appuio · bastjan · Apr 19, 2022 · Apr 19, 2022 · Apr 19, 2022 · Apr 19, 2022
@@ -61,6 +61,10 @@ parameters:
         typekey: 'kubernetes.labels.logFormat'
         typename: 'nologformat'
 
-  openshift4_elasticsearch_operator:
-    targetNamespaces:
-      - ${openshift4_logging:namespace}
+    elasticsearchOperator:
+      patchTarget:
+        namespace: openshift-operators-redhat
+        name: elasticsearch-operator
+      patch:
+        nodeSelector:
+          node-role.kubernetes.io/infra: ''
@@ -0,0 +1,25 @@
+local common = import 'common.libsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local resourceLocker = import 'lib/resource-locker.libjsonnet';
+local inv = kap.inventory();
+// The hiera parameters for the component
+local params = inv.parameters.openshift4_logging;
+
+local deploymentToPatch = kube._Object('apps/v1', 'Deployment', params.elasticsearchOperator.patchTarget.name) {
+  metadata+: {
+    namespace: params.elasticsearchOperator.patchTarget.namespace,
+  },
+};
+
+local patch = resourceLocker.Patch(deploymentToPatch, {
+  spec: {
+    template: {
+      spec: params.elasticsearchOperator.patch,
+    },
+  },
+});
+
+{
+  '40_deployment_patch': patch,
+}
@@ -204,4 +204,6 @@ local namespace_groups = (
       },
     },
   '60_prometheus_rules': alert_rules.rules,
-} + (import 'kibana-host.libsonnet')
+}
++ (import 'kibana-host.libsonnet')
++ (import 'deployment-patch.libsonnet')
@@ -304,6 +304,24 @@ clusterLogForwarding:
 See the https://docs.openshift.com/container-platform/latest/logging/cluster-logging-enabling-json-logging.html#cluster-logging-configuration-of-json-log-data-for-default-elasticsearch_cluster-logging-enabling-json-logging[OpenShift docs] for a detailed explanation.
 
 
+== `elasticsearchOperator`
+
+[horizontal]
+type:: dictionary
+default::
++
+[source,yaml]
+----
+patchTarget:
+  namespace: openshift-operators-redhat
+  name: elasticsearch-operator
+patch:
+  nodeSelector:
+    node-role.kubernetes.io/infra: ''
+----
+
+Overrides for the ElasticSearch Operator deployment.
+
 == Example
 
 [source,yaml]

@@ -5,6 +5,9 @@ applications:
 parameters:
   kapitan:
     dependencies:
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-resource-locker/v2.1.0/lib/resource-locker.libjsonnet
+        output_path: vendor/lib/resource-locker.libjsonnet
       - type: https
         source: https://raw.githubusercontent.com/appuio/component-openshift4-operators/v1.0.2/lib/openshift4-operators.libsonnet
         output_path: vendor/lib/openshift4-operators.libsonnet
@@ -17,3 +20,9 @@ parameters:
   openshift4_monitoring:
     alerts:
       ignoreNames: []
+
+  resource_locker:
+    namespace: syn-resource-locker
+
+  openshift4_logging:
+    kibana_host: kibana.example.com
@@ -0,0 +1,97 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    name: kibana-manager
+  name: kibana-manager
+  namespace: syn-resource-locker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    name: syn-resource-locker-kibana-manager
+  name: syn-resource-locker-kibana-manager
+rules:
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+    verbs:
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    name: syn-resource-locker-kibana-manager
+  name: syn-resource-locker-kibana-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: syn-resource-locker-kibana-manager
+subjects:
+  - kind: ServiceAccount
+    name: kibana-manager
+    namespace: syn-resource-locker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    name: syn-resource-locker-kibana-manager
+  name: syn-resource-locker-kibana-manager
+  namespace: openshift-logging
+rules:
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+    verbs:
+      - get
+      - patch
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes/custom-host
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    name: syn-resource-locker-kibana-manager
+  name: syn-resource-locker-kibana-manager
+  namespace: openshift-logging
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: syn-resource-locker-kibana-manager
+subjects:
+  - kind: ServiceAccount
+    name: kibana-manager
+    namespace: syn-resource-locker
+---
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: ResourceLocker
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  labels:
+    name: openshift-logging-kibana
+  name: openshift-logging-kibana
+  namespace: syn-resource-locker
+spec:
+  patches:
+    - id: patch1
+      patchTemplate: "\"spec\":\n  \"host\": \"kibana.example.com\""
+      patchType: application/strategic-merge-patch+json
+      targetObjectRef:
+        apiVersion: route.openshift.io/v1
+        kind: Route
+        name: kibana
+        namespace: openshift-logging
+  serviceAccountRef:
+    name: kibana-manager
@@ -0,0 +1,92 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    name: elasticsearch-operator-manager
+  name: elasticsearch-operator-manager
+  namespace: syn-resource-locker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    name: syn-resource-locker-elasticsearch-operator-manager
+  name: syn-resource-locker-elasticsearch-operator-manager
+rules:
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    name: syn-resource-locker-elasticsearch-operator-manager
+  name: syn-resource-locker-elasticsearch-operator-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: syn-resource-locker-elasticsearch-operator-manager
+subjects:
+  - kind: ServiceAccount
+    name: elasticsearch-operator-manager
+    namespace: syn-resource-locker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    name: syn-resource-locker-elasticsearch-operator-manager
+  name: syn-resource-locker-elasticsearch-operator-manager
+  namespace: openshift-operators-redhat
+rules:
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - get
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    name: syn-resource-locker-elasticsearch-operator-manager
+  name: syn-resource-locker-elasticsearch-operator-manager
+  namespace: openshift-operators-redhat
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: syn-resource-locker-elasticsearch-operator-manager
+subjects:
+  - kind: ServiceAccount
+    name: elasticsearch-operator-manager
+    namespace: syn-resource-locker
+---
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: ResourceLocker
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  labels:
+    name: openshift-operators-redhat-elasticsearch-operator
+  name: openshift-operators-redhat-elasticsearch-operator
+  namespace: syn-resource-locker
+spec:
+  patches:
+    - id: patch1
+      patchTemplate: "\"spec\":\n  \"template\":\n    \"spec\":\n      \"nodeSelector\"\
+        :\n        \"node-role.kubernetes.io/infra\": \"\""
+      patchType: application/strategic-merge-patch+json
+      targetObjectRef:
+        apiVersion: apps/v1
+        kind: Deployment
+        name: elasticsearch-operator
+        namespace: openshift-operators-redhat
+  serviceAccountRef:
+    name: elasticsearch-operator-manager