From 9cc846b431c2450b03884aaee22c9f50fdf961db Mon Sep 17 00:00:00 2001 
From: Maskym Vavilov Date: Thu, 1 Feb 2024 12:02:44 +0000 Subject: [PATCH 1/3] GH-661 join addon-manager and gw-controller binaries --- .github/workflows/addon-manger-image.yaml | 62 ------ Dockerfile | 14 +- .../mgc-add-on-manager_v1_serviceaccount.yaml | 12 ++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 137 ++++++++++++++ ...rization.k8s.io_v1_clusterrolebinding.yaml | 13 ++ ...eway-controller.clusterserviceversion.yaml | 179 +----------------- .../manifests/cluster-role-binding.yaml | 0 .../addon-manager/manifests/cluster-role.yaml | 0 .../manifests/kuadrant-namespace.yaml | 0 .../addon-manager/manifests/kuadrant.yaml | 0 .../manifests/operator-group.yaml | 0 .../addon-manager/manifests/subscription.yaml | 0 cmd/gateway_controller/main.go | 138 ++++++++++++-- cmd/ocm/main.go | 101 ---------- .../cluster-management-addon.yaml | 10 - config/add-on-manager/kustomization.yaml | 11 -- config/add-on-manager/manager.yaml | 49 ----- config/default/kustomization.yaml | 1 - .../control-plane-installation.md | 3 +- hack/make/addon.make | 27 --- 20 files changed, 285 insertions(+), 472 deletions(-) delete mode 100644 .github/workflows/addon-manger-image.yaml create mode 100644 bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml create mode 100644 bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml rename cmd/{ocm => gateway_controller}/addon-manager/manifests/cluster-role-binding.yaml (100%) rename cmd/{ocm => gateway_controller}/addon-manager/manifests/cluster-role.yaml (100%) rename cmd/{ocm => gateway_controller}/addon-manager/manifests/kuadrant-namespace.yaml (100%) rename cmd/{ocm => gateway_controller}/addon-manager/manifests/kuadrant.yaml (100%) rename cmd/{ocm => gateway_controller}/addon-manager/manifests/operator-group.yaml (100%) rename cmd/{ocm => gateway_controller}/addon-manager/manifests/subscription.yaml (100%) 
delete mode 100644 cmd/ocm/main.go delete mode 100644 config/add-on-manager/cluster-management-addon.yaml delete mode 100644 config/add-on-manager/kustomization.yaml delete mode 100644 config/add-on-manager/manager.yaml diff --git a/.github/workflows/addon-manger-image.yaml b/.github/workflows/addon-manger-image.yaml deleted file mode 100644 index 7e6daab6a..000000000 --- a/.github/workflows/addon-manger-image.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -name: Build and Publish add-on manager Image - -on: - push: - branches: - - main - - "release-*" - tags: - - "v[0-9]+.[0-9]+.[0-9]+" - -env: - IMG_REGISTRY_HOST: quay.io - IMG_REGISTRY_ORG: kuadrant - IMG_REGISTRY_REPO: addon-manager - MAIN_BRANCH_NAME: main - -jobs: - build: - if: github.repository_owner == 'kuadrant' - name: Build and Publish Addon Manager Image - runs-on: ubuntu-22.04 - outputs: - sha_short: ${{ steps.vars.outputs.sha_short }} - controller_image: ${{ steps.vars.outputs.base_image }}:${{ steps.vars.outputs.sha_short }} - steps: - - uses: actions/checkout@v3 - - - name: Calculate vars - id: vars - run: | - echo "sha_short=$(echo ${{ github.sha }} | cut -b -7)" >> $GITHUB_OUTPUT - echo "base_image=${{ env.IMG_REGISTRY_HOST }}/${{ env.IMG_REGISTRY_ORG }}/${{ env.IMG_REGISTRY_REPO }}" >> $GITHUB_OUTPUT - - - name: Add image tags - id: add-tags - run: echo "IMG_TAGS=${{ steps.vars.outputs.base_image }}:${{ steps.vars.outputs.sha_short }},${{ steps.vars.outputs.base_image }}:${{ github.ref_name }}" >> $GITHUB_ENV - - - name: Add latest tag - if: ${{ github.ref_name == env.MAIN_BRANCH_NAME }} - id: add-latest-tag - run: echo "IMG_TAGS=${{ steps.vars.outputs.base_image }}:latest,${{ env.IMG_TAGS }}" >> $GITHUB_ENV - - - name: Login to Quay.io - uses: docker/login-action@v2 - id: registry-login - with: - registry: ${{ env.IMG_REGISTRY_HOST }} - username: ${{ secrets.IMG_REGISTRY_USERNAME }} - password: ${{ secrets.IMG_REGISTRY_TOKEN }} - - - name: Build and push add-on manager Image - id: build-and-push - uses: docker/build-push-action@v4 - with: - push: true - tags: ${{ env.IMG_TAGS }} - target: add-on-manager - - - name: Print Image URL - run: | - echo "Image pushed to ${{ env.IMG_TAGS }}" - echo "Image digest: ${{ steps.build-and-push.outputs.digest }}" diff --git a/Dockerfile b/Dockerfile index 15b7ce96d..88d96a5c9 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -23,9 +23,6 @@ COPY pkg/ pkg/ FROM builder as controller_builder RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o controller cmd/gateway_controller/main.go -FROM builder as addon_builder -RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o add-on-manager cmd/ocm/main.go - # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details FROM gcr.io/distroless/static:nonroot as controller @@ -33,13 +30,4 @@ WORKDIR / COPY --from=controller_builder /workspace/controller . USER 65532:65532 -ENTRYPOINT ["/controller"] - -# Use distroless as minimal base image to package the manager binary -# Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot as add-on-manager -WORKDIR / -COPY --from=addon_builder /workspace/add-on-manager . -USER 65532:65532 - -ENTRYPOINT ["/add-on-manager"] +ENTRYPOINT ["/controller"] \ No newline at end of file diff --git a/bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml b/bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml new file mode 100644 index 000000000..0d0f0921c --- /dev/null +++ b/bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: kuadrant + app.kubernetes.io/instance: add-on-manager + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/part-of: multicluster-gateway-controller + name: mgc-add-on-manager diff --git a/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 000000000..7c312f35d --- /dev/null 
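Review bot: In the second hunk (`@@ -33,13 +30,4 @@`) the final `ENTRYPOINT ["/controller"]` is removed and re-added unchanged except that the file's trailing newline is dropped (`\ No newline at end of file`), so the diff records a change that is not one and the next editor save will churn it back. Keep the original line with its newline so the hunk shrinks to the deletion of the `add-on-manager` stage.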
+++ b/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml 
@@ -0,0 +1,137 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: mgc-kuadrant-addon +rules: +- apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - get + - list + - watch + - create + - update + - delete + - deletecollection + - patch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - get + - create +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - get + - list + - watch + - create + - update +- apiGroups: + - certificates.k8s.io + resources: + - signers + verbs: + - approve +- apiGroups: + - cluster.open-cluster-management.io + resources: + - managedclusters + verbs: + - get + - list + - watch + - update +- apiGroups: + - work.open-cluster-management.io + resources: + - manifestworks + verbs: + - create + - update + - get + - list + - watch + - delete + - deletecollection + - patch +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/finalizers + verbs: + - update +- apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons/finalizers + verbs: + - update +- apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons + verbs: + - get + - list + - watch +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/status + verbs: + - update + - patch +- apiGroups: + - kuadrant.io/v1beta1 + resources: + - kuadrant + 
verbs: + - get + - list + - watch + - create + - update diff --git a/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml b/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml new file mode 100644 index 000000000..e7e5246ae --- /dev/null +++ b/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + name: mgc-kuadrant-addon +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mgc-kuadrant-addon +subjects: +- kind: ServiceAccount + name: mgc-add-on-manager + namespace: multicluster-gateway-controller-system diff --git a/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml b/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml index a07fa57f7..e6831eb10 100644 --- a/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml +++ b/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml @@ -4,7 +4,7 @@ metadata: annotations: alm-examples: '[]' capabilities: Basic Install - createdAt: "2024-02-09T15:14:21Z" + createdAt: "2024-02-02T12:19:59Z" operators.operatorframework.io/builder: operator-sdk-v1.28.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 name: multicluster-gateway-controller.v0.0.0 
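Review bot: The last rule in this ClusterRole lists `- kuadrant.io/v1beta1` under `apiGroups`, but RBAC `apiGroups` entries are group names without a version, so this entry matches nothing and the `kuadrant` rule grants no access; it should read `- kuadrant.io`. The resource is given as the singular `kuadrant`, while RBAC matches on the plural resource name, so if the CRD's plural is `kuadrants` that line needs changing as well. The same rule text was removed from the CSV's `clusterPermissions` in this commit, so the mistake is carried over rather than new; since bundle manifests are normally generated, the fix belongs in whatever kustomize source produces this file (not part of this diff), otherwise the next bundle regeneration will undo it.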
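Review bot: This binding grants `mgc-kuadrant-addon` to the `mgc-add-on-manager` ServiceAccount, but after this commit the add-on manager code runs inside the controller binary, and the CSV still has a separate `clusterPermissions` entry with `serviceAccountName: mgc-controller-manager` (context at `@@ -295,50 +162,6 @@`), which is presumably the account the controller deployment runs as. Unless `mgc-controller-manager` is granted these rules elsewhere, the process that now needs them will be forbidden on `managedclusteraddons`, `manifestworks` and the rest, while `mgc-add-on-manager` holds permissions nothing uses. Either change `subjects[0].name` to `mgc-controller-manager` or fold these rules into that account's existing permissions, and drop the now-orphaned ServiceAccount. The subject `namespace` is also hard-coded to `multicluster-gateway-controller-system`; if the operator is installed into a different namespace the binding points at an account that does not exist.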
@@ -21,139 +21,6 @@ spec: install: spec: clusterPermissions: - - rules: - - apiGroups: - - "" - resources: - - configmaps - - events - verbs: - - get - - list - - watch - - create - - update - - delete - - deletecollection - - patch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - get - - create - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - verbs: - - get - - list - - watch - - create - - update - - apiGroups: - - certificates.k8s.io - resources: - - signers - verbs: - - approve - - apiGroups: - - cluster.open-cluster-management.io - resources: - - managedclusters - verbs: - - get - - list - - watch - - update - - apiGroups: - - work.open-cluster-management.io - resources: - - manifestworks - verbs: - - create - - update - - get - - list - - watch - - delete - - deletecollection - - patch - - apiGroups: - - addon.open-cluster-management.io - resources: - - managedclusteraddons/finalizers - verbs: - - update - - apiGroups: - - addon.open-cluster-management.io - resources: - - clustermanagementaddons/finalizers - verbs: - - update - - apiGroups: - - addon.open-cluster-management.io - resources: - - clustermanagementaddons - verbs: - - get - - list - - watch - - apiGroups: - - addon.open-cluster-management.io - resources: - - managedclusteraddons - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - addon.open-cluster-management.io - resources: - - managedclusteraddons/status - verbs: - - update - - patch - - apiGroups: - - kuadrant.io/v1beta1 - resources: - - kuadrant - verbs: - - get - - list - - watch - - create - - update - 
serviceAccountName: mgc-add-on-manager - rules: - apiGroups: - "" @@ -295,50 +162,6 @@ spec: - create serviceAccountName: mgc-controller-manager deployments: - - label: - control-plane: kuadrant-add-on-manager - name: mgc-add-on-manager - spec: - replicas: 1 - selector: - matchLabels: - control-plane: kuadrant-add-on-manager - strategy: {} - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: controller - labels: - control-plane: kuadrant-add-on-manager - spec: - containers: - - args: - - --leader-elect - command: - - /add-on-manager - envFrom: - - configMapRef: - name: controller-config - optional: true - image: quay.io/kuadrant/addon-manager:main - imagePullPolicy: Always - name: controller - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - securityContext: - runAsNonRoot: true - serviceAccountName: mgc-add-on-manager - terminationGracePeriodSeconds: 10 - label: app.kubernetes.io/component: manager app.kubernetes.io/created-by: multicluster-gateway-controller diff --git a/cmd/ocm/addon-manager/manifests/cluster-role-binding.yaml b/cmd/gateway_controller/addon-manager/manifests/cluster-role-binding.yaml similarity index 100% rename from cmd/ocm/addon-manager/manifests/cluster-role-binding.yaml rename to cmd/gateway_controller/addon-manager/manifests/cluster-role-binding.yaml diff --git a/cmd/ocm/addon-manager/manifests/cluster-role.yaml b/cmd/gateway_controller/addon-manager/manifests/cluster-role.yaml similarity index 100% rename from cmd/ocm/addon-manager/manifests/cluster-role.yaml rename to cmd/gateway_controller/addon-manager/manifests/cluster-role.yaml 
diff --git a/cmd/ocm/addon-manager/manifests/kuadrant-namespace.yaml b/cmd/gateway_controller/addon-manager/manifests/kuadrant-namespace.yaml
similarity index 100%
rename from cmd/ocm/addon-manager/manifests/kuadrant-namespace.yaml
rename to cmd/gateway_controller/addon-manager/manifests/kuadrant-namespace.yaml
diff --git a/cmd/ocm/addon-manager/manifests/kuadrant.yaml b/cmd/gateway_controller/addon-manager/manifests/kuadrant.yaml
similarity index 100%
rename from cmd/ocm/addon-manager/manifests/kuadrant.yaml
rename to cmd/gateway_controller/addon-manager/manifests/kuadrant.yaml
diff --git a/cmd/ocm/addon-manager/manifests/operator-group.yaml b/cmd/gateway_controller/addon-manager/manifests/operator-group.yaml
similarity index 100%
rename from cmd/ocm/addon-manager/manifests/operator-group.yaml
rename to cmd/gateway_controller/addon-manager/manifests/operator-group.yaml
diff --git a/cmd/ocm/addon-manager/manifests/subscription.yaml b/cmd/gateway_controller/addon-manager/manifests/subscription.yaml
similarity index 100%
rename from cmd/ocm/addon-manager/manifests/subscription.yaml
rename to cmd/gateway_controller/addon-manager/manifests/subscription.yaml
diff --git a/cmd/gateway_controller/main.go b/cmd/gateway_controller/main.go
index 6ca936b99..4a0df5ed2 100644
--- a/cmd/gateway_controller/main.go
+++ b/cmd/gateway_controller/main.go
@@ -17,14 +17,24 @@ limitations under the License. package main import ( + "context" + "embed" "flag" "os" - + "sync" + + certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + operatorsv1 "github.com/operator-framework/api/pkg/operators/v1" + operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" + "open-cluster-management.io/addon-framework/pkg/addonfactory" + "open-cluster-management.io/addon-framework/pkg/addonmanager" + addonapiv1alpha1 "open-cluster-management.io/api/addon/v1alpha1" clusterv1 "open-cluster-management.io/api/cluster/v1" clusterv1beta2 "open-cluster-management.io/api/cluster/v1beta1" workv1 "open-cluster-management.io/api/work/v1" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/dynamic" @@ -40,14 +50,28 @@ import ( "sigs.k8s.io/controller-runtime/pkg/webhook" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" + kuadrantv1beta1 "github.com/kuadrant/kuadrant-operator/api/v1beta1" + + "github.com/Kuadrant/multicluster-gateway-controller/pkg/apis/v1alpha1" "github.com/Kuadrant/multicluster-gateway-controller/pkg/controllers/gateway" + "github.com/Kuadrant/multicluster-gateway-controller/pkg/ocm/hub" "github.com/Kuadrant/multicluster-gateway-controller/pkg/placement" "github.com/Kuadrant/multicluster-gateway-controller/pkg/policysync" //+kubebuilder:scaffold:imports ) var ( - setupLog = ctrl.Log.WithName("setup") + metricsAddr string + enableLeaderElection bool + probeAddr string + setupLog = ctrl.Log.WithName("setup") + + //go:embed addon-manager/manifests + FS embed.FS +) + +const ( + addonName = "kuadrant-addon" ) func init() { 
@@ -61,24 +85,75 @@ func init() { //+kubebuilder:scaffold:scheme } -func main() { - var metricsAddr string - var enableLeaderElection bool - var probeAddr string - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") - flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") - flag.BoolVar(&enableLeaderElection, "leader-elect", false, - "Enable leader election for controller manager. "+ - "Enabling this will ensure there is only one active controller manager.") - opts := zap.Options{ - Development: true, +func GetDefaultValues(cluster *clusterv1.ManagedCluster, + addon *addonapiv1alpha1.ManagedClusterAddOn) (addonfactory.Values, error) { + + defaultIstioOperator := "istiocontrolplane" + defaultIstioOperatorNS := "istio-system" + defaultIstioConfigMap := "istio" + defaultCatalog := "operatorhubio-catalog" + defaultCatalogNS := "olm" + defaultChannel := "stable" + + manifestConfig := struct { + IstioOperator string + IstioConfigMapName string + IstioOperatorNamespace string + ClusterName string + CatalogSource string + CatalogSourceNS string + Channel string + }{ + ClusterName: cluster.Name, + IstioOperator: defaultIstioOperator, + IstioConfigMapName: defaultIstioConfigMap, + IstioOperatorNamespace: defaultIstioOperatorNS, + CatalogSource: defaultCatalog, + CatalogSourceNS: defaultCatalogNS, + Channel: defaultChannel, } - opts.BindFlags(flag.CommandLine) - flag.Parse() - ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + return addonfactory.StructToValues(manifestConfig), nil +} - ctx := ctrl.SetupSignalHandler() +func startAddonManager(ctx context.Context) { + setupLog.Info("starting add-on manager") + addonScheme := runtime.NewScheme() + utilruntime.Must(operatorsv1alpha1.AddToScheme(addonScheme)) + utilruntime.Must(operatorsv1.AddToScheme(addonScheme)) + utilruntime.Must(kuadrantv1beta1.AddToScheme(addonScheme)) + + kubeConfig := ctrl.GetConfigOrDie() + + 
addonMgr, err := addonmanager.New(kubeConfig) + if err != nil { + setupLog.Error(err, "unable to setup addon manager") + os.Exit(1) + } + + agentAddon, err := addonfactory.NewAgentAddonFactory(addonName, FS, "addon-manager/manifests"). + WithAgentHealthProber(hub.AddonHealthProber()). + WithScheme(addonScheme). + WithGetValuesFuncs(GetDefaultValues, addonfactory.GetValuesFromAddonAnnotation). + BuildTemplateAgentAddon() + if err != nil { + setupLog.Error(err, "failed to build agent addon") + os.Exit(1) + } + err = addonMgr.AddAgent(agentAddon) + if err != nil { + setupLog.Error(err, "failed to add addon agent") + os.Exit(1) + } + + if err := addonMgr.Start(ctx); err != nil { + setupLog.Error(err, "problem running addon manager") + os.Exit(1) + } + +} + +func startGatewayController(ctx context.Context) { mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme.Scheme, Metrics: metricsserver.Options{BindAddress: metricsAddr}, @@ -139,8 +214,35 @@ func main() { } setupLog.Info("starting manager") + if err := mgr.Start(ctx); err != nil { - setupLog.Error(err, "problem running manager") + setupLog.Error(err, "problem running controller manager") os.Exit(1) } + +} + +func main() { + flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") + flag.BoolVar(&enableLeaderElection, "leader-elect", false, + "Enable leader election for controller manager. "+ + "Enabling this will ensure there is only one active controller manager.") + opts := zap.Options{ + Development: true, + } + opts.BindFlags(flag.CommandLine) + flag.Parse() + + ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + + ctx := ctrl.SetupSignalHandler() + + wg := sync.WaitGroup{} + wg.Add(2) + go startAddonManager(ctx) + go startGatewayController(ctx) + wg.Wait() + + <-ctx.Done() } 
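Review bot: `startAddonManager` terminates the whole process with `os.Exit(1)` from a goroutine on each of its three setup failures, which bypasses the controller manager's graceful shutdown and any deferred cleanup in the other goroutine. Returning an error instead (`func startAddonManager(ctx context.Context) error`, with `return err` on each failure path) lets `main` log once and decide how to exit. The same pattern is carried into patch 2/3, where `AddonRunnable.Start` in `cmd/gateway_controller/addon-manager/addon-manager.go` already returns `error` yet still calls `os.Exit(1)` on three of its four failure paths; a Runnable should return the error so the manager can stop cleanly. The `startGatewayController` body that begins at the end of this hunk continues outside it.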
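Review bot: In the new `main`, `wg.Add(2)` is followed by `wg.Wait()` but neither `startAddonManager` nor `startGatewayController` ever calls `wg.Done()`, so `wg.Wait()` blocks forever and the `<-ctx.Done()` after it is unreachable; when the signal handler cancels `ctx` both managers return, but the process never exits until the kubelet kills it after the grace period. Either put `defer wg.Done()` at the top of both functions or drop the WaitGroup and keep only `<-ctx.Done()`, not both. Patch 2/3 of this series replaces this block with a manager Runnable, which resolves it, but as a standalone commit this one leaves the binary unable to exit on SIGTERM.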
diff --git a/cmd/ocm/main.go b/cmd/ocm/main.go
deleted file mode 100644
index 6b2799e64..000000000
--- a/cmd/ocm/main.go
+++ /dev/null
@@ -1,101 +0,0 @@ -package main - -import ( - "context" - "embed" - "fmt" - - operatorsv1 "github.com/operator-framework/api/pkg/operators/v1" - operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" - "open-cluster-management.io/addon-framework/pkg/addonfactory" - "open-cluster-management.io/addon-framework/pkg/addonmanager" - addonapiv1alpha1 "open-cluster-management.io/api/addon/v1alpha1" - clusterv1 "open-cluster-management.io/api/cluster/v1" - - "k8s.io/apimachinery/pkg/runtime" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" - "k8s.io/klog/v2" - ctrl "sigs.k8s.io/controller-runtime" - - kuadrantv1beta1 "github.com/kuadrant/kuadrant-operator/api/v1beta1" - - hub "github.com/Kuadrant/multicluster-gateway-controller/pkg/ocm/hub" -) - -//go:embed addon-manager/manifests -var FS embed.FS - -const ( - addonName = "kuadrant-addon" -) - -func GetDefaultValues(cluster *clusterv1.ManagedCluster, - addon *addonapiv1alpha1.ManagedClusterAddOn) (addonfactory.Values, error) { - - defaultIstioOperator := "istiocontrolplane" - defaultIstioOperatorNS := "istio-system" - defaultIstioConfigMap := "istio" - defaultCatalog := "operatorhubio-catalog" - defaultCatalogNS := "olm" - defaultChannel := "stable" - - manifestConfig := struct { - IstioOperator string - IstioConfigMapName string - IstioOperatorNamespace string - ClusterName string - CatalogSource string - CatalogSourceNS string - Channel string - }{ - ClusterName: cluster.Name, - IstioOperator: defaultIstioOperator, - IstioConfigMapName: defaultIstioConfigMap, - IstioOperatorNamespace: defaultIstioOperatorNS, - CatalogSource: defaultCatalog, - CatalogSourceNS: defaultCatalogNS, - Channel: defaultChannel, - } - - return addonfactory.StructToValues(manifestConfig), nil -} - -func main() { - fmt.Println("starting add-on manager") - addonScheme := runtime.NewScheme() - utilruntime.Must(operatorsv1alpha1.AddToScheme(addonScheme)) - utilruntime.Must(operatorsv1.AddToScheme(addonScheme)) - 
utilruntime.Must(kuadrantv1beta1.AddToScheme(addonScheme)) - - kubeConfig := ctrl.GetConfigOrDie() - - addonMgr, err := addonmanager.New(kubeConfig) - if err != nil { - klog.Errorf("unable to setup addon manager: %v", err) - panic(err) - } - - agentAddon, err := addonfactory.NewAgentAddonFactory(addonName, FS, "addon-manager/manifests"). - WithAgentHealthProber(hub.AddonHealthProber()). - WithScheme(addonScheme). - WithGetValuesFuncs(GetDefaultValues, addonfactory.GetValuesFromAddonAnnotation). - BuildTemplateAgentAddon() - if err != nil { - klog.Errorf("failed to build agent addon %v", err) - panic(err) - } - err = addonMgr.AddAgent(agentAddon) - if err != nil { - klog.Errorf("failed to add addon agent: %v", err) - panic(err) - } - - ctx := context.Background() - go func() { - if err := addonMgr.Start(ctx); err != nil { - panic(err) - } - }() - - <-ctx.Done() -} diff --git a/config/add-on-manager/cluster-management-addon.yaml b/config/add-on-manager/cluster-management-addon.yaml deleted file mode 100644 index 5e7abe868..000000000 --- a/config/add-on-manager/cluster-management-addon.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: addon.open-cluster-management.io/v1alpha1 -kind: ClusterManagementAddOn -metadata: - name: kuadrant-addon -spec: - addOnMeta: - displayName: kuadrant Addon - description: "kuadrant operator" - - diff --git a/config/add-on-manager/kustomization.yaml b/config/add-on-manager/kustomization.yaml deleted file mode 100644 index 57a44f48f..000000000 --- a/config/add-on-manager/kustomization.yaml +++ /dev/null @@ -1,11 +0,0 @@ -resources: -- manager.yaml -- cluster-management-addon.yaml - - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -images: -- name: addon-manager - newName: quay.io/kuadrant/addon-manager - newTag: main \ No newline at end of file diff --git a/config/add-on-manager/manager.yaml b/config/add-on-manager/manager.yaml deleted file mode 100644 index 3656972ba..000000000 
--- a/config/add-on-manager/manager.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: add-on-manager - namespace: system - labels: - control-plane: kuadrant-add-on-manager -spec: - selector: - matchLabels: - control-plane: kuadrant-add-on-manager - replicas: 1 - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: controller - labels: - control-plane: kuadrant-add-on-manager - spec: - securityContext: - runAsNonRoot: true - containers: - - command: - - /add-on-manager - args: - - --leader-elect - image: addon-manager:latest - imagePullPolicy: Always - envFrom: - - configMapRef: - name: controller-config - optional: true - name: controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - #TODO add health and readiness probes - # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - serviceAccountName: add-on-manager - terminationGracePeriodSeconds: 10 \ No newline at end of file diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 41eda0db8..bac9fe760 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -11,7 +11,6 @@ namePrefix: mgc- resources: - ../rbac - ../manager -- ../add-on-manager patches: - path: manager_metrics_patch.yaml diff --git a/docs/installation/control-plane-installation.md b/docs/installation/control-plane-installation.md index 2a4b6c1b0..058abe60e 100644 --- a/docs/installation/control-plane-installation.md +++ b/docs/installation/control-plane-installation.md 
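Review bot: Dropping `- ../add-on-manager` from `resources` also removes the `ClusterManagementAddOn` `kuadrant-addon` that lived in the deleted `config/add-on-manager/cluster-management-addon.yaml`, and nothing in this diff recreates it; unless it is created elsewhere, the hub is left with no cluster-scoped registration for the add-on the merged binary is supposed to manage. Conversely, the bundle gains `mgc-add-on-manager_v1_serviceaccount.yaml` and the `mgc-kuadrant-addon` ClusterRole/ClusterRoleBinding, but no kustomize source for them appears under `config/`, so presumably they were hand-placed and the next bundle regeneration would drop them — confirm where they are generated from. If the `ClusterManagementAddOn` is still needed, move it into a kustomization that remains in `resources`.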
@@ -64,11 +64,10 @@ In addition to the MGC, this will also install the Kuadrant add-on manager and a Verify that the MGC and add-on manager have been installed and are running: ```bash -kubectl wait --timeout=5m -n multicluster-gateway-controller-system deployment/mgc-controller-manager deployment/mgc-add-on-manager deployment/mgc-policy-controller --for=condition=Available --context $HUB_CLUSTER +kubectl wait --timeout=5m -n multicluster-gateway-controller-system deployment/mgc-controller-manager deployment/mgc-policy-controller --for=condition=Available --context $HUB_CLUSTER ``` ``` deployment.apps/mgc-controller-manager condition met -deployment.apps/mgc-add-on-manager condition met deployment/mgc-policy-controller condition met ``` diff --git a/hack/make/addon.make b/hack/make/addon.make index 966173d90..e69de29bb 100644 --- a/hack/make/addon.make +++ b/hack/make/addon.make @@ -1,27 +0,0 @@ -OCM_ADDON_IMG ?= quay.io/kuadrant/addon-manager:v0.0.1 - -.PHONY: build-addon-manager -build-addon-manager: manifests generate fmt vet ## Build ocm binary. - go build -o bin/addon-manager ./cmd/ocm/main.go - -.PHONY: run-addon-manager -run-addon-manager: manifests generate fmt vet - go run ./cmd/ocm/main.go - - -.PHONY: docker-build-add-on-manager -docker-build-add-on-manager: ## Build docker image with the add-on manager. - docker build --target add-on-manager -t ${OCM_ADDON_IMG} . - docker image prune -f --filter label=stage=mgc-builder - -.PHONY: kind-load-add-on-manager -kind-load-add-on-manager: docker-build-ocm - kind load docker-image ${OCM_ADDON_IMG} --name mgc-control-plane --nodes mgc-control-plane-control-plane - -.PHONY: docker-push-add-on-manager -docker-push-ocm: ## Push docker image with the ocm. - docker push ${OCM_ADDON_IMG} - - .PHONY: deploy-add-on-manager -deploy-add-on-manager: ## Deploy controller to the K8s cluster specified in ~/.kube/config. - kubectl apply -f config/ocm \ No newline at end of file 
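Review bot: The `hack/make/addon.make` hunk empties the file instead of deleting it: its header reads `index 966173d90..e69de29bb 100644` with no `deleted file mode`, and `e69de29bb` is git's empty-blob id, so a zero-byte makefile stays in the tree and whatever `include`s it from the top-level Makefile (outside this diff) keeps doing so. Delete the file and drop the include, matching how `config/add-on-manager/*` and `cmd/ocm/main.go` are removed in this commit.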
From 9e08bd575aa36a05094d1fe8854ac0182022358a Mon Sep 17 00:00:00 2001 From: Maskym Vavilov Date: Mon, 19 Feb 2024 11:31:40 +0000 Subject: [PATCH 2/3] GH-661 comments p1 --- .../addon-manager/addon-manager.go | 103 +++++++++++++ cmd/gateway_controller/main.go | 135 +++--------------- 2 files changed, 126 insertions(+), 112 deletions(-) create mode 100644 cmd/gateway_controller/addon-manager/addon-manager.go diff --git a/cmd/gateway_controller/addon-manager/addon-manager.go b/cmd/gateway_controller/addon-manager/addon-manager.go new file mode 100644 index 000000000..ab8b79bf5 --- /dev/null +++ b/cmd/gateway_controller/addon-manager/addon-manager.go 
@@ -0,0 +1,103 @@ +package addon_manager + +import ( + "context" + "embed" + "os" + + operatorsv1 "github.com/operator-framework/api/pkg/operators/v1" + operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" + "open-cluster-management.io/addon-framework/pkg/addonfactory" + "open-cluster-management.io/addon-framework/pkg/addonmanager" + addonapiv1alpha1 "open-cluster-management.io/api/addon/v1alpha1" + clusterv1 "open-cluster-management.io/api/cluster/v1" + + "k8s.io/apimachinery/pkg/runtime" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + ctrl "sigs.k8s.io/controller-runtime" + + kuadrantv1beta1 "github.com/kuadrant/kuadrant-operator/api/v1beta1" + + "github.com/Kuadrant/multicluster-gateway-controller/pkg/ocm/hub" +) + +//go:embed manifests +var FS embed.FS + +const ( + addonName = "kuadrant-addon" +) + +type AddonRunnable struct{} + +func (r AddonRunnable) Start(ctx context.Context) error { + setupLog := ctrl.Log.WithName("addon manager setup") + setupLog.Info("starting add-on manager") + addonScheme := runtime.NewScheme() + utilruntime.Must(operatorsv1alpha1.AddToScheme(addonScheme)) + utilruntime.Must(operatorsv1.AddToScheme(addonScheme)) + utilruntime.Must(kuadrantv1beta1.AddToScheme(addonScheme)) + + kubeConfig := ctrl.GetConfigOrDie() + + addonMgr, err := addonmanager.New(kubeConfig) + if err != nil { + setupLog.Error(err, "unable to setup addon manager") + os.Exit(1) + } + + agentAddon, err := addonfactory.NewAgentAddonFactory(addonName, FS, "manifests"). + WithAgentHealthProber(hub.AddonHealthProber()). + WithScheme(addonScheme). + WithGetValuesFuncs(GetDefaultValues, addonfactory.GetValuesFromAddonAnnotation). 
+ BuildTemplateAgentAddon() + if err != nil { + setupLog.Error(err, "failed to build agent addon") + os.Exit(1) + } + err = addonMgr.AddAgent(agentAddon) + if err != nil { + setupLog.Error(err, "failed to add addon agent") + os.Exit(1) + } + + if err = addonMgr.Start(ctx); err != nil { + setupLog.Error(err, "problem running addon manager") + return err + } + + <-ctx.Done() + + return nil +} + +func GetDefaultValues(cluster *clusterv1.ManagedCluster, + addon *addonapiv1alpha1.ManagedClusterAddOn) (addonfactory.Values, error) { + + defaultIstioOperator := "istiocontrolplane" + defaultIstioOperatorNS := "istio-system" + defaultIstioConfigMap := "istio" + defaultCatalog := "operatorhubio-catalog" + defaultCatalogNS := "olm" + defaultChannel := "stable" + + manifestConfig := struct { + IstioOperator string + IstioConfigMapName string + IstioOperatorNamespace string + ClusterName string + CatalogSource string + CatalogSourceNS string + Channel string + }{ + ClusterName: cluster.Name, + IstioOperator: defaultIstioOperator, + IstioConfigMapName: defaultIstioConfigMap, + IstioOperatorNamespace: defaultIstioOperatorNS, + CatalogSource: defaultCatalog, + CatalogSourceNS: defaultCatalogNS, + Channel: defaultChannel, + } + + return addonfactory.StructToValues(manifestConfig), nil +} diff --git a/cmd/gateway_controller/main.go b/cmd/gateway_controller/main.go index 4a0df5ed2..9b80db709 100644 --- a/cmd/gateway_controller/main.go +++ b/cmd/gateway_controller/main.go 
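Review bot: The package is named `addon_manager`, which goes against Go's convention of short, lowercase, underscore-free package names, and the hyphenated directory `cmd/gateway_controller/addon-manager` forces every importer to alias it (as the `addon_manager "…/addon-manager"` import in the next file shows). Renaming directory and package to a single word — for instance `addon` — removes the alias and the lint warning; `addonmanager` would collide with the imported `open-cluster-management.io/addon-framework/pkg/addonmanager`. The logger name in `ctrl.Log.WithName("addon manager setup")` contains spaces, which logr backends join into dotted or slash-separated paths; `"addon-manager"` reads more cleanly in output. How `AddonRunnable` is wired into the manager is outside this hunk.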
@@ -17,24 +17,15 @@ limitations under the License. package main import ( - "context" - "embed" "flag" "os" - "sync" certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" - operatorsv1 "github.com/operator-framework/api/pkg/operators/v1" - operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" - "open-cluster-management.io/addon-framework/pkg/addonfactory" - "open-cluster-management.io/addon-framework/pkg/addonmanager" - addonapiv1alpha1 "open-cluster-management.io/api/addon/v1alpha1" clusterv1 "open-cluster-management.io/api/cluster/v1" clusterv1beta2 "open-cluster-management.io/api/cluster/v1beta1" workv1 "open-cluster-management.io/api/work/v1" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/dynamic" @@ -50,11 +41,9 @@ import ( "sigs.k8s.io/controller-runtime/pkg/webhook" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" - kuadrantv1beta1 "github.com/kuadrant/kuadrant-operator/api/v1beta1" - + addon_manager "github.com/Kuadrant/multicluster-gateway-controller/cmd/gateway_controller/addon-manager" "github.com/Kuadrant/multicluster-gateway-controller/pkg/apis/v1alpha1" "github.com/Kuadrant/multicluster-gateway-controller/pkg/controllers/gateway" - "github.com/Kuadrant/multicluster-gateway-controller/pkg/ocm/hub" "github.com/Kuadrant/multicluster-gateway-controller/pkg/placement" "github.com/Kuadrant/multicluster-gateway-controller/pkg/policysync" //+kubebuilder:scaffold:imports @@ -64,14 +53,6 @@ var ( metricsAddr string enableLeaderElection bool probeAddr string - setupLog = ctrl.Log.WithName("setup") - - //go:embed addon-manager/manifests - FS embed.FS -) - -const ( - addonName = "kuadrant-addon" ) func init() { 
@@ -85,75 +66,23 @@ func init() { //+kubebuilder:scaffold:scheme } -func GetDefaultValues(cluster *clusterv1.ManagedCluster, - addon *addonapiv1alpha1.ManagedClusterAddOn) (addonfactory.Values, error) { - - defaultIstioOperator := "istiocontrolplane" - defaultIstioOperatorNS := "istio-system" - defaultIstioConfigMap := "istio" - defaultCatalog := "operatorhubio-catalog" - defaultCatalogNS := "olm" - defaultChannel := "stable" - - manifestConfig := struct { - IstioOperator string - IstioConfigMapName string - IstioOperatorNamespace string - ClusterName string - CatalogSource string - CatalogSourceNS string - Channel string - }{ - ClusterName: cluster.Name, - IstioOperator: defaultIstioOperator, - IstioConfigMapName: defaultIstioConfigMap, - IstioOperatorNamespace: defaultIstioOperatorNS, - CatalogSource: defaultCatalog, - CatalogSourceNS: defaultCatalogNS, - Channel: defaultChannel, - } - - return addonfactory.StructToValues(manifestConfig), nil -} - -func startAddonManager(ctx context.Context) { - setupLog.Info("starting add-on manager") - addonScheme := runtime.NewScheme() - utilruntime.Must(operatorsv1alpha1.AddToScheme(addonScheme)) - utilruntime.Must(operatorsv1.AddToScheme(addonScheme)) - utilruntime.Must(kuadrantv1beta1.AddToScheme(addonScheme)) - - kubeConfig := ctrl.GetConfigOrDie() - - addonMgr, err := addonmanager.New(kubeConfig) - if err != nil { - setupLog.Error(err, "unable to setup addon manager") - os.Exit(1) - } - - agentAddon, err := addonfactory.NewAgentAddonFactory(addonName, FS, "addon-manager/manifests"). - WithAgentHealthProber(hub.AddonHealthProber()). - WithScheme(addonScheme). - WithGetValuesFuncs(GetDefaultValues, addonfactory.GetValuesFromAddonAnnotation). 
- BuildTemplateAgentAddon() - if err != nil { - setupLog.Error(err, "failed to build agent addon") - os.Exit(1) - } - err = addonMgr.AddAgent(agentAddon) - if err != nil { - setupLog.Error(err, "failed to add addon agent") - os.Exit(1) +func main() { + flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") + flag.BoolVar(&enableLeaderElection, "leader-elect", false, + "Enable leader election for controller manager. "+ + "Enabling this will ensure there is only one active controller manager.") + opts := zap.Options{ + Development: true, } + opts.BindFlags(flag.CommandLine) + flag.Parse() - if err := addonMgr.Start(ctx); err != nil { - setupLog.Error(err, "problem running addon manager") - os.Exit(1) - } + ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + setupLog := ctrl.Log.WithName("gateway controller setup") -} + ctx := ctrl.SetupSignalHandler() -func startGatewayController(ctx context.Context) { mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme.Scheme, Metrics: metricsserver.Options{BindAddress: metricsAddr}, 
@@ -204,45 +133,27 @@ func startGatewayController(ctx context.Context) { //+kubebuilder:scaffold:builder - if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { + if err = mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up health check") os.Exit(1) } - if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { + if err = mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up ready check") os.Exit(1) } - setupLog.Info("starting manager") - - if err := mgr.Start(ctx); err != nil { - setupLog.Error(err, "problem running controller manager") + // add addon-manager + if err = mgr.Add(addon_manager.AddonRunnable{}); err != nil { + setupLog.Error(err, "unable to add addon manager runnable") os.Exit(1) } -} + setupLog.Info("starting manager") -func main() { - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") - flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") - flag.BoolVar(&enableLeaderElection, "leader-elect", false, - "Enable leader election for controller manager. "+ - "Enabling this will ensure there is only one active controller manager.") - opts := zap.Options{ - Development: true, + if err = mgr.Start(ctx); err != nil { + setupLog.Error(err, "problem running controller manager") + os.Exit(1) } - opts.BindFlags(flag.CommandLine) - flag.Parse() - - ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) - - ctx := ctrl.SetupSignalHandler() - - wg := sync.WaitGroup{} - wg.Add(2) - go startAddonManager(ctx) - go startGatewayController(ctx) - wg.Wait() <-ctx.Done() } From d03a768cdb0ab88dd7acb55c8073bf43819d55bf Mon Sep 17 00:00:00 2001 
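Review bot: `mgr.Add(addon_manager.AddonRunnable{})` moves the addon manager into the gateway controller's process and therefore under its ServiceAccount, so the one ClusterRole bound to that SA must now carry the union of both roles — later in this series `signers approve`, `certificatesigningrequests/approval`, `roles`/`rolebindings` create and `managedclusters update` are added to the controller role, permissions the gateway reconcile loop never needed, while the separate `add-on-manager` ServiceAccount that kept them apart is deleted. If that merge is intended, a comment at the `mgr.Add` call stating the trade-off (`// NOTE: the addon manager shares this process's ServiceAccount; its OCM/CSR permissions are granted to the controller role`) will stop the next reader from trimming the role. `AddonRunnable` does not implement `NeedLeaderElection`, so with `--leader-elect` it should, as far as I recall controller-runtime's default grouping, start only on the elected leader — a change from the former unconditional goroutine that is worth mentioning. The `<-ctx.Done()` after `mgr.Start(ctx)` is dead: `Start` blocks until the context is cancelled and the error path exits, so that line can go.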
From: Maskym Vavilov Date: Wed, 21 Feb 2024 14:53:57 +0000 Subject: [PATCH 3/3] GH-661 comments p2 and rebase --- .../mgc-add-on-manager_v1_serviceaccount.yaml | 12 -- ...c.authorization.k8s.io_v1_clusterrole.yaml | 137 ------------------ ...rization.k8s.io_v1_clusterrolebinding.yaml | 13 -- ...eway-controller.clusterserviceversion.yaml | 113 ++++++++++++++- cmd/gateway_controller/main.go | 6 +- .../{addon-manager => ocm}/addon-manager.go | 2 +- .../manifests/cluster-role-binding.yaml | 0 .../manifests/cluster-role.yaml | 0 .../manifests/kuadrant-namespace.yaml | 0 .../manifests/kuadrant.yaml | 0 .../manifests/operator-group.yaml | 0 .../manifests/subscription.yaml | 0 config/rbac/add-on-clusterrole-binding.yaml | 12 -- config/rbac/add-on-clusterrole.yaml | 47 ------ config/rbac/add-on-service-account.yaml | 12 -- config/rbac/kustomization.yaml | 3 - config/rbac/role.yaml | 111 ++++++++++++++ pkg/controllers/gateway/gateway_controller.go | 17 ++- 18 files changed, 241 insertions(+), 244 deletions(-) delete mode 100644 bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml delete mode 100644 bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml delete mode 100644 bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml rename cmd/gateway_controller/{addon-manager => ocm}/addon-manager.go (99%) rename cmd/gateway_controller/{addon-manager => ocm}/manifests/cluster-role-binding.yaml (100%) rename cmd/gateway_controller/{addon-manager => ocm}/manifests/cluster-role.yaml (100%) rename cmd/gateway_controller/{addon-manager => ocm}/manifests/kuadrant-namespace.yaml (100%) rename cmd/gateway_controller/{addon-manager => ocm}/manifests/kuadrant.yaml (100%) rename cmd/gateway_controller/{addon-manager => ocm}/manifests/operator-group.yaml (100%) rename cmd/gateway_controller/{addon-manager => ocm}/manifests/subscription.yaml (100%) delete mode 100644 config/rbac/add-on-clusterrole-binding.yaml delete mode 100644 
config/rbac/add-on-clusterrole.yaml delete mode 100644 config/rbac/add-on-service-account.yaml diff --git a/bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml b/bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml deleted file mode 100644 index 0d0f0921c..000000000 --- a/bundle/manifests/mgc-add-on-manager_v1_serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: kuadrant - app.kubernetes.io/instance: add-on-manager - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: serviceaccount - app.kubernetes.io/part-of: multicluster-gateway-controller - name: mgc-add-on-manager diff --git a/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml deleted file mode 100644 index 7c312f35d..000000000 --- a/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ /dev/null 
@@ -1,137 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: mgc-kuadrant-addon -rules: -- apiGroups: - - "" - resources: - - configmaps - - events - verbs: - - get - - list - - watch - - create - - update - - delete - - deletecollection - - patch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - get - - list - - watch - - create - - update - - delete -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - get - - create -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - verbs: - - get - - list - - watch - - create - - update -- apiGroups: - - certificates.k8s.io - resources: - - signers - verbs: - - approve -- apiGroups: - - cluster.open-cluster-management.io - resources: - - managedclusters - verbs: - - get - - list - - watch - - update -- apiGroups: - - work.open-cluster-management.io - resources: - - manifestworks - verbs: - - create - - update - - get - - list - - watch - - delete - - deletecollection - - patch -- apiGroups: - - addon.open-cluster-management.io - resources: - - managedclusteraddons/finalizers - verbs: - - update -- apiGroups: - - addon.open-cluster-management.io - resources: - - clustermanagementaddons/finalizers - verbs: - - update -- apiGroups: - - addon.open-cluster-management.io - resources: - - clustermanagementaddons - verbs: - - get - - list - - watch -- apiGroups: - - addon.open-cluster-management.io - resources: - - managedclusteraddons - verbs: - - get - - list - - watch - - create - - update - - delete -- apiGroups: - - addon.open-cluster-management.io - resources: - - managedclusteraddons/status - verbs: - - update - - patch -- apiGroups: - - kuadrant.io/v1beta1 - resources: - - kuadrant - 
verbs: - - get - - list - - watch - - create - - update diff --git a/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml b/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml deleted file mode 100644 index e7e5246ae..000000000 --- a/bundle/manifests/mgc-kuadrant-addon_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - creationTimestamp: null - name: mgc-kuadrant-addon -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: mgc-kuadrant-addon -subjects: -- kind: ServiceAccount - name: mgc-add-on-manager - namespace: multicluster-gateway-controller-system diff --git a/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml b/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml index e6831eb10..19e8a48c1 100644 --- a/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml +++ b/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml @@ -4,7 +4,7 @@ metadata: annotations: alm-examples: '[]' capabilities: Basic Install - createdAt: "2024-02-02T12:19:59Z" + createdAt: "2024-02-21T15:02:50Z" operators.operatorframework.io/builder: operator-sdk-v1.28.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 name: multicluster-gateway-controller.v0.0.0 @@ -34,6 +34,20 @@ spec: - patch - update - watch + - apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch - apiGroups: - "" resources: 
@@ -43,6 +57,51 @@ spec: - get - list - watch + - apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons + verbs: + - get + - list + - watch + - apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons/finalizers + verbs: + - update + - apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/finalizers + verbs: + - update + - apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/status + verbs: + - patch + - update + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - get - apiGroups: - cert-manager.io resources: @@ -55,6 +114,23 @@ spec: - patch - update - watch + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - certificates.k8s.io + resources: + - signers + verbs: + - approve - apiGroups: - cluster.open-cluster-management.io resources: @@ -62,6 +138,7 @@ spec: verbs: - get - list + - update - watch - apiGroups: - cluster.open-cluster-management.io @@ -75,6 +152,17 @@ spec: - patch - update - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - patch + - update + - watch - apiGroups: - gateway.networking.k8s.io resources: @@ -136,6 +224,28 @@ spec: - get - list - watch + - apiGroups: + - kuadrant.io + resources: + - kuadrant + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - work.open-cluster-management.io resources: 
@@ -143,6 +253,7 @@ spec: verbs: - create - delete + - deletecollection - get - list - patch diff --git a/cmd/gateway_controller/main.go b/cmd/gateway_controller/main.go index 9b80db709..5c56440fc 100644 --- a/cmd/gateway_controller/main.go +++ b/cmd/gateway_controller/main.go @@ -20,7 +20,6 @@ import ( "flag" "os" - certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" clusterv1 "open-cluster-management.io/api/cluster/v1" clusterv1beta2 "open-cluster-management.io/api/cluster/v1beta1" workv1 "open-cluster-management.io/api/work/v1" @@ -41,8 +40,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/webhook" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" - addon_manager "github.com/Kuadrant/multicluster-gateway-controller/cmd/gateway_controller/addon-manager" - "github.com/Kuadrant/multicluster-gateway-controller/pkg/apis/v1alpha1" + "github.com/Kuadrant/multicluster-gateway-controller/cmd/gateway_controller/ocm" "github.com/Kuadrant/multicluster-gateway-controller/pkg/controllers/gateway" "github.com/Kuadrant/multicluster-gateway-controller/pkg/placement" "github.com/Kuadrant/multicluster-gateway-controller/pkg/policysync" @@ -143,7 +141,7 @@ func main() { } // add addon-manager - if err = mgr.Add(addon_manager.AddonRunnable{}); err != nil { + if err = mgr.Add(ocm.AddonRunnable{}); err != nil { setupLog.Error(err, "unable to add addon manager runnable") os.Exit(1) } diff --git a/cmd/gateway_controller/addon-manager/addon-manager.go b/cmd/gateway_controller/ocm/addon-manager.go similarity index 99% rename from cmd/gateway_controller/addon-manager/addon-manager.go rename to cmd/gateway_controller/ocm/addon-manager.go index ab8b79bf5..5560da4a7 100644 --- a/cmd/gateway_controller/addon-manager/addon-manager.go +++ b/cmd/gateway_controller/ocm/addon-manager.go @@ -1,4 +1,4 @@ -package addon_manager +package ocm import ( "context" 
diff --git a/cmd/gateway_controller/addon-manager/manifests/cluster-role-binding.yaml b/cmd/gateway_controller/ocm/manifests/cluster-role-binding.yaml similarity index 100% rename from cmd/gateway_controller/addon-manager/manifests/cluster-role-binding.yaml rename to cmd/gateway_controller/ocm/manifests/cluster-role-binding.yaml diff --git a/cmd/gateway_controller/addon-manager/manifests/cluster-role.yaml b/cmd/gateway_controller/ocm/manifests/cluster-role.yaml similarity index 100% rename from cmd/gateway_controller/addon-manager/manifests/cluster-role.yaml rename to cmd/gateway_controller/ocm/manifests/cluster-role.yaml diff --git a/cmd/gateway_controller/addon-manager/manifests/kuadrant-namespace.yaml b/cmd/gateway_controller/ocm/manifests/kuadrant-namespace.yaml similarity index 100% rename from cmd/gateway_controller/addon-manager/manifests/kuadrant-namespace.yaml rename to cmd/gateway_controller/ocm/manifests/kuadrant-namespace.yaml diff --git a/cmd/gateway_controller/addon-manager/manifests/kuadrant.yaml b/cmd/gateway_controller/ocm/manifests/kuadrant.yaml similarity index 100% rename from cmd/gateway_controller/addon-manager/manifests/kuadrant.yaml rename to cmd/gateway_controller/ocm/manifests/kuadrant.yaml diff --git a/cmd/gateway_controller/addon-manager/manifests/operator-group.yaml b/cmd/gateway_controller/ocm/manifests/operator-group.yaml similarity index 100% rename from cmd/gateway_controller/addon-manager/manifests/operator-group.yaml rename to cmd/gateway_controller/ocm/manifests/operator-group.yaml diff --git a/cmd/gateway_controller/addon-manager/manifests/subscription.yaml b/cmd/gateway_controller/ocm/manifests/subscription.yaml similarity index 100% rename from cmd/gateway_controller/addon-manager/manifests/subscription.yaml rename to cmd/gateway_controller/ocm/manifests/subscription.yaml diff --git a/config/rbac/add-on-clusterrole-binding.yaml b/config/rbac/add-on-clusterrole-binding.yaml deleted file mode 100644 index 1fef77a55..000000000 
--- a/config/rbac/add-on-clusterrole-binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kuadrant-addon -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kuadrant-addon -subjects: -- kind: ServiceAccount - name: add-on-manager - namespace: system \ No newline at end of file diff --git a/config/rbac/add-on-clusterrole.yaml b/config/rbac/add-on-clusterrole.yaml deleted file mode 100644 index 601671766..000000000 --- a/config/rbac/add-on-clusterrole.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ - kind: ClusterRole - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: kuadrant-addon - rules: - - apiGroups: [""] - resources: ["configmaps", "events"] - verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles", "rolebindings"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["get", "create"] - - apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests", "certificatesigningrequests/approval"] - verbs: ["get", "list", "watch", "create", "update"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - verbs: ["approve"] - - apiGroups: ["cluster.open-cluster-management.io"] - resources: ["managedclusters"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["work.open-cluster-management.io"] - resources: ["manifestworks"] - verbs: ["create", "update", "get", "list", "watch", "delete", "deletecollection", "patch"] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["managedclusteraddons/finalizers"] - verbs: ["update"] - - apiGroups: [ "addon.open-cluster-management.io" ] - resources: [ "clustermanagementaddons/finalizers" ] - verbs: [ "update" ] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["clustermanagementaddons"] - verbs: ["get", "list", "watch"] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["managedclusteraddons"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["managedclusteraddons/status"] - verbs: ["update", "patch"] - - apiGroups: ["kuadrant.io/v1beta1"] - resources: ["kuadrant"] - verbs: ["get", "list", "watch", "create", "update"] \ 
No newline at end of file diff --git a/config/rbac/add-on-service-account.yaml b/config/rbac/add-on-service-account.yaml deleted file mode 100644 index 808e02f15..000000000 --- a/config/rbac/add-on-service-account.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/name: serviceaccount - app.kubernetes.io/instance: add-on-manager - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: kuadrant - app.kubernetes.io/part-of: multicluster-gateway-controller - app.kubernetes.io/managed-by: kustomize - name: add-on-manager - namespace: system diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 02adf2b00..731832a6a 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -16,6 +16,3 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml -- add-on-service-account.yaml -- add-on-clusterrole.yaml -- add-on-clusterrole-binding.yaml diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 82d2d04ee..cb914d7ba 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -17,6 +17,20 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch - apiGroups: - "" resources: 
@@ -26,6 +40,51 @@ rules: - get - list - watch +- apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons + verbs: + - get + - list + - watch +- apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons/finalizers + verbs: + - update +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/finalizers + verbs: + - update +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/status + verbs: + - patch + - update +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - get - apiGroups: - cert-manager.io resources: @@ -38,6 +97,23 @@ rules: - patch - update - watch +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - certificates.k8s.io + resources: + - signers + verbs: + - approve - apiGroups: - cluster.open-cluster-management.io resources: @@ -45,6 +121,7 @@ rules: verbs: - get - list + - update - watch - apiGroups: - cluster.open-cluster-management.io @@ -58,6 +135,17 @@ rules: - patch - update - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - patch + - update + - watch - apiGroups: - gateway.networking.k8s.io resources: @@ -119,6 +207,28 @@ rules: - get - list - watch +- apiGroups: + - kuadrant.io + resources: + - kuadrant + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - work.open-cluster-management.io resources: 
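Review bot: The `certificates.k8s.io` rule granting `approve` on `signers` (together with `update` on `certificatesigningrequests/approval` and `create` on `certificatesigningrequests`) is unscoped, which lets the controller's ServiceAccount approve a CSR for any signer, including `kubernetes.io/kube-apiserver-client` — approving a client-certificate CSR that names a privileged group is equivalent to handing out cluster-admin, so this is the most sensitive rule in the file. The rule is carried over verbatim from the deleted `kuadrant-addon` ClusterRole, but the agent addon built in `addon-manager.go` sets no `WithAgentRegistrationOption`, so the addon-framework CSR-approval path these verbs serve appears unused; if so the rule should be dropped, and otherwise restricted with `resourceNames` to the signer the addon registration actually uses. This file looks generated from the `+kubebuilder:rbac` markers added in `gateway_controller.go`, so the change belongs in that marker, e.g. `// +kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,resourceNames=<signer-name>,verbs=approve`, with `config/rbac/role.yaml` and the bundle CSV regenerated. The same scoping question applies to the `rbac.authorization.k8s.io` `roles`/`rolebindings` create rule, which lets the controller grant any permission it holds itself within a namespace.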
@@ -126,6 +236,7 @@ rules: verbs: - create - delete + - deletecollection - get - list - patch diff --git a/pkg/controllers/gateway/gateway_controller.go b/pkg/controllers/gateway/gateway_controller.go index 002a52162..8170cbad4 100644 --- a/pkg/controllers/gateway/gateway_controller.go +++ b/pkg/controllers/gateway/gateway_controller.go 
@@ -78,14 +78,27 @@ type GatewayPlacer interface { GetAddresses(ctx context.Context, gateway *gatewayapiv1.Gateway, downstream string) ([]gatewayapiv1.GatewayAddress, error) } +// +kubebuilder:rbac:groups="",resources=configmaps;events,verbs=get;list;watch;create;update;delete;deletecollection;patch +// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;delete +// +kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=get;create +// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests;certificatesigningrequests/approval,verbs=get;list;watch;create;update +// +kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,verbs=approve +// +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;watch;update +// +kubebuilder:rbac:groups=work.open-cluster-management.io,resources=manifestworks,verbs=get;list;watch;create;update;delete;deletecollection;patch +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=managedclusteraddons/finalizers,verbs=update +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=clustermanagementaddons/finalizers,verbs=update +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=clustermanagementaddons,verbs=get;list;watch +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=managedclusteraddons,verbs=get;list;watch;create;update;delete +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=managedclusteraddons/status,verbs=update;patch +// +kubebuilder:rbac:groups=kuadrant.io,resources=kuadrant,verbs=get;list;watch;create;update + // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch;create;update;patch;delete // 
+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=get;update;patch // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/finalizers,verbs=update -// +kubebuilder:rbac:groups=work.open-cluster-management.io,resources=manifestworks,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placementdecisions,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;delete // +kubebuilder:rbac:groups="cert-manager.io",resources=certificates,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;watch // +kubebuilder:rbac:groups="kuadrant.io",resources=authpolicies;ratelimitpolicies,verbs=get;list;watch