From fcac7e435ad2dfd537d2eae57b830b3f4b067a6f Mon Sep 17 00:00:00 2001 From: Tayler Geiger Date: Thu, 23 May 2024 14:36:54 -0500 Subject: [PATCH] Implement TLS overlay for Catalogd TLS 
Signed-off-by: Tayler Geiger --- .gitignore | 1 + Makefile | 4 +- Tiltfile | 2 +- cmd/manager/main.go | 26 ++- ...peratorframework.io_clusterextensions.yaml | 181 ++++++++++++++++++ .../olm.operatorframework.io_extensions.yaml | 0 config/{ => base}/crd/kustomization.yaml | 0 config/{ => base}/crd/kustomizeconfig.yaml | 0 config/{ => base}/default/kustomization.yaml | 0 config/{ => base}/e2e/kustomization.yaml | 0 .../e2e/manager_e2e_coverage_copy_pod.yaml | 0 .../e2e/manager_e2e_coverage_patch.yaml | 0 .../e2e/manager_e2e_coverage_pvc.yaml | 0 config/{ => base}/manager/kustomization.yaml | 0 config/{ => base}/manager/manager.yaml | 2 +- .../{ => base}/prometheus/kustomization.yaml | 0 config/{ => base}/prometheus/monitor.yaml | 0 .../rbac/auth_proxy_client_clusterrole.yaml | 0 config/{ => base}/rbac/auth_proxy_role.yaml | 0 .../rbac/auth_proxy_role_binding.yaml | 0 .../{ => base}/rbac/auth_proxy_service.yaml | 0 .../rbac/clusterextension_editor_role.yaml | 0 .../rbac/clusterextension_viewer_role.yaml | 0 .../rbac/extension_editor_role.yaml | 0 .../rbac/extension_viewer_role.yaml | 0 config/{ => base}/rbac/kustomization.yaml | 0 .../{ => base}/rbac/leader_election_role.yaml | 0 .../rbac/leader_election_role_binding.yaml | 0 config/base/rbac/role.yaml | 52 +++++ config/{ => base}/rbac/role_binding.yaml | 0 config/{ => base}/rbac/service_account.yaml | 0 config/overlays/tls/kustomization.yaml | 27 +++ .../tls/patches/manager_deployment_cert.yaml | 9 + .../tls/patches/manager_namespace_label.yaml | 3 + config/rbac/role.yaml | 2 +- config/samples/catalogd_operatorcatalog.yaml | 2 +- .../clusterextension_controller.go | 2 +- scripts/install.tpl.sh | 4 +- 38 files changed, 307 insertions(+), 10 deletions(-) create mode 100644 config/base/crd/bases/olm.operatorframework.io_clusterextensions.yaml rename config/{ => base}/crd/bases/olm.operatorframework.io_extensions.yaml (100%) rename config/{ => base}/crd/kustomization.yaml (100%) rename config/{ => 
base}/crd/kustomizeconfig.yaml (100%) rename config/{ => base}/default/kustomization.yaml (100%) rename config/{ => base}/e2e/kustomization.yaml (100%) rename config/{ => base}/e2e/manager_e2e_coverage_copy_pod.yaml (100%) rename config/{ => base}/e2e/manager_e2e_coverage_patch.yaml (100%) rename config/{ => base}/e2e/manager_e2e_coverage_pvc.yaml (100%) rename config/{ => base}/manager/kustomization.yaml (100%) rename config/{ => base}/manager/manager.yaml (99%) rename config/{ => base}/prometheus/kustomization.yaml (100%) rename config/{ => base}/prometheus/monitor.yaml (100%) rename config/{ => base}/rbac/auth_proxy_client_clusterrole.yaml (100%) rename config/{ => base}/rbac/auth_proxy_role.yaml (100%) rename config/{ => base}/rbac/auth_proxy_role_binding.yaml (100%) rename config/{ => base}/rbac/auth_proxy_service.yaml (100%) rename config/{ => base}/rbac/clusterextension_editor_role.yaml (100%) rename config/{ => base}/rbac/clusterextension_viewer_role.yaml (100%) rename config/{ => base}/rbac/extension_editor_role.yaml (100%) rename config/{ => base}/rbac/extension_viewer_role.yaml (100%) rename config/{ => base}/rbac/kustomization.yaml (100%) rename config/{ => base}/rbac/leader_election_role.yaml (100%) rename config/{ => base}/rbac/leader_election_role_binding.yaml (100%) create mode 100644 config/base/rbac/role.yaml rename config/{ => base}/rbac/role_binding.yaml (100%) rename config/{ => base}/rbac/service_account.yaml (100%) create mode 100644 config/overlays/tls/kustomization.yaml create mode 100644 config/overlays/tls/patches/manager_deployment_cert.yaml create mode 100644 config/overlays/tls/patches/manager_namespace_label.yaml diff --git a/.gitignore b/.gitignore index 273b66b81..d7ffdb1b3 100644 --- a/.gitignore +++ b/.gitignore @@ -39,3 +39,4 @@ install.sh site .tiltbuild/ +.vscode \ No newline at end of file diff --git a/Makefile b/Makefile index 2571eadab..c6751df9f 100644 --- a/Makefile +++ b/Makefile 
@@ -55,7 +55,7 @@ else $(warning Could not find docker or podman in path! This may result in targets requiring a container runtime failing!) endif -KUSTOMIZE_BUILD_DIR := config/default +KUSTOMIZE_BUILD_DIR := config/overlays/tls # Disable -j flag for make .NOTPARALLEL: @@ -149,7 +149,7 @@ build-push-e2e-catalog: ## Build the testdata catalog used for e2e tests and pus # for example: ARTIFACT_PATH=/tmp/artifacts make test-e2e .PHONY: test-e2e test-e2e: KIND_CLUSTER_NAME := operator-controller-e2e -test-e2e: KUSTOMIZE_BUILD_DIR := config/e2e +test-e2e: KUSTOMIZE_BUILD_DIR := config/base/e2e test-e2e: GO_BUILD_FLAGS := -cover test-e2e: run image-registry build-push-e2e-catalog kind-load-test-artifacts e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster diff --git a/Tiltfile b/Tiltfile index 948d0991d..fc567ea6f 100644 --- a/Tiltfile +++ b/Tiltfile @@ -9,7 +9,7 @@ repos = cfg.get('repos', ['operator-controller', 'rukpak', 'catalogd']) repo = { 'image': 'quay.io/operator-framework/operator-controller', - 'yaml': 'config/default', + 'yaml': 'config/overlays/tls', 'binaries': { 'manager': 'operator-controller-controller-manager', }, diff --git a/cmd/manager/main.go b/cmd/manager/main.go index 855d80c3e..dc5230d1b 100644 --- a/cmd/manager/main.go +++ b/cmd/manager/main.go @@ -17,8 +17,11 @@ limitations under the License. package main import ( + "crypto/tls" + "crypto/x509" "flag" "fmt" + "log" "net/http" "os" "time" 
@@ -50,9 +53,11 @@ func main() { probeAddr string cachePath string operatorControllerVersion bool + tlsCert string ) flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") + flag.StringVar(&tlsCert, "tls-cert", "", "The TLS certificate to use for verifying HTTPS connections to the Catalogd web server.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") @@ -98,8 +103,27 @@ func main() { os.Exit(1) } + httpClient := &http.Client{Timeout: 10 * time.Second} + + if tlsCert != "" { + cert, err := os.ReadFile(tlsCert) + if err != nil { + log.Fatalf("Failed to read certificate file: %v", err) + } + caCertPool := x509.NewCertPool() + caCertPool.AppendCertsFromPEM(cert) + tlsConfig := &tls.Config{ + RootCAs: caCertPool, + MinVersion: tls.VersionTLS12, + } + tlsTransport := &http.Transport{ + TLSClientConfig: tlsConfig, + } + httpClient.Transport = tlsTransport + } + cl := mgr.GetClient() - catalogClient := catalogclient.New(cl, cache.NewFilesystemCache(cachePath, &http.Client{Timeout: 10 * time.Second})) + catalogClient := catalogclient.New(cl, cache.NewFilesystemCache(cachePath, httpClient)) if err = (&controllers.ClusterExtensionReconciler{ Client: cl, diff --git a/config/base/crd/bases/olm.operatorframework.io_clusterextensions.yaml b/config/base/crd/bases/olm.operatorframework.io_clusterextensions.yaml new file mode 100644 index 000000000..2b0ebb960 --- /dev/null +++ b/config/base/crd/bases/olm.operatorframework.io_clusterextensions.yaml 
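Review bot: The help text on the added `flag.StringVar(&tlsCert, "tls-cert", ...)` line does not say that the value is a file path, or that the file becomes the trust anchor (the later hunk loads it into `RootCAs`). As named, `--tls-cert` reads like a serving or client certificate. Consider `"Path to a PEM file with the CA certificate(s) used to verify HTTPS connections to the Catalogd web server. When empty, the system trust store is used."`. The `var` block and `main` continue outside the hunk.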
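Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM(cert)` is discarded, so a file with no parsable PEM certificate yields an empty pool. Every catalog fetch then fails with a verification error at reconcile time instead of at startup. Assigning a bare `&http.Transport{...}` also drops what `http.DefaultTransport` provides (proxy from the environment, dial and TLS-handshake timeouts, HTTP/2), which cloning the default transport would keep. The file is read once, so a rotated certificate is presumably not trusted until the process restarts; if rotation is expected, that deserves a comment or a reload path. `main` starts and ends outside the hunk.

```go
// … unchanged: httpClient construction …
if tlsCert != "" {
	// … unchanged: os.ReadFile(tlsCert) and its error check …
	caCertPool := x509.NewCertPool()
	// Fail at startup when the file holds no usable certificate.
	if !caCertPool.AppendCertsFromPEM(cert) {
		log.Fatalf("No PEM certificates found in %q", tlsCert)
	}
	// Keep DefaultTransport's proxy, dial and handshake settings.
	tlsTransport := http.DefaultTransport.(*http.Transport).Clone()
	tlsTransport.TLSClientConfig = &tls.Config{
		RootCAs:    caCertPool,
		MinVersion: tls.VersionTLS12,
	}
	httpClient.Transport = tlsTransport
}
```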
@@ -0,0 +1,181 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clusterextensions.olm.operatorframework.io +spec: + group: olm.operatorframework.io + names: + kind: ClusterExtension + listKind: ClusterExtensionList + plural: clusterextensions + singular: clusterextension + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterExtension is the Schema for the clusterextensions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterExtensionSpec defines the desired state of ClusterExtension + properties: + channel: + description: Channel constraint definition + maxLength: 48 + pattern: ^[a-z0-9]+([\.-][a-z0-9]+)*$ + type: string + installNamespace: + description: |- + installNamespace is the namespace where the bundle should be installed. However, note that + the bundle may contain resources that are cluster-scoped or that are + installed in a different namespace. This namespace is expected to exist. 
+ maxLength: 63 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + packageName: + maxLength: 48 + pattern: ^[a-z0-9]+(-[a-z0-9]+)*$ + type: string + upgradeConstraintPolicy: + default: Enforce + description: Defines the policy for how to handle upgrade constraints + enum: + - Enforce + - Ignore + type: string + version: + description: |- + Version is an optional semver constraint on the package version. If not specified, the latest version available of the package will be installed. + If specified, the specific version of the package will be installed so long as it is available in any of the content sources available. + Examples: 1.2.3, 1.0.0-alpha, 1.0.0-rc.1 + + + For more information on semver, please see https://semver.org/ + maxLength: 64 + pattern: ^(\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\^)\s*(v?(0|[1-9]\d*|[x|X|\*])(\.(0|[1-9]\d*|x|X|\*]))?(\.(0|[1-9]\d*|x|X|\*))?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?)\s*)((?:\s+|,\s*|\s*\|\|\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\^)\s*(v?(0|[1-9]\d*|x|X|\*])(\.(0|[1-9]\d*|x|X|\*))?(\.(0|[1-9]\d*|x|X|\*]))?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?)\s*)*$ + type: string + required: + - installNamespace + - packageName + type: object + status: + description: ClusterExtensionStatus defines the observed state of ClusterExtension + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + installedBundle: + properties: + name: + type: string + version: + type: string + required: + - name + - version + type: object + resolvedBundle: + properties: + name: + type: string + version: + type: string + required: + - name + - version + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/crd/bases/olm.operatorframework.io_extensions.yaml b/config/base/crd/bases/olm.operatorframework.io_extensions.yaml similarity index 100% rename from config/crd/bases/olm.operatorframework.io_extensions.yaml rename to config/base/crd/bases/olm.operatorframework.io_extensions.yaml diff --git a/config/crd/kustomization.yaml b/config/base/crd/kustomization.yaml similarity index 100% rename from config/crd/kustomization.yaml rename to config/base/crd/kustomization.yaml diff --git a/config/crd/kustomizeconfig.yaml b/config/base/crd/kustomizeconfig.yaml similarity index 100% rename from config/crd/kustomizeconfig.yaml rename to config/base/crd/kustomizeconfig.yaml diff --git a/config/default/kustomization.yaml b/config/base/default/kustomization.yaml similarity index 100% rename from config/default/kustomization.yaml rename to config/base/default/kustomization.yaml 
diff --git a/config/e2e/kustomization.yaml b/config/base/e2e/kustomization.yaml similarity index 100% rename from config/e2e/kustomization.yaml rename to config/base/e2e/kustomization.yaml diff --git a/config/e2e/manager_e2e_coverage_copy_pod.yaml b/config/base/e2e/manager_e2e_coverage_copy_pod.yaml similarity index 100% rename from config/e2e/manager_e2e_coverage_copy_pod.yaml rename to config/base/e2e/manager_e2e_coverage_copy_pod.yaml diff --git a/config/e2e/manager_e2e_coverage_patch.yaml b/config/base/e2e/manager_e2e_coverage_patch.yaml similarity index 100% rename from config/e2e/manager_e2e_coverage_patch.yaml rename to config/base/e2e/manager_e2e_coverage_patch.yaml diff --git a/config/e2e/manager_e2e_coverage_pvc.yaml b/config/base/e2e/manager_e2e_coverage_pvc.yaml similarity index 100% rename from config/e2e/manager_e2e_coverage_pvc.yaml rename to config/base/e2e/manager_e2e_coverage_pvc.yaml diff --git a/config/manager/kustomization.yaml b/config/base/manager/kustomization.yaml similarity index 100% rename from config/manager/kustomization.yaml rename to config/base/manager/kustomization.yaml diff --git a/config/manager/manager.yaml b/config/base/manager/manager.yaml similarity index 99% rename from config/manager/manager.yaml rename to config/base/manager/manager.yaml index 5c3b89f91..f9f919ee1 100644 --- a/config/manager/manager.yaml +++ b/config/base/manager/manager.yaml @@ -110,4 +110,4 @@ spec: terminationGracePeriodSeconds: 10 volumes: - name: cache - emptyDir: {} + emptyDir: {} \ No newline at end of file diff --git a/config/prometheus/kustomization.yaml b/config/base/prometheus/kustomization.yaml similarity index 100% rename from config/prometheus/kustomization.yaml rename to config/base/prometheus/kustomization.yaml diff --git a/config/prometheus/monitor.yaml b/config/base/prometheus/monitor.yaml similarity index 100% rename from config/prometheus/monitor.yaml rename to config/base/prometheus/monitor.yaml 
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/base/rbac/auth_proxy_client_clusterrole.yaml
similarity index 100%
rename from config/rbac/auth_proxy_client_clusterrole.yaml
rename to config/base/rbac/auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/auth_proxy_role.yaml b/config/base/rbac/auth_proxy_role.yaml
similarity index 100%
rename from config/rbac/auth_proxy_role.yaml
rename to config/base/rbac/auth_proxy_role.yaml
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/base/rbac/auth_proxy_role_binding.yaml
similarity index 100%
rename from config/rbac/auth_proxy_role_binding.yaml
rename to config/base/rbac/auth_proxy_role_binding.yaml
diff --git a/config/rbac/auth_proxy_service.yaml b/config/base/rbac/auth_proxy_service.yaml
similarity index 100%
rename from config/rbac/auth_proxy_service.yaml
rename to config/base/rbac/auth_proxy_service.yaml
diff --git a/config/rbac/clusterextension_editor_role.yaml b/config/base/rbac/clusterextension_editor_role.yaml
similarity index 100%
rename from config/rbac/clusterextension_editor_role.yaml
rename to config/base/rbac/clusterextension_editor_role.yaml
diff --git a/config/rbac/clusterextension_viewer_role.yaml b/config/base/rbac/clusterextension_viewer_role.yaml
similarity index 100%
rename from config/rbac/clusterextension_viewer_role.yaml
rename to config/base/rbac/clusterextension_viewer_role.yaml
diff --git a/config/rbac/extension_editor_role.yaml b/config/base/rbac/extension_editor_role.yaml
similarity index 100%
rename from config/rbac/extension_editor_role.yaml
rename to config/base/rbac/extension_editor_role.yaml
diff --git a/config/rbac/extension_viewer_role.yaml b/config/base/rbac/extension_viewer_role.yaml
similarity index 100%
rename from config/rbac/extension_viewer_role.yaml
rename to config/base/rbac/extension_viewer_role.yaml
diff --git a/config/rbac/kustomization.yaml b/config/base/rbac/kustomization.yaml
similarity index 100%
rename from config/rbac/kustomization.yaml
rename to config/base/rbac/kustomization.yaml
diff --git a/config/rbac/leader_election_role.yaml b/config/base/rbac/leader_election_role.yaml
similarity index 100%
rename from config/rbac/leader_election_role.yaml
rename to config/base/rbac/leader_election_role.yaml
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/base/rbac/leader_election_role_binding.yaml
similarity index 100%
rename from config/rbac/leader_election_role_binding.yaml
rename to config/base/rbac/leader_election_role_binding.yaml
diff --git a/config/base/rbac/role.yaml b/config/base/rbac/role.yaml
new file mode 100644
index 000000000..73dcbfa0b
--- /dev/null
+++ b/config/base/rbac/role.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+- apiGroups:
+ - catalogd.operatorframework.io
+ resources:
+ - catalogmetadata
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - catalogd.operatorframework.io
+ resources:
+ - clustercatalogs
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - core.rukpak.io
+ resources:
+ - bundledeployments
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions/status
+ verbs:
+ - patch
+ - update
diff --git a/config/rbac/role_binding.yaml b/config/base/rbac/role_binding.yaml
similarity index 100%
rename from config/rbac/role_binding.yaml
rename to config/base/rbac/role_binding.yaml
diff --git a/config/rbac/service_account.yaml b/config/base/rbac/service_account.yaml
similarity index 100%
rename from config/rbac/service_account.yaml
rename to config/base/rbac/service_account.yaml
diff --git a/config/overlays/tls/kustomization.yaml b/config/overlays/tls/kustomization.yaml
new file mode 100644
index 000000000..d66be5635
--- /dev/null
+++ b/config/overlays/tls/kustomization.yaml
@@ -0,0 +1,27 @@
+# Adds namespace to all resources.
+namespace: operator-controller-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: operator-controller-
+
+# the following config is for teaching kustomize how to do var substitution
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base/crd
+- ../../base/rbac
+- ../../base/manager
+
+patches:
+- target:
+ kind: Deployment
+ name: controller-manager
+ path: patches/manager_deployment_cert.yaml
+- target:
+ kind: Namespace
+ name: system
+ path: patches/manager_namespace_label.yaml
\ No newline at end of file
diff --git a/config/overlays/tls/patches/manager_deployment_cert.yaml b/config/overlays/tls/patches/manager_deployment_cert.yaml
new file mode 100644
index 000000000..dd35b5f1b
--- /dev/null
+++ b/config/overlays/tls/patches/manager_deployment_cert.yaml
@@ -0,0 +1,9 @@
+- op: add
+ path: /spec/template/spec/volumes/-
+ value: {"name":"ca-certificate", "secret":{"secretName":"catalogd-catalogserver-cert", "optional": false, "items": [{"key": "tls.crt", "path": "tls.crt"}]}}
+- op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-
+ value: {"name":"ca-certificate", "readOnly": true, "mountPath":"/var/certs"}
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--tls-cert=/var/certs/tls.crt"
\ No newline at end of file
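Review bot: The `ca-certificate` volume projects the `tls.crt` key of `catalogd-catalogserver-cert`, which by its name is the serving certificate's secret, and the manager then uses that file as its only root of trust. If the secret is issued by cert-manager (not visible in this patch), a renewed `tls.crt` would stop matching the copy read at startup, whereas `ca.crt` would survive leaf renewal. Consider `"items": [{"key": "ca.crt", "path": "ca.crt"}]` with `--tls-cert=/var/certs/ca.crt`, provided the issuer populates that key. Restricting `items` to one key is worth keeping, because it leaves `tls.key` out of the manager pod.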
diff --git a/config/overlays/tls/patches/manager_namespace_label.yaml b/config/overlays/tls/patches/manager_namespace_label.yaml new file mode 100644 index 000000000..c92a3742f --- /dev/null +++ b/config/overlays/tls/patches/manager_namespace_label.yaml @@ -0,0 +1,3 @@ +- op: add + path: /metadata/labels/trust + value: "enabled" \ No newline at end of file diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 4652565c6..73dcbfa0b 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -14,7 +14,7 @@ rules: - apiGroups: - catalogd.operatorframework.io resources: - - catalogs + - clustercatalogs verbs: - list - watch diff --git a/config/samples/catalogd_operatorcatalog.yaml b/config/samples/catalogd_operatorcatalog.yaml index 0a4de4d24..bd148bc85 100644 --- a/config/samples/catalogd_operatorcatalog.yaml +++ b/config/samples/catalogd_operatorcatalog.yaml @@ -1,5 +1,5 @@ apiVersion: catalogd.operatorframework.io/v1alpha1 -kind: Catalog +kind: ClusterCatalog metadata: name: operatorhubio spec: diff --git a/internal/controllers/clusterextension_controller.go b/internal/controllers/clusterextension_controller.go index 9fc30b286..7070cf509 100644 --- a/internal/controllers/clusterextension_controller.go +++ b/internal/controllers/clusterextension_controller.go @@ -65,7 +65,7 @@ type ClusterExtensionReconciler struct { //+kubebuilder:rbac:groups=core.rukpak.io,resources=bundledeployments,verbs=get;list;watch;create;update;patch -//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogs,verbs=list;watch +//+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=clustercatalogs,verbs=list;watch //+kubebuilder:rbac:groups=catalogd.operatorframework.io,resources=catalogmetadata,verbs=list;watch func (r *ClusterExtensionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { diff --git a/scripts/install.tpl.sh b/scripts/install.tpl.sh index e6d4be2a6..5b233221f 100644 --- a/scripts/install.tpl.sh 
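Review bot: After this change `config/rbac/role.yaml` and the newly created `config/base/rbac/role.yaml` are the same blob (`73dcbfa0b`), so the `manager-role` ClusterRole now exists in two places. The TLS overlay references only `../../base/rbac`. Duplicate RBAC manifests tend to drift, and a later audit can end up reading the copy that is not deployed. If the generator's output path has moved under `config/base`, remove the old file in this commit; otherwise add a comment stating which copy is authoritative.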
+++ b/scripts/install.tpl.sh @@ -44,8 +44,8 @@ kubectl_wait "rukpak-system" "deployment/core" "60s" kubectl_wait "rukpak-system" "deployment/helm-provisioner" "60s" kubectl_wait "rukpak-system" "deployment/rukpak-webhooks" "60s" -kubectl apply -f "https://github.com/operator-framework/catalogd/releases/download/${catalogd_version}/catalogd.yaml" -kubectl_wait "catalogd-system" "deployment/catalogd-controller-manager" "60s" +curl -L https://github.com/operator-framework/catalogd/releases/download/${catalogd_version}/catalogd.yaml | sed s/catalogd-system/operator-controller-system/g | kubectl apply -f - +kubectl_wait "operator-controller-system" "deployment/catalogd-controller-manager" "60s" kubectl apply -f "${operator_controller_manifest}" kubectl_wait "operator-controller-system" "deployment/operator-controller-controller-manager" "60s"
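Review bot: The added `curl -L … | sed … | kubectl apply -f -` line pipes whatever curl prints into `kubectl`. Without `-f` an HTTP error body is passed on, and unless the script sets `pipefail` (its header is outside this hunk) a failed download does not stop the install. The URL is unquoted, and the unanchored `sed` expression rewrites every occurrence of `catalogd-system` in the manifest, not only namespace fields. Suggest `curl -fsSL "https://github.com/operator-framework/catalogd/releases/download/${catalogd_version}/catalogd.yaml" | sed 's/catalogd-system/operator-controller-system/g' | kubectl apply -f -` and confirming `set -o pipefail` at the top of the script. Moving catalogd into `operator-controller-system` also removes the namespace boundary between the two components, which is worth stating in the commit description if it is intentional.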