diff --git a/chart/open-feature-operator/.gitignore b/chart/open-feature-operator/.gitignore
index ca9b9da0e..05f3770e9 100755
--- a/chart/open-feature-operator/.gitignore
+++ b/chart/open-feature-operator/.gitignore
@@ -4,5 +4,3 @@ templates/crds/*.yaml
 # the following files are not generated, they are special cases
 !templates/namespace.yaml
 !templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_open-feature-operator-validating-webhook-configuration.yaml
-!templates/rbac.authorization.k8s.io_v1_clusterrole_open-feature-operator-manager-role.yaml
-!templates/rbac.authorization.k8s.io_v1_clusterrolebinding_open-feature-operator-manager-rolebinding.yaml
diff --git a/chart/open-feature-operator/README.md b/chart/open-feature-operator/README.md
index 62cf7bba5..cd8894d09 100644
--- a/chart/open-feature-operator/README.md
+++ b/chart/open-feature-operator/README.md
@@ -157,23 +157,22 @@ The command removes all the Kubernetes components associated with the chart and ### Operator resource configuration -| Name | Description | Value | -| ------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- | -| `controllerManager.kubeRbacProxy.image.repository` | Sets the image for the kube-rbac-proxy. | `gcr.io/kubebuilder/kube-rbac-proxy` | -| `controllerManager.kubeRbacProxy.image.tag` | Sets the version tag for the kube-rbac-proxy. | `v0.14.1` | -| `controllerManager.kubeRbacProxy.resources.limits.cpu` | Sets cpu resource limits for kube-rbac-proxy. | `500m` | -| `controllerManager.kubeRbacProxy.resources.limits.memory` | Sets memory resource limits for kube-rbac-proxy. | `128Mi` | -| `controllerManager.kubeRbacProxy.resources.requests.cpu` | Sets cpu resource requests for kube-rbac-proxy. | `5m` | -| `controllerManager.kubeRbacProxy.resources.requests.memory` | Sets memory resource requests for kube-rbac-proxy. | `64Mi` | -| `controllerManager.manager.image.repository` | Sets the image for the operator. | `ghcr.io/open-feature/open-feature-operator` | -| `controllerManager.manager.image.tag` | Sets the version tag for the operator. | `v0.5.6` | -| `controllerManager.manager.resources.limits.cpu` | Sets cpu resource limits for operator. | `500m` | -| `controllerManager.manager.resources.limits.memory` | Sets memory resource limits for operator. | `128Mi` | -| `controllerManager.manager.resources.requests.cpu` | Sets cpu resource requests for operator. | `10m` | -| `controllerManager.manager.resources.requests.memory` | Sets memory resource requests for operator. | `64Mi` | -| `controllerManager.replicas` | Sets number of replicas of the OpenFeature operator pod. 
| `1` | -| `managerConfig.flagsValidatonEnabled` | Enables the validating webhook for FeatureFlag CR. | `true` | -| `managerConfig.flagdResourceEnabled` | Enables the controller for the Flagd CR and adds the required permissions to automatically manage the exposure of flagd via Service and Ingress resources. | `true` | -| `managerConfig.controllerManagerConfigYaml.health.healthProbeBindAddress` | Sets the bind address for health probes. | `:8081` | -| `managerConfig.controllerManagerConfigYaml.metrics.bindAddress` | Sets the bind address for metrics. | `127.0.0.1:8080` | -| `managerConfig.controllerManagerConfigYaml.webhook.port` | Sets the bind address for webhook. | `9443` | +| Name | Description | Value | +| ------------------------------------------------------------------------- | -------------------------------------------------------- | -------------------------------------------- | +| `controllerManager.kubeRbacProxy.image.repository` | Sets the image for the kube-rbac-proxy. | `gcr.io/kubebuilder/kube-rbac-proxy` | +| `controllerManager.kubeRbacProxy.image.tag` | Sets the version tag for the kube-rbac-proxy. | `v0.14.1` | +| `controllerManager.kubeRbacProxy.resources.limits.cpu` | Sets cpu resource limits for kube-rbac-proxy. | `500m` | +| `controllerManager.kubeRbacProxy.resources.limits.memory` | Sets memory resource limits for kube-rbac-proxy. | `128Mi` | +| `controllerManager.kubeRbacProxy.resources.requests.cpu` | Sets cpu resource requests for kube-rbac-proxy. | `5m` | +| `controllerManager.kubeRbacProxy.resources.requests.memory` | Sets memory resource requests for kube-rbac-proxy. | `64Mi` | +| `controllerManager.manager.image.repository` | Sets the image for the operator. | `ghcr.io/open-feature/open-feature-operator` | +| `controllerManager.manager.image.tag` | Sets the version tag for the operator. | `v0.5.7` | +| `controllerManager.manager.resources.limits.cpu` | Sets cpu resource limits for operator. 
| `500m` | +| `controllerManager.manager.resources.limits.memory` | Sets memory resource limits for operator. | `128Mi` | +| `controllerManager.manager.resources.requests.cpu` | Sets cpu resource requests for operator. | `10m` | +| `controllerManager.manager.resources.requests.memory` | Sets memory resource requests for operator. | `64Mi` | +| `controllerManager.replicas` | Sets number of replicas of the OpenFeature operator pod. | `1` | +| `managerConfig.flagsValidatonEnabled` | Enables the validating webhook for FeatureFlag CR. | `true` | +| `managerConfig.controllerManagerConfigYaml.health.healthProbeBindAddress` | Sets the bind address for health probes. | `:8081` | +| `managerConfig.controllerManagerConfigYaml.metrics.bindAddress` | Sets the bind address for metrics. | `127.0.0.1:8080` | +| `managerConfig.controllerManagerConfigYaml.webhook.port` | Sets the bind address for webhook. | `9443` | diff --git a/chart/open-feature-operator/templates/rbac.authorization.k8s.io_v1_clusterrole_open-feature-operator-manager-role.yaml b/chart/open-feature-operator/templates/rbac.authorization.k8s.io_v1_clusterrole_open-feature-operator-manager-role.yaml deleted file mode 100644 index b56e223f2..000000000 --- a/chart/open-feature-operator/templates/rbac.authorization.k8s.io_v1_clusterrole_open-feature-operator-manager-role.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: open-feature-operator-manager-role -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - services - verbs: - - create - - get - - list - - apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - core.openfeature.dev - resources: - - featureflagsources - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - core.openfeature.dev - resources: - - featureflagsources/finalizers - verbs: - - get - - update - - apiGroups: - - core.openfeature.dev - resources: - - featureflagsources/status - verbs: - - get - - patch - - update - - apiGroups: - - core.openfeature.dev - resources: - - flagds - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - core.openfeature.dev - resources: - - flagds/finalizers - verbs: - - update -{{ if eq .Values.managerConfig.flagdResourceEnabled "true" }} - - apiGroups: - - "" - resources: - - services - - services/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -{{ end }} - - apiGroups: - - rbac.authorization.k8s.io - resourceNames: - - open-feature-operator-flagd-kubernetes-sync - resources: - - clusterrolebindings - verbs: - - get - - update 
diff --git a/chart/open-feature-operator/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_open-feature-operator-manager-rolebinding.yaml b/chart/open-feature-operator/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_open-feature-operator-manager-rolebinding.yaml
deleted file mode 100644
index 57d70fb6a..000000000
--- a/chart/open-feature-operator/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_open-feature-operator-manager-rolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: open-feature-operator-manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: open-feature-operator-manager-role
-subjects:
-- kind: ServiceAccount
- name: open-feature-operator-controller-manager
- namespace: '{{ include "chart.namespace" . }}'
diff --git a/chart/open-feature-operator/values.yaml b/chart/open-feature-operator/values.yaml
index 0c46f56b4..176157d12 100644
--- a/chart/open-feature-operator/values.yaml
+++ b/chart/open-feature-operator/values.yaml
@@ -141,8 +141,6 @@ controllerManager:
 managerConfig:
 ## @param managerConfig.flagsValidatonEnabled Enables the validating webhook for FeatureFlag CR.
 flagsValidatonEnabled: "true"
- ## @param managerConfig.flagdResourceEnabled Enables the controller for the Flagd CR and adds the required permissions to automatically manage the exposure of flagd via Service and Ingress resources.
- flagdResourceEnabled: "true"
 controllerManagerConfigYaml:
 health:
 ## @param managerConfig.controllerManagerConfigYaml.health.healthProbeBindAddress Sets the bind address for health probes.
diff --git a/common/types/envconfig.go b/common/types/envconfig.go
index c8a34fefd..ff7fb75c6 100644
--- a/common/types/envconfig.go
+++ b/common/types/envconfig.go
@@ -31,7 +31,6 @@ type EnvConfig struct { SidecarSyncProvider string `envconfig:"SIDECAR_SYNC_PROVIDER" default:"kubernetes"` SidecarLogFormat string `envconfig:"SIDECAR_LOG_FORMAT" default:"json"` SidecarProbesEnabled bool `envconfig:"SIDECAR_PROBES_ENABLED" default:"true"` - FlagdResourceEnabled bool `envconfig:"FLAGD_RESOURCE_ENABLED" default:"true"` // in-process configuration InProcessPort int `envconfig:"IN_PROCESS_PORT" default:"8015"` InProcessSocketPath string `envconfig:"IN_PROCESS_SOCKET_PATH" default:""` diff --git a/config/overlays/helm/exclude-role.yaml b/config/overlays/helm/exclude-role.yaml deleted file mode 100644 index 03ac94b0a..000000000 --- a/config/overlays/helm/exclude-role.yaml +++ /dev/null @@ -1,5 +0,0 @@ -$patch: delete -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: manager-role diff --git a/config/overlays/helm/exclude-rolebinding.yaml b/config/overlays/helm/exclude-rolebinding.yaml deleted file mode 100644 index 0e605a274..000000000 --- a/config/overlays/helm/exclude-rolebinding.yaml +++ /dev/null @@ -1,5 +0,0 @@ -$patch: delete -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: manager-rolebinding diff --git a/config/overlays/helm/kustomization.yaml b/config/overlays/helm/kustomization.yaml index c551b16f4..5b2441662 100644 --- a/config/overlays/helm/kustomization.yaml +++ b/config/overlays/helm/kustomization.yaml @@ -15,8 +15,6 @@ patchesStrategicMerge: - exclude-ns.yaml - manager.yaml - exclude-validatingwebhook.yaml - - exclude-role.yaml - - exclude-rolebinding.yaml configMapGenerator: - name: manager-config diff --git a/config/overlays/helm/manager.yaml b/config/overlays/helm/manager.yaml index 22875a1a4..4f7e2a48a 100644 --- a/config/overlays/helm/manager.yaml +++ b/config/overlays/helm/manager.yaml 
@@ -66,8 +66,6 @@ spec: value: "{{ .Values.flagdConfiguration.debugLogging }}" - name: FLAGS_VALIDATION_ENABLED value: "{{ .Values.managerConfig.flagsValidatonEnabled }}" - - name: FLAGD_RESOURCE_ENABLED - value: "{{ .Values.managerConfig.flagdResourceEnabled }}" - name: IN_PROCESS_PORT value: "{{ .Values.inProcessConfiguration.port }}" - name: IN_PROCESS_HOST diff --git a/docs/flagd.md b/docs/flagd.md index 14fed9926..c50a71749 100644 --- a/docs/flagd.md +++ b/docs/flagd.md @@ -4,9 +4,6 @@ The CRD `Flagd` at version `v1beta1` is used to create a standalone flagd deploy accompanied by a `Service` and an optional `Ingress` to expose its API endpoint to clients outside the cluster. -The handling of this resource can be enabled/disabled by setting `managerConfig.flagdResourceEnabled` Helm value of the operator -chart to `true` or `false` respectively. - Below is an example of a `Flagd` resource: ```yaml diff --git a/docs/permissions.md b/docs/permissions.md index feb5e15c0..0465fca1b 100644 --- a/docs/permissions.md +++ b/docs/permissions.md @@ -41,9 +41,6 @@ The `ConfigMap` permissions are needed to allow the mounting of `FeatureFlag` re | `core.openfeature.dev` | `InProcessConfiguration` | create, delete, get, list, patch, update, watch | | `rbac.authorization.k8s.io` | `ClusterRoleBinding` | get, list, update, watch | -*(\*) Permissions for `Service` and `networking.k8s.ioIngress` are only granted if the `core.openfeature.dev.Flagd` -CRD has been enabled via the `managerConfig.flagdResourceEnabled` helm value.* - ### Proxy Role The `proxy-role` definition can be found [here](../config/rbac/auth_proxy_role.yaml) diff --git a/main.go b/main.go index 88c7b55be..754efe87d 100644 --- a/main.go +++ b/main.go 
@@ -203,36 +203,34 @@ func main() {
 Tag: env.SidecarTag,
 }
- if env.FlagdResourceEnabled {
- flagdControllerLogger := ctrl.Log.WithName("Flagd Controller")
+ flagdControllerLogger := ctrl.Log.WithName("Flagd Controller")
- flagdResourceReconciler := &flagd.ResourceReconciler{
- Client: mgr.GetClient(),
- Scheme: mgr.GetScheme(),
- Log: flagdControllerLogger,
- }
- flagdConfig := flagd.NewFlagdConfiguration(env)
-
- if err = (&flagd.FlagdReconciler{
- Client: mgr.GetClient(),
- Scheme: mgr.GetScheme(),
- ResourceReconciler: flagdResourceReconciler,
- FlagdDeployment: &flagdresources.FlagdDeployment{
- Client: mgr.GetClient(),
- Log: flagdControllerLogger,
- FlagdInjector: flagdContainerInjector,
- FlagdConfig: flagdConfig,
- },
- FlagdService: &flagdresources.FlagdService{
- FlagdConfig: flagdConfig,
- },
- FlagdIngress: &flagdresources.FlagdIngress{
- FlagdConfig: flagdConfig,
- },
- }).SetupWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create controller", "controller", "Flagd")
- os.Exit(1)
- }
+ flagdResourceReconciler := &flagd.ResourceReconciler{
+ Client: mgr.GetClient(),
+ Scheme: mgr.GetScheme(),
+ Log: flagdControllerLogger,
+ }
+ flagdConfig := flagd.NewFlagdConfiguration(env)
+
+ if err = (&flagd.FlagdReconciler{
+ Client: mgr.GetClient(),
+ Scheme: mgr.GetScheme(),
+ ResourceReconciler: flagdResourceReconciler,
+ FlagdDeployment: &flagdresources.FlagdDeployment{
+ Client: mgr.GetClient(),
+ Log: flagdControllerLogger,
+ FlagdInjector: flagdContainerInjector,
+ FlagdConfig: flagdConfig,
+ },
+ FlagdService: &flagdresources.FlagdService{
+ FlagdConfig: flagdConfig,
+ },
+ FlagdIngress: &flagdresources.FlagdIngress{
+ FlagdConfig: flagdConfig,
+ },
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "Flagd")
+ os.Exit(1)
 }
 if env.FlagsValidationEnabled {
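Review bot: Registering the Flagd controller unconditionally in this block removes the only opt-out from cluster-wide write access to `services`, `services/finalizers` and `ingresses`. The deleted chart ClusterRole granted those rules only inside `{{ if eq .Values.managerConfig.flagdResourceEnabled "true" }}`. The field is also removed from `EnvConfig`, `values.yaml` and the helm `manager.yaml` overlay. An install that set `managerConfig.flagdResourceEnabled: "false"` will therefore presumably have that setting ignored without any error on upgrade, and regain both the controller and, if the generated manager role now carries these rules unconditionally, the wider permissions. I would record this as a breaking change in the release notes and add a comment above the block, for example `// The Flagd controller is always registered, so the manager role must allow managing Service and Ingress resources.` The body of main() starts and ends outside this hunk.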