diff --git a/Makefile b/Makefile index c57ac622..6302abb9 100644 --- a/Makefile +++ b/Makefile @@ -133,10 +133,20 @@ controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessar $(CONTROLLER_GEN): $(LOCALBIN) GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) -KUSTOMIZE = $(shell pwd)/bin/kustomize +## Tool Binaries +KUSTOMIZE ?= $(LOCALBIN)/kustomize +## Tool Versions +KUSTOMIZE_VERSION ?= v5.0.1 + +KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" .PHONY: kustomize -kustomize: ## Download kustomize locally if necessary. - $(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v3@v3.8.7) +kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. +$(KUSTOMIZE): $(LOCALBIN) + @if test -x $(LOCALBIN)/kustomize && ! $(LOCALBIN)/kustomize version | grep -q $(KUSTOMIZE_VERSION); then \ + echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing."; \ + rm -rf $(LOCALBIN)/kustomize; \ + fi + test -s $(LOCALBIN)/kustomize || { curl -Ss $(KUSTOMIZE_INSTALL_SCRIPT) | bash -s -- $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN); } ENVTEST = $(shell pwd)/bin/setup-envtest .PHONY: envtest diff --git a/config/00_namespace.yaml b/config/00_namespace.yaml deleted file mode 100644 index 91ec2ad3..00000000 --- a/config/00_namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: catalogd-system \ No newline at end of file diff --git a/config/aggregated-apiserver.yaml b/config/apiserver/apiserver.yaml similarity index 51% rename from config/aggregated-apiserver.yaml rename to config/apiserver/apiserver.yaml index 897d40fa..ee508fce 100644 --- a/config/aggregated-apiserver.yaml +++ b/config/apiserver/apiserver.yaml 
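Review bot: The `$(KUSTOMIZE)` recipe pipes a script fetched from the `master` branch straight into `bash`, so the code that runs on developer and CI machines is unpinned and unverified even though `KUSTOMIZE_VERSION` is fixed at v5.0.1. `curl -Ss` also lacks `-f`, so an HTTP error body would be handed to bash, and the pipeline's exit status is bash's rather than curl's. The controller-gen rule just above already shows a pattern that avoids the remote script: `GOBIN=$(LOCALBIN) go install sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION)`, which is verified through the Go module checksum database. If the script is kept, reference it by commit SHA instead of `master`, download it to a file with `curl -fsSL`, and compare it against a recorded checksum before running it.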
@@ -1,12 +1,42 @@ +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1beta1.catalogd.operatorframework.io + labels: + api: catalogd + apiserver: "true" + app.kubernetes.io/name: apiservice + app.kubernetes.io/instance: system + app.kubernetes.io/component: apiservice + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize + annotations: + # Have cert manager inject the caBundle field using the cert we created + cert-manager.io/inject-ca-from: catalogd-system/server-cert +spec: + version: v1beta1 + group: catalogd.operatorframework.io + groupPriorityMinimum: 2000 + service: + name: catalogd + namespace: system + versionPriority: 10 --- apiVersion: apps/v1 kind: Deployment metadata: - name: catalogd-apiserver - namespace: catalogd-system + name: apiserver + namespace: system labels: api: catalogd apiserver: "true" + app.kubernetes.io/name: deployment + app.kubernetes.io/instance: system + app.kubernetes.io/component: apiservice + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize spec: selector: matchLabels: @@ -19,18 +49,19 @@ spec: api: catalogd apiserver: "true" spec: + serviceAccountName: apiserver containers: - name: apiserver - image: quay.io/operator-framework/catalogd-server:latest + image: apiserver:latest imagePullPolicy: IfNotPresent volumeMounts: - - name: apiserver-certs + - name: catalogd-apiserver-certs mountPath: /apiserver.local.config/certificates readOnly: true command: - "./apiserver" args: - - "--etcd-servers=http://etcd-svc:2379" + - "--etcd-servers=http://catalogd-etcd-svc:2379" - "--tls-cert-file=/apiserver.local.config/certificates/tls.crt" - "--tls-private-key-file=/apiserver.local.config/certificates/tls.key" - "--audit-log-path=-" 
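Review bot: The new APIService's `cert-manager.io/inject-ca-from: catalogd-system/server-cert` annotation and `service.name: catalogd` look out of step with the names the rest of this commit produces. The Certificate later in this file is `server-cert`, which `namePrefix: catalogd-` in config/default would presumably render as `catalogd-server-cert`, and the Service is renamed to `apiserver`. kustomize does not rewrite annotation values and only updates a name reference that matches a resource in the build, so both probably have to be written by hand: `cert-manager.io/inject-ca-from: catalogd-system/catalogd-server-cert` and `name: apiserver`. Without an injected CA the aggregator cannot verify the backend and the usual shortcut is to disable verification, so please confirm both values against the rendered `kustomize build config/default` output.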
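Review bot: The `--etcd-servers=http://catalogd-etcd-svc:2379` argument keeps the API server's storage connection on plain HTTP with no client certificate, so any workload that can reach the etcd Service can read or modify the objects this aggregated API serves. The line is only renamed here, but since the etcd manifests are reorganised in the same commit it is the natural place to move to `https://` with `--etcd-cafile`, `--etcd-certfile` and `--etcd-keyfile` (assuming this server exposes the generic apiserver etcd flags), or at least to add a NetworkPolicy limiting port 2379 to the apiserver pods. The container spec visible in this hunk also has no `securityContext`, unlike the manager Deployment added in this commit; the Deployment continues outside the hunk, so check whether one is set there.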
@@ -46,15 +77,15 @@ spec: cpu: 100m memory: 30Mi volumes: - - name: apiserver-certs + - name: catalogd-apiserver-certs secret: - secretName: catalogd + secretName: catalogd-apiserver --- apiVersion: v1 kind: Service metadata: - name: catalogd - namespace: catalogd-system + name: apiserver + namespace: system labels: api: catalogd apiserver: "true" @@ -74,7 +105,7 @@ metadata: api: catalogd apiserver: "true" name: selfsigned-issuer - namespace: catalogd-system + namespace: system spec: selfSigned: {} --- @@ -84,14 +115,14 @@ metadata: labels: api: catalogd apiserver: "true" - name: catalogd-cert - namespace: catalogd-system + name: server-cert + namespace: system spec: dnsNames: - - catalogd.catalogd-system.svc - - catalogd.catalogd-system.svc.cluster.local + - catalogd-apiserver.catalogd.svc + - catalogd-apiserver.catalogd.svc.cluster.local - localhost issuerRef: kind: Issuer - name: selfsigned-issuer - secretName: catalogd + name: catalogd-selfsigned-issuer + secretName: catalogd-apiserver diff --git a/config/apiserver/kustomization.yaml b/config/apiserver/kustomization.yaml new file mode 100644 index 00000000..f6743b3a --- /dev/null +++ b/config/apiserver/kustomization.yaml @@ -0,0 +1,8 @@ +resources: +- apiserver.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: apiserver + newName: quay.io/operator-framework/catalogd-server + newTag: latest diff --git a/config/apiservice.yaml b/config/apiservice.yaml deleted file mode 100644 index 0711194e..00000000 --- a/config/apiservice.yaml +++ /dev/null @@ -1,18 +0,0 @@ - -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1beta1.core.catalogd.io - labels: - api: catalogd - apiserver: "true" -spec: - version: v1beta1 - group: core.catalogd.io - groupPriorityMinimum: 2000 - service: - name: catalogd - namespace: catalogd-system - versionPriority: 10 - caBundle: "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" ---- 
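Review bot: The Certificate's new `dnsNames` use the namespace `catalogd` (`catalogd-apiserver.catalogd.svc`), while config/default/kustomization.yaml in this commit sets `namespace: catalogd-system`. The aggregator reaches the backend as `<service>.<namespace>.svc` and validates the serving certificate against that name, so the entries should be `catalogd-apiserver.catalogd-system.svc` and `catalogd-apiserver.catalogd-system.svc.cluster.local`. `issuerRef.name` is also hard-coded as `catalogd-selfsigned-issuer` although the Issuer is declared as `selfsigned-issuer`, so it only resolves under that exact prefix.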
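Review bot: `newTag: latest` in config/apiserver/kustomization.yaml leaves the deployed apiserver image mutable, and with `imagePullPolicy: IfNotPresent` in apiserver.yaml different nodes can run different builds under the same tag. Pin a release tag or, better, replace it with `digest: sha256:<image digest>` in the `images:` entry. config/manager/kustomization.yaml has the same `newTag: latest` for the controller image.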
diff --git a/config/controller-manager.yaml b/config/controller-manager.yaml deleted file mode 100644 index c6920af2..00000000 --- a/config/controller-manager.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: catalogd-controller - namespace: catalogd-system - labels: - api: catalogd - controller: "true" -spec: - selector: - matchLabels: - api: catalogd - controller: "true" - replicas: 1 - template: - metadata: - labels: - api: catalogd - controller: "true" - spec: - containers: - - name: controller - image: quay.io/operator-framework/catalogd-controller:latest - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - command: - - "./manager" - args: - # If you are interested in enabling the endpoints for collecting - # performance metrics via pprof uncomment the below line: - # - --profiling=true - resources: - requests: - cpu: 1000m - memory: 200Mi - limits: - cpu: 1000m - memory: 300Mi - volumes: - - name: apiserver-certs - secret: - secretName: catalogd diff --git a/config/crd/bases/catalogd.operatorframework.io_bundlemetadata.yaml b/config/crd/bases/catalogd.operatorframework.io_bundlemetadata.yaml new file mode 100644 index 00000000..400bfd71 --- /dev/null +++ b/config/crd/bases/catalogd.operatorframework.io_bundlemetadata.yaml 
@@ -0,0 +1,98 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + name: bundlemetadata.catalogd.operatorframework.io +spec: + group: catalogd.operatorframework.io + names: + kind: BundleMetadata + listKind: BundleMetadataList + plural: bundlemetadata + singular: bundlemetadata + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: BundleMetadata + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BundleMetadataSpec defines the desired state of BundleMetadata + properties: + catalogSource: + description: CatalogSource is the name of the CatalogSource that provides + this bundle + type: string + image: + description: Image is a reference to the image that provides the bundle + contents + type: string + package: + description: Package is the name of the package that provides this + bundle + type: string + properties: + description: Properties is a string of references to property objects + that are part of the bundle + items: + description: 'TODO: In the future we should remove this in favor + of using `property.Property` from https://pkg.go.dev/github.com/operator-framework/operator-registry@v1.26.3/alpha/property#Property + This will likely require some changes to the `property.Property` + type to make it suitable for usage within the Spec for a CustomResource' + properties: + type: + type: string + value: + format: byte + type: string + required: + - type + - value + type: object + type: array + relatedImages: + description: RelatedImages are the RelatedImages in the bundle + items: + description: 'TODO: In the future we should remove this in favor + of using `model.RelatedImage` (or similar) from https://pkg.go.dev/github.com/operator-framework/operator-registry@v1.26.3/alpha/model#RelatedImage + This will likely require some changes to the `model.RelatedImage` + type to make it suitable for usage within the Spec for a CustomResource' + properties: + image: + type: string + name: + type: string + required: + - image + - name + type: object + type: array + required: + - catalogSource + - image + - package + - properties + - relatedImages + type: object + status: + description: BundleMetadataStatus defines the observed state of BundleMetadata + type: object + type: object + served: true + 
storage: true diff --git a/config/crd/bases/catalogd.operatorframework.io_catalogsources.yaml b/config/crd/bases/catalogd.operatorframework.io_catalogsources.yaml new file mode 100644 index 00000000..5a95aecf --- /dev/null +++ b/config/crd/bases/catalogd.operatorframework.io_catalogsources.yaml 
@@ -0,0 +1,65 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + name: catalogsources.catalogd.operatorframework.io +spec: + group: catalogd.operatorframework.io + names: + kind: CatalogSource + listKind: CatalogSourceList + plural: catalogsources + singular: catalogsource + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: CatalogSource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CatalogSourceSpec defines the desired state of CatalogSource + properties: + image: + description: Image is the Catalog image that contains Operators' metadata + in the FBC format https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs + type: string + pollingInterval: + description: PollingInterval is used to determine the time interval + between checks of the latest index image version. The image is polled + to see if a new version of the image is available. If available, + the latest image is pulled and the cache is updated to contain the + new content. 
+ type: string + required: + - image + type: object + status: + description: CatalogSourceStatus defines the observed state of CatalogSource + properties: + latestImagePoll: + description: The last time the image has been polled to ensure the + image is up-to-date + format: date-time + type: string + required: + - latestImagePoll + type: object + type: object + served: true + storage: true diff --git a/config/crd/bases/catalogd.operatorframework.io_packages.yaml b/config/crd/bases/catalogd.operatorframework.io_packages.yaml new file mode 100644 index 00000000..4c03968e --- /dev/null +++ b/config/crd/bases/catalogd.operatorframework.io_packages.yaml 
@@ -0,0 +1,109 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + name: packages.catalogd.operatorframework.io +spec: + group: catalogd.operatorframework.io + names: + kind: Package + listKind: PackageList + plural: packages + singular: package + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: Package + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PackageSpec defines the desired state of Package + properties: + catalogSource: + description: CatalogSource is the name of the CatalogSource this package + belongs to + type: string + catalogSourceDisplayName: + type: string + catalogSourcePublisher: + type: string + channels: + description: Channels are the declared channels for the package, ala + `stable` or `alpha`. + items: + description: PackageChannel defines a single channel under a package, + pointing to a version of that package. 
+ properties: + entries: + description: Entries is all the channel entries within a channel + items: + properties: + name: + type: string + replaces: + type: string + skipRange: + type: string + skips: + items: + type: string + type: array + required: + - name + type: object + type: array + name: + description: Name is the name of the channel, e.g. `alpha` or + `stable` + type: string + required: + - entries + - name + type: object + type: array + defaultChannel: + description: DefaultChannel is, if specified, the name of the default + channel for the package. The default channel will be installed if + no other channel is explicitly given. If the package has a single + channel, then that channel is implicitly the default. + type: string + description: + description: Description is the description of the package + type: string + icon: + description: Icon is the Base64data image of the package for console + display + properties: + base64data: + type: string + mediatype: + type: string + type: object + required: + - catalogSource + - channels + - defaultChannel + - description + type: object + status: + description: PackageStatus defines the observed state of Package + type: object + type: object + served: true + storage: true diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml new file mode 100644 index 00000000..5d7c1db6 --- /dev/null +++ b/config/crd/kustomization.yaml @@ -0,0 +1,8 @@ +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/default +resources: +- bases/catalogd.operatorframework.io_bundlemetadata.yaml +- bases/catalogd.operatorframework.io_packages.yaml +- bases/catalogd.operatorframework.io_catalogsources.yaml +#+kubebuilder:scaffold:crdkustomizeresource diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml new file mode 100644 index 00000000..9b6ad8ed --- /dev/null 
+++ b/config/default/kustomization.yaml @@ -0,0 +1,21 @@ +# Adds namespace to all resources. +namespace: catalogd-system + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: catalogd- + +# the following config is for teaching kustomize how to do var substitution +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../crd +- ../rbac +- ../manager +- ../apiserver +- ../etcd +patches: +- path: manager_auth_proxy_patch.yaml diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml new file mode 100644 index 00000000..687c4a7a --- /dev/null +++ b/config/default/manager_auth_proxy_patch.yaml 
@@ -0,0 +1,55 @@ +# This patch inject a sidecar container which is a HTTP proxy for the +# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - name: kube-rbac-proxy + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=0" + ports: + - containerPort: 8443 + protocol: TCP + name: https + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=127.0.0.1:8080" + - "--leader-elect" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml new file mode 100644 index 00000000..f6f58916 --- /dev/null +++ b/config/default/manager_config_patch.yaml @@ -0,0 +1,10 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager diff --git a/config/etcd.yaml b/config/etcd/etcd.yaml similarity index 96% rename from config/etcd.yaml rename to config/etcd/etcd.yaml index 8e3125a8..e3f32cee 100644 --- a/config/etcd.yaml +++ b/config/etcd/etcd.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: etcd - namespace: catalogd-system + namespace: system spec: selector: matchLabels: 
@@ -74,7 +74,7 @@ apiVersion: v1 kind: Service metadata: name: etcd-svc - namespace: catalogd-system + namespace: system labels: app: etcd spec: diff --git a/config/etcd/kustomization.yaml b/config/etcd/kustomization.yaml new file mode 100644 index 00000000..35505723 --- /dev/null +++ b/config/etcd/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- etcd.yaml diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml new file mode 100644 index 00000000..8fde1561 --- /dev/null +++ b/config/manager/kustomization.yaml @@ -0,0 +1,8 @@ +resources: +- manager.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: quay.io/operator-framework/catalogd-controller + newTag: latest diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml new file mode 100644 index 00000000..bda5270a --- /dev/null +++ b/config/manager/manager.yaml 
@@ -0,0 +1,103 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: namespace + app.kubernetes.io/instance: system + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize + name: system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager + app.kubernetes.io/name: deployment + app.kubernetes.io/instance: controller-manager + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + # TODO(user): Uncomment the following code to configure the nodeAffinity expression + # according to the platforms which are supported by your solution. + # It is considered best practice to support multiple architectures. You can + # build your manager image using the makefile target docker-buildx. + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/arch + # operator: In + # values: + # - amd64 + # - arm64 + # - ppc64le + # - s390x + # - key: kubernetes.io/os + # operator: In + # values: + # - linux + securityContext: + runAsNonRoot: true + # TODO(user): For common cases that do not require escalating privileges + # it is recommended to ensure that all your Pods/Containers are restrictive. 
+ # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + # Please uncomment the following code if your project does NOT have to work on old Kubernetes + # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). + # seccompProfile: + # type: RuntimeDefault + containers: + - command: + - "./manager" + args: + - --leader-elect + image: controller:latest + name: manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + # TODO(user): Configure the resources accordingly based on the project requirements. + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 1000m + memory: 200Mi + imagePullPolicy: IfNotPresent + serviceAccountName: controller-manager + terminationGracePeriodSeconds: 10 diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml new file mode 100644 index 00000000..ed137168 --- /dev/null +++ b/config/prometheus/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- monitor.yaml diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml new file mode 100644 index 00000000..8d96dc19 --- /dev/null +++ b/config/prometheus/monitor.yaml 
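Review bot: The manager pod sets `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and drops all capabilities, but `seccompProfile` is left commented out, so the pod does not meet the restricted Pod Security Standard that the TODO links to. Unless clusters older than 1.19 must be supported, uncomment `seccompProfile:` / `type: RuntimeDefault` under the pod-level `securityContext`. `readOnlyRootFilesystem: true` on the container is worth adding if the manager does not write to its root filesystem, which is not visible here. The Namespace object in this file could also carry `pod-security.kubernetes.io/enforce: restricted` so that the profile is enforced rather than assumed.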
@@ -0,0 +1,26 @@
+
+# Prometheus Monitor Service (Metrics)
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: servicemonitor
+ app.kubernetes.io/instance: controller-manager-metrics-monitor
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager-metrics-monitor
+ namespace: system
+spec:
+ endpoints:
+ - path: /metrics
+ port: https
+ scheme: https
+ bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ tlsConfig:
+ insecureSkipVerify: true
+ selector:
+ matchLabels:
+ control-plane: controller-manager
diff --git a/config/rbac.yaml b/config/rbac.yaml
deleted file mode 100644
index 6c0d4bbc..00000000
--- a/config/rbac.yaml
+++ /dev/null
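Review bot: `insecureSkipVerify: true` under `tlsConfig` means Prometheus sends the token from `bearerTokenFile` to whatever answers on the `https` port without checking its certificate. kube-rbac-proxy is started in manager_auth_proxy_patch.yaml without `--tls-cert-file`, so it presumably serves a self-generated certificate, which would explain why verification is off. Giving the proxy a cert-manager certificate and setting `ca` and `serverName` in `tlsConfig` would allow this to become `insecureSkipVerify: false`. config/default does not list `../prometheus`, so this only takes effect once that directory is enabled; a comment above `tlsConfig` saying so would help.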
@@ -1,101 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: catalogd-apiserver-auth-reader -rules: - - apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: - - configmaps - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: catalogd-apiserver-auth-reader - namespace: catalogd-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-apiserver-auth-reader -subjects: - - kind: ServiceAccount - namespace: catalogd-system - name: default ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: catalogd-apiserver-auth-delegator - namespace: catalogd-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - kind: ServiceAccount - namespace: catalogd-system - name: default ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: catalogd-controller - namespace: catalogd-system -rules: - - apiGroups: - - 'core.catalogd.io' - resources: - - '*' - verbs: - - '*' - - apiGroups: - - '' - resources: - - 'configmaps' - - 'namespaces' - - 'pods' - - 'pods/log' - verbs: - - 'get' - - 'list' - - 'watch' - - apiGroups: - - 'admissionregistration.k8s.io' - resources: - - '*' - verbs: - - 'list' - - 'watch' - - nonResourceURLs: - - '*' - verbs: - - '*' - - apiGroups: - - 'batch' - resources: - - 'jobs' - verbs: - - 'create' - - 'get' - - 'list' - - 'watch' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: catalogd-controller - namespace: catalogd-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: catalogd-controller -subjects: - - kind: ServiceAccount - namespace: catalogd-system - name: default 
diff --git a/config/rbac/apiserver_role.yaml b/config/rbac/apiserver_role.yaml
new file mode 100644
index 00000000..86fa259c
--- /dev/null
+++ b/config/rbac/apiserver_role.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: apiserver-auth-reader
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - 'admissionregistration.k8s.io'
+ resources:
+ - '*'
+ verbs:
+ - 'list'
+ - 'watch'
+ - nonResourceURLs:
+ - '*'
+ verbs:
+ - '*'
diff --git a/config/rbac/apiserver_rolebindings.yaml b/config/rbac/apiserver_rolebindings.yaml
new file mode 100644
index 00000000..18ac8395
--- /dev/null
+++ b/config/rbac/apiserver_rolebindings.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: apiserver-auth-reader
+ namespace: system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: catalogd-apiserver-auth-reader
+subjects:
+ - kind: ServiceAccount
+ namespace: catalogd-system
+ name: catalogd-apiserver
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: apiserver-auth-delegator
+ namespace: system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ namespace: catalogd-system
+ name: catalogd-apiserver
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
new file mode 100644
index 00000000..42068354
--- /dev/null
+++ b/config/rbac/auth_proxy_client_clusterrole.yaml
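Review bot: The `apiserver-auth-reader` ClusterRole in config/rbac/apiserver_role.yaml is much broader than the one it replaces in config/rbac.yaml. The `resourceNames: extension-apiserver-authentication` restriction is gone, so the API server's service account can get, list and watch every ConfigMap in every namespace, and the `nonResourceURLs: '*'` with `verbs: '*'` rule that used to sit on the controller role has moved here. For delegated authentication the server needs only the `extension-apiserver-authentication` ConfigMap in `kube-system`, which the built-in `extension-apiserver-authentication-reader` Role covers when bound with a RoleBinding in `kube-system`. The remaining rules can be narrowed as sketched below, keeping `namespaces` and the webhook configurations only if the server's admission plugins actually use them, and dropping the nonResourceURLs rule unless a concrete caller is identified.

```yaml
rules:
  # configmaps: bind the built-in extension-apiserver-authentication-reader
  # Role in kube-system instead of granting cluster-wide ConfigMap reads.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - list
      - watch
```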
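Review bot: Both bindings in config/rbac/apiserver_rolebindings.yaml hard-code the post-kustomize names (`catalogd-apiserver-auth-reader`, `catalogd-system`, `catalogd-apiserver`) in `roleRef` and `subjects`, while the objects they refer to are declared un-prefixed (`apiserver-auth-reader`, ServiceAccount `apiserver` in `system`). kustomize resolves references by the name written in the base, so these line up only for the exact `namePrefix` and `namespace` in config/default; under any other overlay `system:auth-delegator` would be granted to a subject that the build does not create. Write them the way role_binding.yaml does, with `name: apiserver-auth-reader` in `roleRef` and `name: apiserver` plus `namespace: system` in `subjects`, and let kustomize rewrite them. `metadata.namespace` has no meaning on a ClusterRoleBinding and can be dropped.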
@@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: metrics-reader + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize + name: metrics-reader +rules: +- nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml new file mode 100644 index 00000000..86ca3cc0 --- /dev/null +++ b/config/rbac/auth_proxy_role.yaml @@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: proxy-role + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize + name: proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 00000000..8c40d628 --- /dev/null +++ b/config/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system 
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml new file mode 100644 index 00000000..fcd6f2ae --- /dev/null +++ b/config/rbac/auth_proxy_service.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: service + app.kubernetes.io/instance: controller-manager-metrics-service + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml new file mode 100644 index 00000000..68abd2f7 --- /dev/null +++ b/config/rbac/kustomization.yaml @@ -0,0 +1,20 @@ +resources: +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# Comment the following 4 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml +- auth_proxy_client_clusterrole.yaml +- apiserver_role.yaml +- apiserver_rolebindings.yaml diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml new file mode 100644 index 00000000..c76dcdca --- /dev/null +++ b/config/rbac/leader_election_role.yaml 
@@ -0,0 +1,44 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: role + app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml new file mode 100644 index 00000000..b5bee512 --- /dev/null +++ b/config/rbac/leader_election_role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rolebinding + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: catalogd + app.kubernetes.io/part-of: catalogd + app.kubernetes.io/managed-by: kustomize + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 2d7bdf2b..76c2b05b 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -6,7 +6,16 @@ metadata: name: manager-role rules: - apiGroups: - - "" + - batch + resources: + - jobs + verbs: + - create + - get + - list + - watch +- apiGroups: + - catalogd.operatorframework.io resources: - bundlemetadata verbs: 
@@ -18,13 +27,13 @@ rules:
 - update
 - watch
 - apiGroups:
- - ""
+ - catalogd.operatorframework.io
 resources:
 - bundlemetadata/finalizers
 verbs:
 - update
 - apiGroups:
- - ""
+ - catalogd.operatorframework.io
 resources:
 - bundlemetadata/status
 verbs:
@@ -32,9 +41,9 @@ rules:
 - patch
 - update
 - apiGroups:
- - ""
+ - catalogd.operatorframework.io
 resources:
- - packages
+ - catalogsources
 verbs:
 - create
 - delete
@@ -44,23 +53,23 @@ rules:
 - update
 - watch
 - apiGroups:
- - ""
+ - catalogd.operatorframework.io
 resources:
- - packages/finalizers
+ - catalogsources/finalizers
 verbs:
 - update
 - apiGroups:
- - ""
+ - catalogd.operatorframework.io
 resources:
- - packages/status
+ - catalogsources/status
 verbs:
 - get
 - patch
 - update
 - apiGroups:
- - core.catalogd.io
+ - catalogd.operatorframework.io
 resources:
- - catalogsources
+ - packages
 verbs:
 - create
 - delete
@@ -70,16 +79,32 @@ rules:
 - update
 - watch
 - apiGroups:
- - core.catalogd.io
+ - catalogd.operatorframework.io
 resources:
- - catalogsources/finalizers
+ - packages/finalizers
 verbs:
 - update
 - apiGroups:
- - core.catalogd.io
+ - catalogd.operatorframework.io
 resources:
- - catalogsources/status
+ - packages/status
 verbs:
 - get
 - patch
 - update
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
new file mode 100644
index 00000000..da9b5ab5
--- /dev/null
+++ b/config/rbac/role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrolebinding
+ app.kubernetes.io/instance: manager-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
new file mode 100644
index 00000000..42fe8e19
--- /dev/null
+++ b/config/rbac/service_account.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kuberentes.io/instance: controller-manager
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager
+ namespace: system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kuberentes.io/instance: apiserver
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: catalogd
+ app.kubernetes.io/part-of: catalogd
+ app.kubernetes.io/managed-by: kustomize
+ name: apiserver
+ namespace: system
diff --git a/config/samples/catalogsource.yaml b/config/samples/catalogsource.yaml
deleted file mode 100644
index 1f86ac90..00000000
--- a/config/samples/catalogsource.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: core.catalogd.io/v1beta1
-kind: CatalogSource
-metadata:
- name: catalogsource-sample
-spec:
- image: quay.io/operatorhubio/catalog:latest
-
diff --git a/config/samples/core_v1beta1_catalogsource.yaml b/config/samples/core_v1beta1_catalogsource.yaml
new file mode 100644
index 00000000..b34f3750
--- /dev/null
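Review bot: The label key `app.kuberentes.io/instance` on both ServiceAccounts in config/rbac/service_account.yaml is misspelled (`kuberentes`), so neither object carries the standard `app.kubernetes.io/instance` label and any selector, policy or audit query keyed on it will miss them. The same misspelling appears as `app.kuberentes.io/managed-by` in config/samples/core_v1beta1_catalogsource.yaml. The lines should read `app.kubernetes.io/instance: controller-manager`, `app.kubernetes.io/instance: apiserver` and `app.kubernetes.io/managed-by: kustomize`.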
+++ b/config/samples/core_v1beta1_catalogsource.yaml @@ -0,0 +1,13 @@ +apiVersion: catalogd.operatorframework.io/v1beta1 +kind: CatalogSource +metadata: + labels: + app.kubernetes.io/name: catalogsource + app.kubernetes.io/instance: catalogsource-sample + app.kubernetes.io/part-of: catalogd + app.kuberentes.io/managed-by: kustomize + app.kubernetes.io/created-by: catalogd + name: catalogsource-sample +spec: + image: quay.io/operatorhubio/catalog:latest + pollingInterval: 45m diff --git a/main.go b/main.go index 4cf674bb..04ad2153 100644 --- a/main.go +++ b/main.go @@ -76,7 +76,7 @@ func main() { Port: 9443, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, - LeaderElectionID: "510231d7.", + LeaderElectionID: "catalogd-operator-lock", }) if err != nil { setupLog.Error(err, "unable to start manager") diff --git a/pkg/apis/core/doc.go b/pkg/apis/core/doc.go index 1f5e4571..955ece26 100644 --- a/pkg/apis/core/doc.go +++ b/pkg/apis/core/doc.go @@ -15,7 +15,7 @@ limitations under the License. */ // +k8s:deepcopy-gen=package,register -// +groupName=core.catalogd.io +// +groupName=catalogd.operatorframework.io // Package api is the internal version of the API. package core diff --git a/pkg/apis/core/v1beta1/bundlemetadata_types.go b/pkg/apis/core/v1beta1/bundlemetadata_types.go index cd8d050f..660c5e1a 100644 --- a/pkg/apis/core/v1beta1/bundlemetadata_types.go +++ b/pkg/apis/core/v1beta1/bundlemetadata_types.go @@ -107,7 +107,7 @@ func (in *BundleMetadata) NewList() runtime.Object { func (in *BundleMetadata) GetGroupVersionResource() schema.GroupVersionResource { return schema.GroupVersionResource{ - Group: "core.catalogd.io", + Group: "catalogd.operatorframework.io", Version: "v1beta1", Resource: "bundlemetadata", } diff --git a/pkg/apis/core/v1beta1/catalogsource_types.go b/pkg/apis/core/v1beta1/catalogsource_types.go index 59fe84af..2387ec98 100644 --- a/pkg/apis/core/v1beta1/catalogsource_types.go 
+++ b/pkg/apis/core/v1beta1/catalogsource_types.go @@ -85,7 +85,7 @@ func (in *CatalogSource) NewList() runtime.Object { func (in *CatalogSource) GetGroupVersionResource() schema.GroupVersionResource { return schema.GroupVersionResource{ - Group: "core.catalogd.io", + Group: "catalogd.operatorframework.io", Version: "v1beta1", Resource: "catalogsources", } diff --git a/pkg/apis/core/v1beta1/doc.go b/pkg/apis/core/v1beta1/doc.go index e7803629..ba44f0f2 100644 --- a/pkg/apis/core/v1beta1/doc.go +++ b/pkg/apis/core/v1beta1/doc.go @@ -22,5 +22,5 @@ limitations under the License. // +k8s:deepcopy-gen=package,register // +k8s:conversion-gen=github.com/operator-framework/catalogd/pkg/apis/core // +k8s:defaulter-gen=TypeMeta -// +groupName=core.catalogd.io +// +groupName=catalogd.operatorframework.io package v1beta1 // import "github.com/operator-framework/catalogd/pkg/apis/core/v1beta1" diff --git a/pkg/apis/core/v1beta1/package_types.go b/pkg/apis/core/v1beta1/package_types.go index f62c0ceb..9ac12837 100644 --- a/pkg/apis/core/v1beta1/package_types.go +++ b/pkg/apis/core/v1beta1/package_types.go @@ -122,7 +122,7 @@ func (in *Package) NewList() runtime.Object { func (in *Package) GetGroupVersionResource() schema.GroupVersionResource { return schema.GroupVersionResource{ - Group: "core.catalogd.io", + Group: "catalogd.operatorframework.io", Version: "v1beta1", Resource: "packages", } diff --git a/pkg/apis/core/v1beta1/register.go b/pkg/apis/core/v1beta1/register.go index 8186764c..531c4772 100644 --- a/pkg/apis/core/v1beta1/register.go +++ b/pkg/apis/core/v1beta1/register.go @@ -24,7 +24,7 @@ import ( var AddToScheme = func(scheme *runtime.Scheme) error { gv := schema.GroupVersion{ - Group: "core.catalogd.io", + Group: "catalogd.operatorframework.io", Version: "v1beta1", } metav1.AddToGroupVersion(scheme, gv) diff --git a/pkg/apis/doc.go b/pkg/apis/doc.go index 77ab342f..3b7ad4cd 100644 --- a/pkg/apis/doc.go +++ b/pkg/apis/doc.go 
@@ -17,6 +17,6 @@ limitations under the License. //go:generate apiregister-gen --input-dirs ./... -h ../../boilerplate.go.txt // -// +domain=catalogd.io +// +domain=operatorframework.io package apis diff --git a/pkg/controllers/core/bundlemetadata_controller.go b/pkg/controllers/core/bundlemetadata_controller.go index e31d66b5..0c5d9149 100644 --- a/pkg/controllers/core/bundlemetadata_controller.go +++ b/pkg/controllers/core/bundlemetadata_controller.go @@ -33,9 +33,9 @@ type BundleMetadataReconciler struct { Scheme *runtime.Scheme } -//+kubebuilder:rbac:groups=core,resources=bundlemetadata,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=core,resources=bundlemetadata/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=core,resources=bundlemetadata/finalizers,verbs=update +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=bundlemetadata,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=bundlemetadata/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=bundlemetadata/finalizers,verbs=update // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/pkg/controllers/core/catalogsource_controller.go b/pkg/controllers/core/catalogsource_controller.go index f4e47c3e..6e1a3460 100644 --- a/pkg/controllers/core/catalogsource_controller.go +++ b/pkg/controllers/core/catalogsource_controller.go 
@@ -47,9 +47,12 @@ type CatalogSourceReconciler struct { OpmImage string } -//+kubebuilder:rbac:groups=core.catalogd.io,resources=catalogsources,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=core.catalogd.io,resources=catalogsources/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=core.catalogd.io,resources=catalogsources/finalizers,verbs=update +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogsources,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogsources/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogsources/finalizers,verbs=update +//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch +//+kubebuilder:rbac:groups=core,resources=pods/log,verbs=get;list;watch +//+kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;get;list;watch // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/pkg/controllers/core/package_controller.go b/pkg/controllers/core/package_controller.go index 250a528b..38d61f12 100644 --- a/pkg/controllers/core/package_controller.go +++ b/pkg/controllers/core/package_controller.go 
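Review bot: The three added markers for `pods`, `pods/log` and `batch` `jobs` carry no `namespace=` argument, so they end up in the cluster-wide `manager-role` that config/rbac/role_binding.yaml binds with a ClusterRoleBinding. `create` on Jobs in every namespace lets the controller's service account start pods under any service account in the cluster, and cluster-wide `pods/log` exposes whatever other workloads write to their logs. If the Jobs are only ever created in the controller's own namespace (the Reconcile body is outside this hunk, so this is an assumption), scope the markers, e.g. `//+kubebuilder:rbac:groups=batch,namespace=<controller-namespace>,resources=jobs,verbs=create;get;list;watch`, and bind the generated Role with a RoleBinding. `list` and `watch` on the `pods/log` subresource also look unnecessary, since reading logs only needs `get`.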
@@ -33,9 +33,9 @@ type PackageReconciler struct { Scheme *runtime.Scheme } -//+kubebuilder:rbac:groups=core,resources=packages,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=core,resources=packages/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=core,resources=packages/finalizers,verbs=update +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=packages,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=packages/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=packages/finalizers,verbs=update // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state.