diff --git a/manifests/0000_26_cloud-controller-manager-operator_05_metrics-service.yaml b/manifests/0000_26_cloud-controller-manager-operator_04_metrics-service.yaml
similarity index 100%
rename from manifests/0000_26_cloud-controller-manager-operator_05_metrics-service.yaml
rename to manifests/0000_26_cloud-controller-manager-operator_04_metrics-service.yaml
diff --git a/manifests/0000_26_cloud-controller-manager-operator_04_rbac_provider_openstack.yaml b/manifests/0000_26_cloud-controller-manager-operator_04_rbac_provider_openstack.yaml
deleted file mode 100644
index fe45e469f..000000000
--- a/manifests/0000_26_cloud-controller-manager-operator_04_rbac_provider_openstack.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- namespace: kube-system
- name: cloud-controller-manager
- annotations:
- capability.openshift.io/name: CloudControllerManager
- include.release.openshift.io/self-managed-high-availability: "true"
- include.release.openshift.io/single-node-developer: "true"
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: openstack-cloud-controller-manager
- annotations:
- capability.openshift.io/name: CloudControllerManager
- include.release.openshift.io/self-managed-high-availability: "true"
- include.release.openshift.io/single-node-developer: "true"
-rules:
-- apiGroups:
- - ""
- # Required by occm to annotate services
- resources:
- services
- verbs:
- patch
-- apiGroups:
- # Required by occm to create events
- ""
- resources:
- events
- verbs:
- create
- patch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: openstack-cloud-controller-manager
- annotations:
- capability.openshift.io/name: CloudControllerManager
- include.release.openshift.io/self-managed-high-availability: "true"
- include.release.openshift.io/single-node-developer: "true"
-roleRef:
- kind: ClusterRole
- name: openstack-cloud-controller-manager
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- namespace: kube-system
- name: cloud-controller-manager
diff --git a/manifests/0000_26_cloud-controller-manager-operator_06_kube-rbac-proxy-config.yaml b/manifests/0000_26_cloud-controller-manager-operator_05_kube-rbac-proxy-config.yaml
similarity index 100%
rename from manifests/0000_26_cloud-controller-manager-operator_06_kube-rbac-proxy-config.yaml
rename to manifests/0000_26_cloud-controller-manager-operator_05_kube-rbac-proxy-config.yaml
diff --git a/pkg/cloud/openstack/assets/deployment.yaml b/pkg/cloud/openstack/assets/deployment.yaml
index 06843649d..91989e653 100644
--- a/pkg/cloud/openstack/assets/deployment.yaml
+++ b/pkg/cloud/openstack/assets/deployment.yaml
@@ -23,7 +23,7 @@ spec:
infrastructure.openshift.io/cloud-controller-manager: {{ .cloudproviderName }}
spec:
hostNetwork: true
- serviceAccount: cloud-controller-manager
+ serviceAccountName: cloud-controller-manager
priorityClassName: system-cluster-critical
nodeSelector:
node-role.kubernetes.io/master: ""
@@ -67,7 +67,7 @@ spec:
--v=1 \
--cloud-config=$(CLOUD_CONFIG) \
--cloud-provider=openstack \
- --use-service-account-credentials=true \
+ --use-service-account-credentials=false \
--configure-cloud-routes=false \
--bind-address=127.0.0.1 \
--leader-elect=true \
diff --git a/pkg/cloud/openstack/assets/openstack-cloud-controller-manager-clusterrole.yaml b/pkg/cloud/openstack/assets/openstack-cloud-controller-manager-clusterrole.yaml
new file mode 100644
index 000000000..474ef6a9d
--- /dev/null
+++ b/pkg/cloud/openstack/assets/openstack-cloud-controller-manager-clusterrole.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: openstack-cloud-controller-manager
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - services/status
+ verbs:
+ patch
diff --git a/pkg/cloud/openstack/assets/openstack-cloud-controller-manager-clusterrolebinding.yaml b/pkg/cloud/openstack/assets/openstack-cloud-controller-manager-clusterrolebinding.yaml
new file mode 100644
index 000000000..8e4958a6e
--- /dev/null
+++ b/pkg/cloud/openstack/assets/openstack-cloud-controller-manager-clusterrolebinding.yaml
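Review bot: The new ClusterRole grants only `patch` on `services` and `services/status`, while the manifest this commit deletes also granted `create` and `patch` on `events` with the comment "Required by occm to create events"; that rule is not carried over. This matters more now than before, because `deployment.yaml` in the same commit flips to `--use-service-account-credentials=false`, so every controller in the manager authenticates as the Deployment's single `cloud-controller-manager` ServiceAccount and this role (plus whatever else is bound to that account) is the whole permission set. Unless another binding on the `openshift-cloud-controller-manager` ServiceAccount already covers `events` — which this diff does not show — event recording will be denied by RBAC, presumably logged rather than fatal but still worth confirming. Either add the events rule to this asset or record in a comment why it is intentionally dropped; the `capability.openshift.io/name` annotation from the deleted manifest is likewise missing here and should be kept or dropped deliberately.

```yaml
rules:
  # … unchanged: services / services/status patch rule …
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
```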
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cloud-controller-manager:openstack-cloud-controller-manager
+roleRef:
+ kind: ClusterRole
+ name: openstack-cloud-controller-manager
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ namespace: openshift-cloud-controller-manager
+ name: cloud-controller-manager
diff --git a/pkg/cloud/openstack/openstack.go b/pkg/cloud/openstack/openstack.go
index 50d084981..4530be472 100644
--- a/pkg/cloud/openstack/openstack.go
+++ b/pkg/cloud/openstack/openstack.go
@@ -9,6 +9,7 @@ import (
configv1 "github.com/openshift/api/config/v1"
ini "gopkg.in/ini.v1"
appsv1 "k8s.io/api/apps/v1"
+ rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/klog/v2"
"sigs.k8s.io/controller-runtime/pkg/client"
@@ -24,6 +25,8 @@ var (
templates = []common.TemplateSource{
{ReferenceObject: &appsv1.Deployment{}, EmbedFsPath: "assets/deployment.yaml"},
+ {ReferenceObject: &rbacv1.ClusterRole{}, EmbedFsPath: "assets/openstack-cloud-controller-manager-clusterrole.yaml"},
+ {ReferenceObject: &rbacv1.ClusterRoleBinding{}, EmbedFsPath: "assets/openstack-cloud-controller-manager-clusterrolebinding.yaml"},
}
)
diff --git a/pkg/cloud/openstack/openstack_test.go b/pkg/cloud/openstack/openstack_test.go
index 78b5b793a..b383e9b2b 100644
--- a/pkg/cloud/openstack/openstack_test.go
+++ b/pkg/cloud/openstack/openstack_test.go
@@ -51,7 +51,7 @@ func TestResourcesRenderingSmoke(t *testing.T) {
}
resources := assets.GetRenderedResources()
- g.Expect(resources).Should(HaveLen(1))
+ g.Expect(resources).Should(HaveLen(3))
})
}
}
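Review bot: The binding hard-codes the subject namespace `openshift-cloud-controller-manager` as a literal, while the sibling `deployment.yaml` asset is rendered as a template (it uses `{{ .cloudproviderName }}`); if the operand namespace is available as a template value, rendering it here would keep the subject tied to the Deployment's `serviceAccountName` rather than relying on two literals staying in sync. The binding also carries none of the `include.release.openshift.io/*` annotations the new ClusterRole asset sets, which looks inconsistent for two resources rendered by the same template list; both should have them or neither. The `roleRef` name does match the new ClusterRole, so the wiring itself reads correctly.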
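Review bot: The updated assertion only pins the rendered-resource count at 3; it does not check that the rendered ClusterRoleBinding binds the ServiceAccount the Deployment actually runs as, which is the property this commit's RBAC move depends on. A check that the binding's single subject carries the Deployment's `serviceAccountName` and namespace, and that its `roleRef` name equals the rendered ClusterRole's name, would catch the drift a hard-coded namespace in the binding asset invites. The enclosing `TestResourcesRenderingSmoke` starts outside the hunk.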