From 6e1fa6a5f632015728a24f7d331d50e181db7445 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Mon, 24 Jun 2024 17:19:47 -0400 Subject: [PATCH 1/2] Reorganize config to support reusable components Update to catalogd v0.17.0 to share a common certificate issuer 
Signed-off-by: Todd Short --- Makefile | 3 +- Tiltfile | 6 +-- config/README.md | 52 +++++++++++++++++++ .../components/ca}/issuers.yaml | 0 config/components/ca/kustomization.yaml | 5 ++ config/components/coverage/kustomization.yaml | 8 +++ .../manager_e2e_coverage_copy_pod.yaml | 0 .../coverage}/manager_e2e_coverage_patch.yaml | 0 .../coverage}/manager_e2e_coverage_pvc.yaml | 0 config/components/tls/kustomization.yaml | 10 ++++ .../tls/patches/manager_deployment_cert.yaml | 9 ++++ .../tls/resources/manager_cert.yaml | 0 .../overlays/cert-manager/kustomization.yaml | 10 ++++ config/overlays/e2e/kustomization.yaml | 18 ++++--- config/overlays/tls/kustomization.yaml | 22 -------- .../tls/patches/manager_cert_patch.yaml | 23 -------- .../tls/patches/manager_deployment_cert.yaml | 9 ---- go.mod | 2 +- go.sum | 4 +- scripts/install.tpl.sh | 36 ------------- 20 files changed, 111 insertions(+), 106 deletions(-) create mode 100644 config/README.md rename {testdata/certs => config/components/ca}/issuers.yaml (100%) create mode 100644 config/components/ca/kustomization.yaml create mode 100644 config/components/coverage/kustomization.yaml rename config/{overlays/e2e => components/coverage}/manager_e2e_coverage_copy_pod.yaml (100%) rename config/{overlays/e2e => components/coverage}/manager_e2e_coverage_patch.yaml (100%) rename config/{overlays/e2e => components/coverage}/manager_e2e_coverage_pvc.yaml (100%) create mode 100644 config/components/tls/kustomization.yaml create mode 100644 config/components/tls/patches/manager_deployment_cert.yaml rename config/{overlays => components}/tls/resources/manager_cert.yaml (100%) create mode 100644 config/overlays/cert-manager/kustomization.yaml delete mode 100644 config/overlays/tls/kustomization.yaml delete mode 100644 config/overlays/tls/patches/manager_cert_patch.yaml delete mode 100644 config/overlays/tls/patches/manager_deployment_cert.yaml diff --git a/Makefile b/Makefile index c2af631bf..45f086d3d 100644 --- a/Makefile 
+++ b/Makefile @@ -54,7 +54,7 @@ else $(warning Could not find docker or podman in path! This may result in targets requiring a container runtime failing!) endif -KUSTOMIZE_BUILD_DIR := config/overlays/tls +KUSTOMIZE_BUILD_DIR := config/overlays/cert-manager # Disable -j flag for make .NOTPARALLEL: @@ -155,6 +155,7 @@ test-e2e: GO_BUILD_FLAGS := -cover test-e2e: run image-registry build-push-e2e-catalog registry-load-bundles e2e e2e-coverage kind-clean #HELP Run e2e test suite on local kind cluster .PHONY: extension-developer-e2e +extension-developer-e2e: KUSTOMIZE_BUILD_DIR := config/overlays/cert-manager extension-developer-e2e: KIND_CLUSTER_NAME := operator-controller-ext-dev-e2e #EXHELP Run extension-developer e2e on local kind cluster extension-developer-e2e: run image-registry test-ext-dev-e2e kind-clean diff --git a/Tiltfile b/Tiltfile index a2c9b47c0..ebf2f7871 100644 --- a/Tiltfile +++ b/Tiltfile @@ -1,7 +1,7 @@ if not os.path.exists('../tilt-support'): fail('Please clone https://github.com/operator-framework/tilt-support to ../tilt-support') -load('../tilt-support/Tiltfile', 'deploy_repo', 'process_yaml') +load('../tilt-support/Tiltfile', 'deploy_repo') config.define_string_list('repos', args=True) cfg = config.parse() @@ -9,15 +9,13 @@ repos = cfg.get('repos', ['operator-controller', 'catalogd']) repo = { 'image': 'quay.io/operator-framework/operator-controller', - 'yaml': 'config/overlays/tls', + 'yaml': 'config/secure', 'binaries': { 'manager': 'operator-controller-controller-manager', }, 'starting_debug_port': 30000, } -process_yaml("testdata/certs/issuers.yaml") - for r in repos: if r == 'operator-controller': deploy_repo('operator-controller', repo) diff --git a/config/README.md b/config/README.md new file mode 100644 index 000000000..1f8011507 --- /dev/null +++ b/config/README.md 
@@ -0,0 +1,52 @@
+# OPERATOR-CONTROLLER CONFIG
+
+## config/base
+
+This provides an insecure (i.e. no TLS) basic configuration of operator-controller.
+
+This configuration specifies a namespace of `olmv1-system`.
+
+## config/overlays/cert-manager
+
+This includes support for a secure (i.e. with TLS) configuration of operator-controller. This configuration uses:
+* config/base
+* config/components/tls
+* config/components/ca
+
+This configuration requires cert-manager.
+
+## config/overlays/e2e
+
+This provides additional configuration support for end-to-end testing, including code coverage. This configuration uses:
+* config/base
+* config/components/tls
+* config/components/ca
+* config/components/coverage
+
+This configuration requires cert-manager.
+
+## Components
+
+Each of the `kustomization.yaml` files specify a `Component`, rather than an overlay.
+
+### config/components/tls
+
+This provides a basic configuration of operator-controller with TLS support for catalogd.
+
+This component specifies the `olmv1-system` namespace.
+
+This component requires cert-manager.
+
+### config/components/coverage
+
+Provides configuration for code coverage.
+
+This component specifies the `olmv1-system` namespace.
+
+### config/components/ca
+
+Procides a CA for operator-controller operation.
+
+This component _does not_ specify a namespace, and must be included last.
+
+This component requires cert-manager.
diff --git a/testdata/certs/issuers.yaml b/config/components/ca/issuers.yaml
similarity index 100%
rename from testdata/certs/issuers.yaml
rename to config/components/ca/issuers.yaml
diff --git a/config/components/ca/kustomization.yaml b/config/components/ca/kustomization.yaml
new file mode 100644
index 000000000..5cbe13ad2
--- /dev/null
+++ b/config/components/ca/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+# No namespace is specified here, otherwise, it will overwrite _all_ the other namespaces!
+resources:
+- issuers.yaml
diff --git a/config/components/coverage/kustomization.yaml b/config/components/coverage/kustomization.yaml
new file mode 100644
index 000000000..5522eb7f8
--- /dev/null
+++ b/config/components/coverage/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+namespace: olmv1-system
+resources:
+- manager_e2e_coverage_pvc.yaml
+- manager_e2e_coverage_copy_pod.yaml
+patches:
+- path: manager_e2e_coverage_patch.yaml
diff --git a/config/overlays/e2e/manager_e2e_coverage_copy_pod.yaml b/config/components/coverage/manager_e2e_coverage_copy_pod.yaml
similarity index 100%
rename from config/overlays/e2e/manager_e2e_coverage_copy_pod.yaml
rename to config/components/coverage/manager_e2e_coverage_copy_pod.yaml
diff --git a/config/overlays/e2e/manager_e2e_coverage_patch.yaml b/config/components/coverage/manager_e2e_coverage_patch.yaml
similarity index 100%
rename from config/overlays/e2e/manager_e2e_coverage_patch.yaml
rename to config/components/coverage/manager_e2e_coverage_patch.yaml
diff --git a/config/overlays/e2e/manager_e2e_coverage_pvc.yaml b/config/components/coverage/manager_e2e_coverage_pvc.yaml
similarity index 100%
rename from config/overlays/e2e/manager_e2e_coverage_pvc.yaml
rename to config/components/coverage/manager_e2e_coverage_pvc.yaml
diff --git a/config/components/tls/kustomization.yaml b/config/components/tls/kustomization.yaml
new file mode 100644
index 000000000..8c1aa94cc
--- /dev/null
+++ b/config/components/tls/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+namespace: olmv1-system
+resources:
+- resources/manager_cert.yaml
+patches:
+- target:
+ kind: Deployment
+ name: controller-manager
+ path: patches/manager_deployment_cert.yaml
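Review bot: The `target:` in `config/components/tls/kustomization.yaml` selects the Deployment by kind and name, but the patch it applies (`patches/manager_deployment_cert.yaml`) picks the container by position with `/spec/template/spec/containers/0/...`, so the CA mount and the `--ca-certs-dir` flag land on whichever container is first in the base. The removed `manager_cert_patch.yaml` shows the pod also carries a `kube-rbac-proxy` container, and the base ordering is not visible in this diff. I would add a comment above the patch entry, `# JSON patch assumes the manager container is containers[0] in config/base`, so a later reorder of the base is caught in review rather than at rollout.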
diff --git a/config/components/tls/patches/manager_deployment_cert.yaml b/config/components/tls/patches/manager_deployment_cert.yaml
new file mode 100644
index 000000000..9a1cf1b7a
--- /dev/null
+++ b/config/components/tls/patches/manager_deployment_cert.yaml
@@ -0,0 +1,9 @@
+- op: add
+ path: /spec/template/spec/volumes/-
+ value: {"name":"olmv1-certificate", "secret":{"secretName":"olmv1-cert", "optional": false, "items": [{"key": "ca.crt", "path": "olm-ca.crt"}]}}
+- op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-
+ value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/certs/olm-ca.crt", "subPath":"olm-ca.crt"}
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--ca-certs-dir=/var/certs"
diff --git a/config/overlays/tls/resources/manager_cert.yaml b/config/components/tls/resources/manager_cert.yaml
similarity index 100%
rename from config/overlays/tls/resources/manager_cert.yaml
rename to config/components/tls/resources/manager_cert.yaml
diff --git a/config/overlays/cert-manager/kustomization.yaml b/config/overlays/cert-manager/kustomization.yaml
new file mode 100644
index 000000000..86746375b
--- /dev/null
+++ b/config/overlays/cert-manager/kustomization.yaml
@@ -0,0 +1,10 @@
+# kustomization file for secure operator-controller
+# DO NOT ADD A NAMESPACE HERE
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+components:
+- ../../components/tls
+# ca must be last or tls will overwrite the namespaces
+- ../../components/ca
diff --git a/config/overlays/e2e/kustomization.yaml b/config/overlays/e2e/kustomization.yaml
index e9a19438f..626ecb619 100644
--- a/config/overlays/e2e/kustomization.yaml
+++ b/config/overlays/e2e/kustomization.yaml
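Review bot: The only file this patch places under `/var/certs` is `olm-ca.crt`, taken from `ca.crt` of the `olmv1-cert` secret, so the manager's trust for catalogd now rests on the shared issuer rather than on the catalogd-specific `catalogd-catalogserver-cert` entry that the deleted patch mounted. If that issuer is cluster-scoped (the contents of `issuers.yaml` are not shown in this diff), any certificate it signs would presumably be accepted by the manager, which makes permission to request certificates from it part of the trust boundary. A header comment in `config/components/tls/patches/manager_deployment_cert.yaml` would record that, for example `# Mounts the shared OLM CA (ca.crt from olmv1-cert) as the anchor in --ca-certs-dir; catalogd's serving cert must chain to it`.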
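Review bot: The ordering rule for `components:` in `config/overlays/cert-manager/kustomization.yaml` is carried only by the comment `# ca must be last or tls will overwrite the namespaces`, which does not say what would be rewritten or why. As far as the diff shows, `components/tls` sets `namespace: olmv1-system` while `components/ca` deliberately sets none, so listing `ca` earlier would presumably let the later component's namespace be applied to the issuer resources as well. I would spell that out, e.g. `# ca must stay last: a component's namespace is applied to everything listed before it, so an earlier ca would have its issuer resources moved into olmv1-system`. The matching comment in `config/overlays/e2e/kustomization.yaml` would benefit from the same wording.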
@@ -1,9 +1,11 @@ -namespace: olmv1-system - +# kustomization file for all the e2e's +# DO NOT ADD A NAMESPACE HERE +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization resources: -- ../../overlays/tls -- manager_e2e_coverage_pvc.yaml -- manager_e2e_coverage_copy_pod.yaml - -patches: -- path: manager_e2e_coverage_patch.yaml +- ../../base +components: +- ../../components/tls +- ../../components/coverage +# ca must be last or (tls|coverage) will overwrite the namespaces +- ../../components/ca diff --git a/config/overlays/tls/kustomization.yaml b/config/overlays/tls/kustomization.yaml deleted file mode 100644 index e7c746a95..000000000 --- a/config/overlays/tls/kustomization.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# Adds namespace to all resources. -namespace: olmv1-system - -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. - -# the following config is for teaching kustomize how to do var substitution -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- ../../base -- resources/manager_cert.yaml - -patches: -- target: - kind: Deployment - name: controller-manager - path: patches/manager_deployment_cert.yaml -- path: patches/manager_cert_patch.yaml diff --git a/config/overlays/tls/patches/manager_cert_patch.yaml b/config/overlays/tls/patches/manager_cert_patch.yaml deleted file mode 100644 index 959d53a9a..000000000 --- a/config/overlays/tls/patches/manager_cert_patch.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - - name: manager - volumeMounts: - - name: e2e-cert - mountPath: /var/certs/olm-ca.crt - subPath: olm-ca.crt - readOnly: true - volumes: - - name: e2e-cert - secret: - secretName: olmv1-cert - items: - - key: ca.crt - path: olm-ca.crt diff --git a/config/overlays/tls/patches/manager_deployment_cert.yaml b/config/overlays/tls/patches/manager_deployment_cert.yaml deleted file mode 100644 index 94df488c6..000000000 --- a/config/overlays/tls/patches/manager_deployment_cert.yaml +++ /dev/null @@ -1,9 +0,0 @@ -- op: add - path: /spec/template/spec/volumes/- - value: {"name":"catalogd-certificate", "secret":{"secretName":"catalogd-catalogserver-cert", "optional": false, "items": [{"key": "ca.crt", "path": "catalogd.crt"}]}} -- op: add - path: /spec/template/spec/containers/0/volumeMounts/- - value: {"name":"catalogd-certificate", "readOnly": true, "mountPath":"/var/certs/catalogd.crt", "subPath":"catalogd.crt"} -- op: add - path: /spec/template/spec/containers/0/args/- - value: "--ca-certs-dir=/var/certs" diff --git a/go.mod b/go.mod index 305fb3ece..32db129dd 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/go-logr/logr v1.4.2 github.com/google/go-cmp v0.6.0 github.com/operator-framework/api v0.26.0 - github.com/operator-framework/catalogd v0.16.0 + github.com/operator-framework/catalogd v0.17.0 github.com/operator-framework/helm-operator-plugins v0.2.2-0.20240520180534-f463c36fedf9 github.com/operator-framework/operator-registry v1.44.0 github.com/operator-framework/rukpak v0.24.0 diff --git a/go.sum b/go.sum index 8d77e93f6..cab0fec29 100644 --- a/go.sum +++ b/go.sum 
@@ -606,8 +606,8 @@ github.com/openshift/crd-schema-checker v0.0.0-20240404194209-35a9033b1d11 h1:eT github.com/openshift/crd-schema-checker v0.0.0-20240404194209-35a9033b1d11/go.mod h1:EmVJt97N+pfWFsli/ipXTBZqSG5F5KGQhm3c3IsGq1o= github.com/operator-framework/api v0.26.0 h1:YVntU2NkVl5zSLLwK5kFcH6P3oSvN9QDgTsY9mb4yUM= github.com/operator-framework/api v0.26.0/go.mod h1:3IxOwzVUeGxYlzfwKCcfCyS+q3EEhWA/4kv7UehbeyM= -github.com/operator-framework/catalogd v0.16.0 h1:9J3Kg5ey5NptXReZ7J0ZAarXEz6RsWanfeWhurDtVh0= -github.com/operator-framework/catalogd v0.16.0/go.mod h1:7zVv39zlmvJvRePtRzdMRqn8s/WRH4ALXMJCKNQMKmc= +github.com/operator-framework/catalogd v0.17.0 h1:Vsl32qKf2nKbAnKNfJ6eREOkirx5+oxpUuSwMxGS/dc= +github.com/operator-framework/catalogd v0.17.0/go.mod h1:7zVv39zlmvJvRePtRzdMRqn8s/WRH4ALXMJCKNQMKmc= github.com/operator-framework/helm-operator-plugins v0.2.2-0.20240520180534-f463c36fedf9 h1:f7/TMBpuIZEQ3JbD9UyP1L1ZCSLLWdR2aPN+A+dOHFY= github.com/operator-framework/helm-operator-plugins v0.2.2-0.20240520180534-f463c36fedf9/go.mod h1:ly6Bd9rSzmt37Wy6WtZHmA+IY9zG958MryJFLcVpCXw= github.com/operator-framework/operator-lib v0.14.0 h1:er+BgZymZD1im2wytLJiPLZpGALAX6N0gXaHx3PKbO4= diff --git a/scripts/install.tpl.sh b/scripts/install.tpl.sh index 9af36c32c..1b44ac630 100644 --- a/scripts/install.tpl.sh +++ b/scripts/install.tpl.sh @@ -35,42 +35,6 @@ function kubectl_wait() { kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/${cert_mgr_version}/cert-manager.yaml" kubectl_wait "cert-manager" "deployment/cert-manager-webhook" "60s" -# Create a self-signed ClusterIssuer -kubectl apply -f - < Date: Wed, 3 Jul 2024 13:25:10 -0400 Subject: [PATCH 2/2] fixup! Reorganize config to support reusable components Signed-off-by: Todd Short --- Tiltfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tiltfile b/Tiltfile index ebf2f7871..330212902 100644 --- a/Tiltfile +++ b/Tiltfile 
@@ -9,7 +9,7 @@ repos = cfg.get('repos', ['operator-controller', 'catalogd']) repo = { 'image': 'quay.io/operator-framework/operator-controller', - 'yaml': 'config/secure', + 'yaml': 'config/overlays/cert-manager', 'binaries': { 'manager': 'operator-controller-controller-manager', },