.yaml | 8 ++++++++
 ...cluster-authentication-operator_02_servicemonitor.yaml | 4 ++++
 manifests/00_namespace.yaml | 1 +
 manifests/02_config.cr.yaml | 1 +
 manifests/02_service.yaml | 1 +
 manifests/03_configmap.yaml | 2 ++
 manifests/03_openshift_service_ca.yaml | 1 +
 manifests/03_operator_trusted_ca.yaml | 1 +
 manifests/04_roles.yaml | 2 ++
 manifests/05_serviceaccount.yaml | 2 ++
 manifests/07_deployment.yaml | 1 +
 manifests/08_clusteroperator.yaml | 1 +
 12 files changed, 25 insertions(+)

diff --git a/manifests/0000_90_cluster-authentication-operator_01_prometheusrbac.yaml b/manifests/0000_90_cluster-authentication-operator_01_prometheusrbac.yaml
index b7d2c55e57..aeb306084d 100644
--- a/manifests/0000_90_cluster-authentication-operator_01_prometheusrbac.yaml
+++ b/manifests/0000_90_cluster-authentication-operator_01_prometheusrbac.yaml
@@ -4,6 +4,8 @@ kind: Role
 metadata:
 name: prometheus-k8s
 namespace: openshift-authentication-operator
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 rules:
 - apiGroups:
 - ""
@@ -22,6 +24,8 @@ kind: Role
 metadata:
 name: prometheus-k8s
 namespace: openshift-authentication
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 rules:
 - apiGroups:
 - ""
@@ -40,6 +44,8 @@ kind: RoleBinding
 metadata:
 name: prometheus-k8s
 namespace: openshift-authentication-operator
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -55,6 +61,8 @@ kind: RoleBinding
 metadata:
 name: prometheus-k8s
 namespace: openshift-authentication
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
diff --git a/manifests/0000_90_cluster-authentication-operator_02_servicemonitor.yaml b/manifests/0000_90_cluster-authentication-operator_02_servicemonitor.yaml
index ff0b1cb479..98fba3e0ea 100644
--- a/manifests/0000_90_cluster-authentication-operator_02_servicemonitor.yaml
+++ b/manifests/0000_90_cluster-authentication-operator_02_servicemonitor.yaml
@@ -4,6 +4,8 @@ kind: ServiceMonitor
 metadata:
 name: authentication-operator
 namespace: openshift-authentication-operator
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 spec:
 endpoints:
 - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
@@ -30,6 +32,8 @@ kind: ServiceMonitor
 metadata:
 name: oauth-openshift
 namespace: openshift-authentication
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 spec:
 endpoints:
 - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
diff --git a/manifests/00_namespace.yaml b/manifests/00_namespace.yaml
index ea93455204..0414a6773e 100644
--- a/manifests/00_namespace.yaml
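Review bot: In `0000_90_cluster-authentication-operator_01_prometheusrbac.yaml` the inclusion annotation is repeated by hand under each `metadata:`, and nothing in the commit checks that every document in `manifests/` carries it. Going by the commit message, the CVO renders a manifest for a profile only when the matching `include.release.openshift.io/[identifier]` key is present, so a document that was missed would presumably be dropped without any error. For RBAC that could leave a Role without its RoleBinding, or the reverse. The four hunks here cover two Roles and two RoleBindings, but whether the file holds further documents is not visible from the hunks. A CI check that fails when any object under `manifests/` lacks an `include.release.openshift.io/` annotation would catch this here and in the other eleven files.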
+++ b/manifests/00_namespace.yaml
@@ -3,6 +3,7 @@ kind: Namespace
 metadata:
 name: openshift-authentication-operator
 annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 openshift.io/node-selector: ""
 labels:
 openshift.io/cluster-monitoring: "true"
diff --git a/manifests/02_config.cr.yaml b/manifests/02_config.cr.yaml
index 498dbb1496..0573d605e4 100644
--- a/manifests/02_config.cr.yaml
+++ b/manifests/02_config.cr.yaml
@@ -3,6 +3,7 @@ kind: Authentication
 metadata:
 name: cluster
 annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 release.openshift.io/create-only: "true"
 spec:
 managementState: Managed
diff --git a/manifests/02_service.yaml b/manifests/02_service.yaml
index c237009790..8f8afc42c5 100644
--- a/manifests/02_service.yaml
+++ b/manifests/02_service.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
 annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 service.alpha.openshift.io/serving-cert-secret-name: serving-cert
 labels:
 app: authentication-operator
diff --git a/manifests/03_configmap.yaml b/manifests/03_configmap.yaml
index 4b21ced786..6b26bf9032 100644
--- a/manifests/03_configmap.yaml
+++ b/manifests/03_configmap.yaml
@@ -3,6 +3,8 @@ kind: ConfigMap
 metadata:
 namespace: openshift-authentication-operator
 name: authentication-operator-config
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 data:
 operator-config.yaml: |
 apiVersion: operator.openshift.io/v1alpha1
diff --git a/manifests/03_openshift_service_ca.yaml b/manifests/03_openshift_service_ca.yaml
index 4a74389f8e..3af887664a 100644
--- a/manifests/03_openshift_service_ca.yaml
+++ b/manifests/03_openshift_service_ca.yaml
@@ -4,5 +4,6 @@ metadata:
 name: service-ca-bundle
 namespace: openshift-authentication-operator
 annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 service.beta.openshift.io/inject-cabundle: "true"
 data: {}
diff --git a/manifests/03_operator_trusted_ca.yaml b/manifests/03_operator_trusted_ca.yaml
index d87f5de9c4..eccd96e080 100644
--- a/manifests/03_operator_trusted_ca.yaml
+++ b/manifests/03_operator_trusted_ca.yaml
@@ -4,6 +4,7 @@ metadata:
 namespace: openshift-authentication-operator
 name: trusted-ca-bundle
 annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 release.openshift.io/create-only: "true"
 labels:
 config.openshift.io/inject-trusted-cabundle: "true"
diff --git a/manifests/04_roles.yaml b/manifests/04_roles.yaml
index f6f0d9f0cb..f11d881468 100644
--- a/manifests/04_roles.yaml
+++ b/manifests/04_roles.yaml
@@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: system:openshift:operator:authentication
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:
 kind: ClusterRole
 name: cluster-admin # TODO fix, this is madness
diff --git a/manifests/05_serviceaccount.yaml b/manifests/05_serviceaccount.yaml
index efb0d74d5e..697d167372 100644
--- a/manifests/05_serviceaccount.yaml
+++ b/manifests/05_serviceaccount.yaml
@@ -3,5 +3,7 @@ kind: ServiceAccount
 metadata:
 namespace: openshift-authentication-operator
 name: authentication-operator
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 labels:
 app: authentication-operator
diff --git a/manifests/07_deployment.yaml b/manifests/07_deployment.yaml
index a0dbff7d38..86512f2601 100644
--- a/manifests/07_deployment.yaml
+++ b/manifests/07_deployment.yaml
@@ -6,6 +6,7 @@ metadata:
 labels:
 app: authentication-operator
 annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 config.openshift.io/inject-proxy: authentication-operator
 exclude.release.openshift.io/internal-openshift-hosted: "true"
 spec:
diff --git a/manifests/08_clusteroperator.yaml b/manifests/08_clusteroperator.yaml
index 19a3263d3f..ec3c4660ef 100644
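Review bot: The ClusterRoleBinding in `manifests/04_roles.yaml` that this hunk opts into the self-managed-high-availability profile has `roleRef` `cluster-admin`, and its own context line still reads `# TODO fix, this is madness`. The `subjects:` list is outside the hunk, but if it names the operator's service account then anything that can run as that account holds unrestricted rights on every cluster installed with this profile. Since the binding is now explicitly part of the profile, the TODO should become a tracked one, for example `name: cluster-admin # TODO(<tracking-issue>): replace with a ClusterRole scoped to what the operator manages`. Until that lands, audit rules covering use of this binding's subject would be a sensible interim control.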
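Review bot: In `manifests/07_deployment.yaml` the new `include.release.openshift.io/self-managed-high-availability: "true"` sits in the same annotations map as the existing `exclude.release.openshift.io/internal-openshift-hosted: "true"`, with nothing saying how the two are meant to combine. The commit message describes only the include key, so a reader cannot tell from the manifest whether the exclude key is still honoured or is now redundant. A one-line comment above the pair would settle it, along the lines of `# include = profile opt-in; exclude = legacy opt-out for hosted control planes, kept until <condition>`. The same pairing appears in the `manifests/08_clusteroperator.yaml` hunk.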
--- a/manifests/08_clusteroperator.yaml
+++ b/manifests/08_clusteroperator.yaml
@@ -3,6 +3,7 @@ kind: ClusterOperator
 metadata:
 name: authentication
 annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
 exclude.release.openshift.io/internal-openshift-hosted: "true"
 status:
 versions: