From dc55d01139a1eb14cac739dfc7fcd9aa84192e96 Mon Sep 17 00:00:00 2001 
From: craig Date: Fri, 3 Nov 2023 08:50:19 +0000 Subject: [PATCH] wip allow policy controller to be deployed independantly give policy controller gateway perms give policy controller secret perms move crds update bundle change local-setup mgc to use new crd location move install and uninstall to policy.make --- .github/workflows/ci-e2e.yaml | 5 +- .github/workflows/controller-image.yaml | 1 + .../workflows/policy-controller-image.yaml | 1 + Makefile | 19 +- README.md | 11 +- ...eway-controller.clusterserviceversion.yaml | 186 +++++++++++----- config/add-on-manager/kustomization.yaml | 2 + config/add-on-manager/manager.yaml | 2 +- .../delete-kuadrant-system-ns-object.yaml | 6 + config/default/kustomization.yaml | 30 +-- config/default/namespace.yaml | 12 - config/manager/kustomization.yaml | 5 +- config/manager/manager.yaml | 7 + .../kuadrant.io_dnshealthcheckprobes.yaml | 0 .../crd/bases/kuadrant.io_dnspolicies.yaml | 0 .../crd/bases/kuadrant.io_dnsrecords.yaml | 0 .../crd/bases/kuadrant.io_managedzones.yaml | 0 .../crd/bases/kuadrant.io_tlspolicies.yaml | 0 .../crd/kustomization.yaml | 0 .../crd/kustomizeconfig.yaml | 0 .../crd/patches/policy-patch.yaml | 0 .../default/issuer.yaml | 0 .../default/kustomization.yaml | 16 ++ .../{ => manager}/kustomization.yaml | 7 +- .../{ => manager}/manager.yaml | 9 +- .../rbac/dnsrecord_editor_role.yaml | 0 .../rbac/dnsrecord_viewer_role.yaml | 0 .../policy-controller/rbac/kustomization.yaml | 13 ++ .../rbac/leader_election_role.yaml | 45 ++++ .../rbac/leader_election_role_binding.yaml | 19 ++ .../rbac/managedzone_editor_role.yaml | 0 .../rbac/managedzone_viewer_role.yaml | 0 config/policy-controller/rbac/role.yaml | 208 ++++++++++++++++++ .../policy-controller/rbac/rolebinding.yaml | 19 ++ .../rbac/service_account.yaml | 12 + .../rbac/tlspolicy_editor_role.yaml | 0 .../rbac/tlspolicy_viewer_role.yaml | 0 config/rbac/role.yaml | 154 ------------- docs/contribution/vscode-debugging.md | 2 +- 
docs/demos/dns-policy/dnspolicy-demo.md | 8 +- ...r-poc-2-gateways-resiliency-walkthrough.md | 6 +- .../submariner-poc-hub-gateway-walkthrough.md | 8 +- hack/.deployUtils | 4 +- hack/make/policy_controller.make | 10 + .../dnspolicy/dnspolicy_controller.go | 3 + pkg/controllers/gateway/gateway_controller.go | 14 -- .../tlspolicy/tlspolicy_controller.go | 2 + test/gateway_integration/suite_test.go | 2 +- test/policy_integration/suite_test.go | 2 +- 49 files changed, 563 insertions(+), 287 deletions(-) create mode 100644 config/default/delete-kuadrant-system-ns-object.yaml delete mode 100644 config/default/namespace.yaml rename config/{ => policy-controller}/crd/bases/kuadrant.io_dnshealthcheckprobes.yaml (100%) rename config/{ => policy-controller}/crd/bases/kuadrant.io_dnspolicies.yaml (100%) rename config/{ => policy-controller}/crd/bases/kuadrant.io_dnsrecords.yaml (100%) rename config/{ => policy-controller}/crd/bases/kuadrant.io_managedzones.yaml (100%) rename config/{ => policy-controller}/crd/bases/kuadrant.io_tlspolicies.yaml (100%) rename config/{ => policy-controller}/crd/kustomization.yaml (100%) rename config/{ => policy-controller}/crd/kustomizeconfig.yaml (100%) rename config/{ => policy-controller}/crd/patches/policy-patch.yaml (100%) rename config/{ => policy-controller}/default/issuer.yaml (100%) create mode 100644 config/policy-controller/default/kustomization.yaml rename config/policy-controller/{ => manager}/kustomization.yaml (57%) rename config/policy-controller/{ => manager}/manager.yaml (92%) rename config/{ => policy-controller}/rbac/dnsrecord_editor_role.yaml (100%) rename config/{ => policy-controller}/rbac/dnsrecord_viewer_role.yaml (100%) create mode 100644 config/policy-controller/rbac/kustomization.yaml create mode 100644 config/policy-controller/rbac/leader_election_role.yaml create mode 100644 config/policy-controller/rbac/leader_election_role_binding.yaml rename config/{ => policy-controller}/rbac/managedzone_editor_role.yaml (100%) 
rename config/{ => policy-controller}/rbac/managedzone_viewer_role.yaml (100%) create mode 100644 config/policy-controller/rbac/role.yaml create mode 100644 config/policy-controller/rbac/rolebinding.yaml create mode 100644 config/policy-controller/rbac/service_account.yaml rename config/{ => policy-controller}/rbac/tlspolicy_editor_role.yaml (100%) rename config/{ => policy-controller}/rbac/tlspolicy_viewer_role.yaml (100%) diff --git a/.github/workflows/ci-e2e.yaml b/.github/workflows/ci-e2e.yaml index d3d875c35..95f273216 100644 --- a/.github/workflows/ci-e2e.yaml +++ b/.github/workflows/ci-e2e.yaml @@ -5,6 +5,7 @@ on: branches: - main - "release-*" + - separate-controller-deploy tags: - "v[0-9]+.[0-9]+.[0-9]+" paths-ignore: 
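Review bot: The `- separate-controller-deploy` entry added under `branches` wires a work-in-progress feature branch into the CI trigger, and the same entry is added to controller-image.yaml and policy-controller-image.yaml in the following hunks. The image references are likewise moved from `:main` to `:separate-controller-deploy` in config/manager/kustomization.yaml, config/policy-controller/manager/kustomization.yaml and the bundle CSV, so anyone installing from the bundle would pull a mutable branch tag. If these exist only to exercise the branch, they should go back to `main` before merge; the commit title itself is marked `wip`.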
@@ -69,9 +70,9 @@ jobs: run: | make docker-build-gateway-controller kind-load-gateway-controller docker-build-policy-controller kind-load-policy-controller deploy-gateway-controller kubectl --context kind-mgc-control-plane -n multicluster-gateway-controller-system wait --timeout=300s --for=condition=Available deployment/mgc-controller-manager - kubectl --context kind-mgc-control-plane -n multicluster-gateway-controller-system wait --timeout=300s --for=condition=Available deployment/mgc-policy-controller-manager + kubectl --context kind-mgc-control-plane -n multicluster-gateway-controller-system wait --timeout=300s --for=condition=Available deployment/mgc-kuadrant-policy-controller-manager kubectl --context kind-mgc-control-plane logs --all-containers --ignore-errors deployment/mgc-controller-manager -n multicluster-gateway-controller-system - kubectl --context kind-mgc-control-plane logs --all-containers --ignore-errors deployment/mgc-policy-controller-manager -n multicluster-gateway-controller-system + kubectl --context kind-mgc-control-plane logs --all-containers --ignore-errors deployment/mgc-kuadrant-policy-controller-manager -n multicluster-gateway-controller-system kubectl get managedzones -n multi-cluster-gateways mgc-dev-mz-aws -o yaml kubectl --context kind-mgc-control-plane -n multi-cluster-gateways wait --timeout=60s --for=condition=Ready managedzone/mgc-dev-mz-aws kubectl get managedzones -n multi-cluster-gateways mgc-dev-mz-gcp -o yaml diff --git a/.github/workflows/controller-image.yaml b/.github/workflows/controller-image.yaml index e707e81e9..6e3315642 100644 --- a/.github/workflows/controller-image.yaml +++ b/.github/workflows/controller-image.yaml @@ -5,6 +5,7 @@ on: branches: - main - "release-*" + - separate-controller-deploy tags: - "v[0-9]+.[0-9]+.[0-9]+" diff --git a/.github/workflows/policy-controller-image.yaml b/.github/workflows/policy-controller-image.yaml index f48418dda..a53e2acd7 100644 
--- a/.github/workflows/policy-controller-image.yaml +++ b/.github/workflows/policy-controller-image.yaml @@ -5,6 +5,7 @@ on: branches: - main - "release-*" + - separate-controller-deploy tags: - "v[0-9]+.[0-9]+.[0-9]+" diff --git a/Makefile b/Makefile index d55e3b20d..3d42975e1 100644 --- a/Makefile +++ b/Makefile @@ -47,9 +47,17 @@ clean: ## Clean up temporary files. -rm -rf ./tmp -rm -rf ./config/**/charts +.PHONY: gateway-manifests +gateway-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. + $(CONTROLLER_GEN) rbac:roleName=manager-role paths="./pkg/controllers/gateway" output:rbac:artifacts:config=config/rbac + +.PHONY: policy-manifests +policy-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. + $(CONTROLLER_GEN) rbac:roleName=policy-role paths="./pkg/controllers/dnshealthcheckprobe" paths="./pkg/controllers/dnspolicy" paths="./pkg/controllers/dnsrecord" paths="./pkg/controllers/managedzone" paths="./pkg/controllers/tlspolicy" output:rbac:dir=config/policy-controller/rbac + $(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=config/policy-controller/crd/bases + .PHONY: manifests -manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=manager-role crd paths="./..." output:crd:artifacts:config=config/crd/bases +manifests: gateway-manifests policy-manifests .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. 
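Review bot: The help text on the new `gateway-manifests` target, `## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.`, no longer describes what it does: its only recipe line is the `rbac:roleName=manager-role` run, while CRD generation now lives in `policy-manifests`. Suggest `gateway-manifests: controller-gen ## Generate the gateway controller ClusterRole.` and `policy-manifests: controller-gen ## Generate the policy controller ClusterRole and CustomResourceDefinition objects.`. The two targets also spell the output rule differently (`output:rbac:artifacts:config=` versus `output:rbac:dir=`); using one form in both would make the pair easier to compare when the RBAC output moves again.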
@@ -117,13 +125,6 @@ ifndef ignore-not-found ignore-not-found = false endif -.PHONY: install -install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/crd | kubectl apply -f - - -.PHONY: uninstall -uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f - .PHONY: deploy-sample-applicationset deploy-sample-applicationset: diff --git a/README.md b/README.md index cdf0b564f..eacbe592a 100644 --- a/README.md +++ b/README.md @@ -43,10 +43,12 @@ When deploying the multicluster gateway controller using the make targets, the f 1. Build the controller image and load it into the control plane ```sh kubectl config use-context kind-mgc-control-plane - make kind-load-policy-controller + make kind-load-gateway-controller + kubectl config use-context kind-mgc-control-plane - make kind-load-gateway-controller + make kind-load-policy-controller + ``` 1. Deploy the controller(s) to the control plane cluster @@ -71,11 +73,12 @@ When deploying the multicluster gateway controller using the make targets, the f 1. Run the controller locally: ```sh + kubectl config use-context kind-mgc-control-plane - make build-policy-controller install run-policy-controller + make build-gateway-controller install run-gateway-controller kubectl config use-context kind-mgc-control-plane - make build-gateway-controller install run-gatewway-controller + make build-policy-controller install run-policy-controller ``` ## 3. Running the agent in the cluster: diff --git a/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml b/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml index de772a979..95132f401 100644 
--- a/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml +++ b/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml @@ -4,7 +4,7 @@ metadata: annotations: alm-examples: '[]' capabilities: Basic Install - createdAt: "2023-10-27T14:36:31Z" + createdAt: "2023-11-06T07:47:49Z" operators.operatorframework.io/builder: operator-sdk-v1.28.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 name: multicluster-gateway-controller.v0.0.0 @@ -206,28 +206,6 @@ spec: - patch - update - watch - - apiGroups: - - cert-manager.io - resources: - - clusterissuers - verbs: - - get - - list - - apiGroups: - - cert-manager.io - resources: - - issuers - verbs: - - get - - list - - apiGroups: - - cluster.open-cluster-management.io - resources: - - managedclusters - verbs: - - get - - list - - watch - apiGroups: - cluster.open-cluster-management.io resources: 
@@ -301,6 +279,101 @@ spec: - get - list - watch + - apiGroups: + - work.open-cluster-management.io + resources: + - manifestworks + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + serviceAccountName: mgc-controller-manager + - rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - delete + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cert-manager.io + resources: + - clusterissuers + verbs: + - get + - list + - apiGroups: + - cert-manager.io + resources: + - issuers + verbs: + - get + - list + - apiGroups: + - cluster.open-cluster-management.io + resources: + - managedclusters + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update - apiGroups: - kuadrant.io resources: @@ -433,31 +506,7 @@ spec: - get - patch - update - - apiGroups: - - work.open-cluster-management.io - resources: - - manifestworks - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - serviceAccountName: mgc-controller-manager + serviceAccountName: mgc-kuadrant-policy-controller deployments: - label: app.kubernetes.io/component: manager 
@@ -487,7 +536,7 @@ spec: - --leader-elect command: - /controller - image: quay.io/kuadrant/multicluster-gateway-controller:main + image: quay.io/kuadrant/multicluster-gateway-controller:separate-controller-deploy imagePullPolicy: Always livenessProbe: httpGet: @@ -579,7 +628,7 @@ spec: app.kubernetes.io/name: deployment app.kubernetes.io/part-of: kuadrant control-plane: controller-manager - name: mgc-policy-controller-manager + name: mgc-kuadrant-policy-controller-manager spec: replicas: 1 selector: @@ -598,7 +647,7 @@ spec: - --leader-elect command: - /policy_controller - image: quay.io/kuadrant/policy-controller:main + image: quay.io/kuadrant/policy-controller:separate-controller-deploy imagePullPolicy: Always livenessProbe: httpGet: @@ -627,7 +676,7 @@ spec: - ALL securityContext: runAsNonRoot: true - serviceAccountName: mgc-controller-manager + serviceAccountName: mgc-kuadrant-policy-controller terminationGracePeriodSeconds: 10 permissions: - rules: @@ -663,6 +712,39 @@ spec: - create - patch serviceAccountName: mgc-controller-manager + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: mgc-kuadrant-policy-controller strategy: deployment installModes: - supported: false diff --git a/config/add-on-manager/kustomization.yaml b/config/add-on-manager/kustomization.yaml index 9961f0a40..57a44f48f 100644 --- a/config/add-on-manager/kustomization.yaml +++ b/config/add-on-manager/kustomization.yaml @@ -1,6 +1,8 @@ resources: - manager.yaml - cluster-management-addon.yaml + + apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: 
diff --git a/config/add-on-manager/manager.yaml b/config/add-on-manager/manager.yaml index fd1284a41..c811da1f6 100644 --- a/config/add-on-manager/manager.yaml +++ b/config/add-on-manager/manager.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: kuadrant-add-on-manager - namespace: system + namespace: multicluster-gateway-controller-system labels: control-plane: kuadrant-add-on-manager app.kubernetes.io/name: deployment diff --git a/config/default/delete-kuadrant-system-ns-object.yaml b/config/default/delete-kuadrant-system-ns-object.yaml new file mode 100644 index 000000000..b64be7c28 --- /dev/null +++ b/config/default/delete-kuadrant-system-ns-object.yaml @@ -0,0 +1,6 @@ +--- +$patch: delete +apiVersion: v1 +kind: Namespace +metadata: + name: kuadrant-system \ No newline at end of file diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index cad637732..37923ec6e 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -1,6 +1,4 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -# Adds namespace to all resources. + namespace: multicluster-gateway-controller-system # Value of this field is prepended to the 
@@ -10,30 +8,14 @@ namespace: multicluster-gateway-controller-system # field above. namePrefix: mgc- -# Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -#- ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -#- ../prometheus - -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. -# 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml - resources: -- ../crd - ../rbac -- namespace.yaml - ../manager - ../add-on-manager -- ../policy-controller +- ../policy-controller/default + patches: - path: manager_metrics_patch.yaml + +patchesStrategicMerge: + - delete-kuadrant-system-ns-object.yaml diff --git a/config/default/namespace.yaml b/config/default/namespace.yaml deleted file mode 100644 index 46765a6bd..000000000 --- a/config/default/namespace.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - app.kubernetes.io/name: namespace - app.kubernetes.io/instance: system - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: multicluster-gateway-controller - app.kubernetes.io/part-of: multicluster-gateway-controller - app.kubernetes.io/managed-by: kustomize - name: system \ No newline at end of file diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 730f91846..112ec0fb9 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml 
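Review bot: The new `patchesStrategicMerge:` list sits next to the existing `patches:` list; `patchesStrategicMerge` is deprecated in current kustomize releases and the delete patch can be added to the existing list instead, `patches:` / `- path: manager_metrics_patch.yaml` / `- path: delete-kuadrant-system-ns-object.yaml`. The delete patch hard-codes the Namespace name `kuadrant-system`, which only exists because config/policy-controller/default/kustomization.yaml sets `namespace: kuadrant-system` and config/policy-controller/manager/manager.yaml now carries a Namespace object, so a one-line comment above the entry such as `# drop the policy-controller overlay's own Namespace; this overlay re-homes everything into multicluster-gateway-controller-system` would save the next reader from reconstructing that chain. This hunk, together with the config/manager/kustomization.yaml and config/policy-controller/manager/kustomization.yaml hunks, also removes the `apiVersion`/`kind` header; kustomize appears to accept a kustomization without it, but keeping the header is harmless and matches the files this commit leaves untouched.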
@@ -1,8 +1,7 @@ resources: - manager.yaml -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization + images: - name: controller newName: quay.io/kuadrant/multicluster-gateway-controller - newTag: main + newTag: separate-controller-deploy \ No newline at end of file diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 40e122e5d..13fdb76e2 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -1,3 +1,10 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: system +--- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/config/crd/bases/kuadrant.io_dnshealthcheckprobes.yaml b/config/policy-controller/crd/bases/kuadrant.io_dnshealthcheckprobes.yaml similarity index 100% rename from config/crd/bases/kuadrant.io_dnshealthcheckprobes.yaml rename to config/policy-controller/crd/bases/kuadrant.io_dnshealthcheckprobes.yaml diff --git a/config/crd/bases/kuadrant.io_dnspolicies.yaml b/config/policy-controller/crd/bases/kuadrant.io_dnspolicies.yaml similarity index 100% rename from config/crd/bases/kuadrant.io_dnspolicies.yaml rename to config/policy-controller/crd/bases/kuadrant.io_dnspolicies.yaml diff --git a/config/crd/bases/kuadrant.io_dnsrecords.yaml b/config/policy-controller/crd/bases/kuadrant.io_dnsrecords.yaml similarity index 100% rename from config/crd/bases/kuadrant.io_dnsrecords.yaml rename to config/policy-controller/crd/bases/kuadrant.io_dnsrecords.yaml diff --git a/config/crd/bases/kuadrant.io_managedzones.yaml b/config/policy-controller/crd/bases/kuadrant.io_managedzones.yaml similarity index 100% rename from config/crd/bases/kuadrant.io_managedzones.yaml rename to config/policy-controller/crd/bases/kuadrant.io_managedzones.yaml 
diff --git a/config/crd/bases/kuadrant.io_tlspolicies.yaml b/config/policy-controller/crd/bases/kuadrant.io_tlspolicies.yaml similarity index 100% rename from config/crd/bases/kuadrant.io_tlspolicies.yaml rename to config/policy-controller/crd/bases/kuadrant.io_tlspolicies.yaml diff --git a/config/crd/kustomization.yaml b/config/policy-controller/crd/kustomization.yaml similarity index 100% rename from config/crd/kustomization.yaml rename to config/policy-controller/crd/kustomization.yaml diff --git a/config/crd/kustomizeconfig.yaml b/config/policy-controller/crd/kustomizeconfig.yaml similarity index 100% rename from config/crd/kustomizeconfig.yaml rename to config/policy-controller/crd/kustomizeconfig.yaml diff --git a/config/crd/patches/policy-patch.yaml b/config/policy-controller/crd/patches/policy-patch.yaml similarity index 100% rename from config/crd/patches/policy-patch.yaml rename to config/policy-controller/crd/patches/policy-patch.yaml diff --git a/config/default/issuer.yaml b/config/policy-controller/default/issuer.yaml similarity index 100% rename from config/default/issuer.yaml rename to config/policy-controller/default/issuer.yaml diff --git a/config/policy-controller/default/kustomization.yaml b/config/policy-controller/default/kustomization.yaml new file mode 100644 index 000000000..6ccbcf067 --- /dev/null +++ b/config/policy-controller/default/kustomization.yaml @@ -0,0 +1,16 @@ + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: kuadrant- + + +resources: +- ../manager +- ./issuer.yaml +- ../crd +- ../rbac + +namespace: kuadrant-system \ No newline at end of file 
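Review bot: The header comment in the new config/policy-controller/default/kustomization.yaml says the prefix should match `the namespace field above`, but in this file `namespace: kuadrant-system` is the last line, after `resources:`. Either move `namespace:` up next to `namePrefix: kuadrant-` or shorten the comment to `# Prefix added to the names of all resources in this overlay.`; the leading blank line, the double blank line before `resources:` and the missing trailing newline could be tidied at the same time. As written the file reads as a partially edited copy of the kubebuilder scaffold rather than a deliberate overlay.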
diff --git a/config/policy-controller/kustomization.yaml b/config/policy-controller/manager/kustomization.yaml similarity index 57% rename from config/policy-controller/kustomization.yaml rename to config/policy-controller/manager/kustomization.yaml index 4fe55410a..057bfc975 100644 --- a/config/policy-controller/kustomization.yaml +++ b/config/policy-controller/manager/kustomization.yaml @@ -1,8 +1,9 @@ + + resources: - manager.yaml -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization + images: - name: policy-controller newName: quay.io/kuadrant/policy-controller - newTag: main + newTag: separate-controller-deploy \ No newline at end of file diff --git a/config/policy-controller/manager.yaml b/config/policy-controller/manager/manager.yaml similarity index 92% rename from config/policy-controller/manager.yaml rename to config/policy-controller/manager/manager.yaml index ab13c4927..75e22bb93 100644 --- a/config/policy-controller/manager.yaml +++ b/config/policy-controller/manager/manager.yaml @@ -1,3 +1,10 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: system +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -59,5 +66,5 @@ spec: requests: cpu: 10m memory: 64Mi - serviceAccountName: controller-manager + serviceAccountName: policy-controller terminationGracePeriodSeconds: 10 diff --git a/config/rbac/dnsrecord_editor_role.yaml b/config/policy-controller/rbac/dnsrecord_editor_role.yaml similarity index 100% rename from config/rbac/dnsrecord_editor_role.yaml rename to config/policy-controller/rbac/dnsrecord_editor_role.yaml diff --git a/config/rbac/dnsrecord_viewer_role.yaml b/config/policy-controller/rbac/dnsrecord_viewer_role.yaml similarity index 100% rename from config/rbac/dnsrecord_viewer_role.yaml rename to config/policy-controller/rbac/dnsrecord_viewer_role.yaml 
diff --git a/config/policy-controller/rbac/kustomization.yaml b/config/policy-controller/rbac/kustomization.yaml new file mode 100644 index 000000000..de0a9b8a7 --- /dev/null +++ b/config/policy-controller/rbac/kustomization.yaml @@ -0,0 +1,13 @@ +resources: +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +- service_account.yaml +- role.yaml +- rolebinding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +- dnsrecord_editor_role.yaml +- dnsrecord_viewer_role.yaml \ No newline at end of file diff --git a/config/policy-controller/rbac/leader_election_role.yaml b/config/policy-controller/rbac/leader_election_role.yaml new file mode 100644 index 000000000..1e08c2a87 --- /dev/null +++ b/config/policy-controller/rbac/leader_election_role.yaml @@ -0,0 +1,45 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: role + app.kubernetes.io/instance: policy-controller-leader-election-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: policy-controller + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + name: policy-controller-leader-election-role + namespace: system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch 
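Review bot: The new rbac kustomization lists `dnsrecord_editor_role.yaml` and `dnsrecord_viewer_role.yaml` but none of the managedzone or tlspolicy editor/viewer roles that this same commit renames into the directory. If those roles are meant to ship with the policy controller, the four remaining `*_editor_role.yaml` / `*_viewer_role.yaml` files need entries here; if they are intentionally left out, as may have been the case in the old config/rbac kustomization (not visible in this patch), a one-line comment such as `# managedzone/tlspolicy editor and viewer roles are not installed by default` would stop the gap being "fixed" by accident later.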
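Review bot: The `configmaps` rule in the new leader-election Role grants create/update/patch/delete on every ConfigMap in the namespace, which is only needed by the legacy ConfigMap-based resource lock; the controller-runtime default lock uses `leases`, which the following rule already covers. If the policy controller starts with the default lock (its entry point is not in this patch, so this is inferred), the `configmaps` rule can be dropped here and from the matching `permissions` block added to the bundle CSV; otherwise a comment above the rule naming the lock type that requires it would justify keeping the broader grant.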
diff --git a/config/policy-controller/rbac/leader_election_role_binding.yaml b/config/policy-controller/rbac/leader_election_role_binding.yaml new file mode 100644 index 000000000..fd6f1f18c --- /dev/null +++ b/config/policy-controller/rbac/leader_election_role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rolebinding + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: multicluster-gateway-controller + app.kubernetes.io/part-of: multicluster-gateway-controller + app.kubernetes.io/managed-by: kustomize + name: policy-controller-leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-controller-leader-election-role +subjects: +- kind: ServiceAccount + name: policy-controller + namespace: system diff --git a/config/rbac/managedzone_editor_role.yaml b/config/policy-controller/rbac/managedzone_editor_role.yaml similarity index 100% rename from config/rbac/managedzone_editor_role.yaml rename to config/policy-controller/rbac/managedzone_editor_role.yaml diff --git a/config/rbac/managedzone_viewer_role.yaml b/config/policy-controller/rbac/managedzone_viewer_role.yaml similarity index 100% rename from config/rbac/managedzone_viewer_role.yaml rename to config/policy-controller/rbac/managedzone_viewer_role.yaml diff --git a/config/policy-controller/rbac/role.yaml b/config/policy-controller/rbac/role.yaml new file mode 100644 index 000000000..9f4981ab4 --- /dev/null +++ b/config/policy-controller/rbac/role.yaml 
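Review bot: The labels on the new RoleBinding read `app.kubernetes.io/created-by: multicluster-gateway-controller` and `app.kubernetes.io/part-of: multicluster-gateway-controller`, while every other file this commit adds under config/policy-controller/rbac uses `created-by: policy-controller` and `part-of: kuadrant`, and the instance label `leader-election-rolebinding` lacks the `policy-controller-` prefix carried by the Role it binds. Unlike leader_election_role.yaml, the binding also has no `namespace: system` under metadata; kustomize will put it in the overlay namespace regardless, but the explicit field keeps the two files symmetric. Suggest `app.kubernetes.io/created-by: policy-controller`, `app.kubernetes.io/part-of: kuadrant` and `namespace: system` here.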
@@ -0,0 +1,208 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: policy-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - delete + - get + - list + - watch +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - cert-manager.io + resources: + - clusterissuers + verbs: + - get + - list +- apiGroups: + - cert-manager.io + resources: + - issuers + verbs: + - get + - list +- apiGroups: + - cluster.open-cluster-management.io + resources: + - managedclusters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - kuadrant.io + resources: + - dnshealthcheckprobes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - kuadrant.io + resources: + - dnshealthcheckprobes/finalizers + verbs: + - get + - patch + - update +- apiGroups: + - kuadrant.io + resources: + - dnshealthcheckprobes/status + verbs: + - get + - patch + - update +- apiGroups: + - kuadrant.io + resources: + - dnspolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - kuadrant.io + resources: + - dnspolicies/finalizers + verbs: + - update +- apiGroups: + - kuadrant.io + resources: + - dnspolicies/status + verbs: + - get + - patch + - update +- apiGroups: + - kuadrant.io + resources: + - dnsrecords + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - kuadrant.io + resources: + - dnsrecords/finalizers + verbs: + - update +- apiGroups: + 
- kuadrant.io + resources: + - dnsrecords/status + verbs: + - get + - patch + - update +- apiGroups: + - kuadrant.io + resources: + - managedzones + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - kuadrant.io + resources: + - managedzones/finalizers + verbs: + - update +- apiGroups: + - kuadrant.io + resources: + - managedzones/status + verbs: + - get + - patch + - update +- apiGroups: + - kuadrant.io + resources: + - tlspolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - kuadrant.io + resources: + - tlspolicies/finalizers + verbs: + - update +- apiGroups: + - kuadrant.io + resources: + - tlspolicies/status + verbs: + - get + - patch + - update diff --git a/config/policy-controller/rbac/rolebinding.yaml b/config/policy-controller/rbac/rolebinding.yaml new file mode 100644 index 000000000..2202796e9 --- /dev/null +++ b/config/policy-controller/rbac/rolebinding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: policy-controller + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + name: policy-controller-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: policy-role +subjects: +- kind: ServiceAccount + name: policy-controller + namespace: system diff --git a/config/policy-controller/rbac/service_account.yaml b/config/policy-controller/rbac/service_account.yaml new file mode 100644 index 000000000..9a18634f0 --- /dev/null +++ b/config/policy-controller/rbac/service_account.yaml 
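Review bot: The first rule of the new `policy-role` ClusterRole grants `delete`, `get`, `list` and `watch` on `secrets` across the whole cluster, and later rules grant `create` and `delete` on `gateways`, which is a wide grant for a policy controller; the same rules are mirrored into the bundle CSV's `clusterPermissions` for `mgc-kuadrant-policy-controller`. The `creationTimestamp: null` header suggests this file is produced by controller-gen from the `+kubebuilder:rbac` markers in the dnspolicy and tlspolicy controllers (those hunks are not in this chunk), so any narrowing belongs in the markers rather than in this file. At minimum a comment next to the marker should state why the policy controller needs `delete` on secrets and `create`/`delete` on gateways; if only secrets it manages itself are relevant, restricting the manager's Secret cache with a label selector would keep a cluster-wide `list`/`watch` from loading every secret in the cluster into the controller's memory.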
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/instance: policy-controller + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: policy-controller + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + name: policy-controller + namespace: system diff --git a/config/rbac/tlspolicy_editor_role.yaml b/config/policy-controller/rbac/tlspolicy_editor_role.yaml similarity index 100% rename from config/rbac/tlspolicy_editor_role.yaml rename to config/policy-controller/rbac/tlspolicy_editor_role.yaml diff --git a/config/rbac/tlspolicy_viewer_role.yaml b/config/policy-controller/rbac/tlspolicy_viewer_role.yaml similarity index 100% rename from config/rbac/tlspolicy_viewer_role.yaml rename to config/policy-controller/rbac/tlspolicy_viewer_role.yaml diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index ac80d56c7..626f49b38 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -38,28 +38,6 @@ rules: - patch - update - watch -- apiGroups: - - cert-manager.io - resources: - - clusterissuers - verbs: - - get - - list -- apiGroups: - - cert-manager.io - resources: - - issuers - verbs: - - get - - list -- apiGroups: - - cluster.open-cluster-management.io - resources: - - managedclusters - verbs: - - get - - list - - watch - apiGroups: - cluster.open-cluster-management.io resources: 
@@ -133,138 +111,6 @@ rules: - get - list - watch -- apiGroups: - - kuadrant.io - resources: - - dnshealthcheckprobes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - kuadrant.io - resources: - - dnshealthcheckprobes/finalizers - verbs: - - get - - patch - - update -- apiGroups: - - kuadrant.io - resources: - - dnshealthcheckprobes/status - verbs: - - get - - patch - - update -- apiGroups: - - kuadrant.io - resources: - - dnspolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - kuadrant.io - resources: - - dnspolicies/finalizers - verbs: - - update -- apiGroups: - - kuadrant.io - resources: - - dnspolicies/status - verbs: - - get - - patch - - update -- apiGroups: - - kuadrant.io - resources: - - dnsrecords - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - kuadrant.io - resources: - - dnsrecords/finalizers - verbs: - - update -- apiGroups: - - kuadrant.io - resources: - - dnsrecords/status - verbs: - - get - - patch - - update -- apiGroups: - - kuadrant.io - resources: - - managedzones - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - kuadrant.io - resources: - - managedzones/finalizers - verbs: - - update -- apiGroups: - - kuadrant.io - resources: - - managedzones/status - verbs: - - get - - patch - - update -- apiGroups: - - kuadrant.io - resources: - - tlspolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - kuadrant.io - resources: - - tlspolicies/finalizers - verbs: - - update -- apiGroups: - - kuadrant.io - resources: - - tlspolicies/status - verbs: - - get - - patch - - update - apiGroups: - work.open-cluster-management.io resources: diff --git a/docs/contribution/vscode-debugging.md b/docs/contribution/vscode-debugging.md index 28460c302..479b1335c 100644 --- a/docs/contribution/vscode-debugging.md 
+++ b/docs/contribution/vscode-debugging.md @@ -10,7 +10,7 @@ There is an included VSCode `launch.json`. Instead of starting the Gateway Controller via something like: ```bash -make build-controller install run-controller +make build-{policy | gateway}-controller install run-{policy | gateway}-controller ``` You can now simply hit `F5` in VSCode. The controller will launch with the following config: diff --git a/docs/demos/dns-policy/dnspolicy-demo.md b/docs/demos/dns-policy/dnspolicy-demo.md index 88ad03d8c..e278b3116 100644 --- a/docs/demos/dns-policy/dnspolicy-demo.md +++ b/docs/demos/dns-policy/dnspolicy-demo.md @@ -14,7 +14,13 @@ ```bash ./install.sh -(export $(cat ./controller-config.env | xargs) && export $(cat ./aws-credentials.env | xargs) && make build-controller install run-controller) +(export $(cat ./controller-config.env | xargs) && export $(cat ./aws-credentials.env | xargs) && make build-gateway-controller install run-gateway-controller) + +## separate window + +(export $(cat ./controller-config.env | xargs) && export $(cat ./aws-credentials.env | xargs) && make build-policy-controller install run-policy-controller) + + ``` ## Preamble diff --git a/docs/experimental/submariner-poc-2-gateways-resiliency-walkthrough.md b/docs/experimental/submariner-poc-2-gateways-resiliency-walkthrough.md index cde9b8926..b9ad29144 100644 --- a/docs/experimental/submariner-poc-2-gateways-resiliency-walkthrough.md +++ b/docs/experimental/submariner-poc-2-gateways-resiliency-walkthrough.md @@ -107,7 +107,11 @@ kubectl create -f hack/ocm/gatewayclass.yaml In `T2` run the following to start the Gateway Controller: ```bash -make build-controller install run-controller +make build-gateway-controller install run-gateway-controller + +#new window + +make build-policy-controller install run-policy-controller ``` ### Create a Gateway 
diff --git a/docs/experimental/submariner-poc-hub-gateway-walkthrough.md b/docs/experimental/submariner-poc-hub-gateway-walkthrough.md index 94a1a04de..c1e1127f1 100644 --- a/docs/experimental/submariner-poc-hub-gateway-walkthrough.md +++ b/docs/experimental/submariner-poc-hub-gateway-walkthrough.md @@ -111,7 +111,13 @@ In `T2` run the following to start the Gateway Controller: ```bash kind export kubeconfig --name=mgc-control-plane --kubeconfig=$(pwd)/local/kube/control-plane.yaml && export KUBECONFIG=$(pwd)/local/kube/control-plane.yaml -make build-controller install run-controller +make build-gateway-controller install run-gateway-controller + + +# new window + +kind export kubeconfig --name=mgc-control-plane --kubeconfig=$(pwd)/local/kube/control-plane.yaml && export KUBECONFIG=$(pwd)/local/kube/control-plane.yaml +make build-policy-controller install run-policy-controller ``` ### Create a Gateway diff --git a/hack/.deployUtils b/hack/.deployUtils index 298d1b44a..d59f65805 100644 --- a/hack/.deployUtils +++ b/hack/.deployUtils @@ -141,7 +141,7 @@ deployCertManager() { kubectl delete validatingWebhookConfiguration mgc-cert-manager-webhook kubectl delete mutatingWebhookConfiguration mgc-cert-manager-webhook # Apply the default glbc-ca issuer - kubectl apply -n cert-manager -f ./config/default/issuer.yaml + kubectl apply -n cert-manager -f ./config/policy-controller/default/issuer.yaml } deployExternalDNS() { 
@@ -258,7 +258,7 @@ initController() {
 kubectl config use-context kind-${clusterName}
 echo "Initialize local dev setup for the controller on ${clusterName}"
 # Add the mgc CRDs
- ${KUSTOMIZE_BIN} build config/crd | kubectl apply -f -
+ ${KUSTOMIZE_BIN} build config/policy-controller/crd | kubectl apply -f -
 ${KUSTOMIZE_BIN} build config/local-setup/controller/ | kubectl apply -f -
 if [[ -f "controller-config.env" && -f "gcp-credentials.env" ]]; then
 ${KUSTOMIZE_BIN} --reorder none --load-restrictor LoadRestrictionsNone build config/local-setup/controller/gcp | kubectl apply -f -
diff --git a/hack/make/policy_controller.make b/hack/make/policy_controller.make
index ecc24ae58..5890707d8 100644
--- a/hack/make/policy_controller.make
+++ b/hack/make/policy_controller.make
@@ -7,6 +7,16 @@ LOG_LEVEL ?= 3
 build-policy-controller: manifests generate fmt vet ## Build controller binary.
 go build -o bin/policy_controller ./cmd/policy_controller/main.go
+.PHONY: install
+install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
+ $(KUSTOMIZE) build config/policy-controller/crd | kubectl apply -f -
+
+
+.PHONY: uninstall
+uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+ $(KUSTOMIZE) build config/policy-controller/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+
+
 .PHONY: run-policy-controller
 run-policy-controller: manifests generate fmt vet install
 go run ./cmd/policy_controller/main.go \
diff --git a/pkg/controllers/dnspolicy/dnspolicy_controller.go b/pkg/controllers/dnspolicy/dnspolicy_controller.go
index 334217e2c..49ea49612 100644
--- a/pkg/controllers/dnspolicy/dnspolicy_controller.go
+++ b/pkg/controllers/dnspolicy/dnspolicy_controller.go
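Review bot: `uninstall` expands `--ignore-not-found=$(ignore-not-found)` but nothing in this hunk defines `ignore-not-found`; if the default did not move into this file together with the targets, an unset variable expands to `--ignore-not-found=` and kubectl rejects the empty boolean, so the target fails before deleting anything. Defining it next to the targets, `ignore-not-found ?= false`, keeps the included file self-contained regardless of what the root Makefile still declares. Deleting these CRDs also cascades to every DNSPolicy, DNSRecord, ManagedZone and TLSPolicy instance in whatever cluster the current kubeconfig context points at, which the `##` help text should say explicitly, e.g. `## Uninstall CRDs (and every CR of those kinds) from the cluster in the current kubeconfig context.` I cannot see the root Makefile from here; if it still defines `install`/`uninstall`, GNU make will warn about overriding recipes when this file is included.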
@@ -69,6 +69,9 @@ type DNSPolicyReconciler struct {
 //+kubebuilder:rbac:groups=kuadrant.io,resources=dnspolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=kuadrant.io,resources=dnspolicies/finalizers,verbs=update
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;watch
+// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/finalizers,verbs=update
 func (r *DNSPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 log := r.Logger().WithValues("DNSPolicy", req.NamespacedName)
diff --git a/pkg/controllers/gateway/gateway_controller.go b/pkg/controllers/gateway/gateway_controller.go
index 1d2a90dd5..f29c7e8da 100644
--- a/pkg/controllers/gateway/gateway_controller.go
+++ b/pkg/controllers/gateway/gateway_controller.go
@@ -49,9 +49,7 @@ import (
 "github.com/Kuadrant/multicluster-gateway-controller/pkg/_internal/gracePeriod"
 "github.com/Kuadrant/multicluster-gateway-controller/pkg/_internal/metadata"
- "github.com/Kuadrant/multicluster-gateway-controller/pkg/_internal/policy"
 "github.com/Kuadrant/multicluster-gateway-controller/pkg/_internal/slice"
- "github.com/Kuadrant/multicluster-gateway-controller/pkg/apis/v1alpha1"
 "github.com/Kuadrant/multicluster-gateway-controller/pkg/dns"
 "github.com/Kuadrant/multicluster-gateway-controller/pkg/policysync"
 )
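Review bot: The new `gateways` marker grants `create` and `delete` (as well as `update`/`patch`) on `gateway.networking.k8s.io/gateways`, and because it feeds the policy controller's generated ClusterRole those verbs apply to every Gateway in the cluster; a policy reconciler that targets existing Gateways should not need to create or delete them, so this is wider than least privilege and a compromised policy-controller token could remove or replace any Gateway. Unless the reconcile body actually creates or deletes Gateway objects, trim it to `// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch;update;patch` (keep `update;patch` only if the reconciler writes annotations or finalizers on the target, which the separate `gateways/finalizers` marker already covers for finalizers). I cannot see the reconcile body from this hunk, so confirm which verbs are exercised before trimming. The new lines also use `// +kubebuilder` while the existing ones use `//+kubebuilder`; controller-gen accepts both, but one spelling keeps the markers greppable.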
@@ -486,18 +484,6 @@ func buildAcceptedCondition(generation int64, acceptedStatus metav1.ConditionSta
 func (r *GatewayReconciler) SetupWithManager(mgr ctrl.Manager, ctx context.Context) error {
 log := crlog.FromContext(ctx)
- err := mgr.GetFieldIndexer().IndexField(
- context.Background(),
- &v1alpha1.DNSPolicy{},
- policy.POLICY_TARGET_REF_KEY,
- func(obj client.Object) []string {
- return []string{policy.GetTargetRefValueFromPolicy(obj.(*v1alpha1.DNSPolicy))}
- },
- )
- if err != nil {
- return err
- }
-
 //TODO need to trigger gateway reconcile when gatewayclass params changes
 return ctrl.NewControllerManagedBy(mgr).
 For(&gatewayv1beta1.Gateway{}).
diff --git a/pkg/controllers/tlspolicy/tlspolicy_controller.go b/pkg/controllers/tlspolicy/tlspolicy_controller.go
index eda4ffc19..196eea8c9 100644
--- a/pkg/controllers/tlspolicy/tlspolicy_controller.go
+++ b/pkg/controllers/tlspolicy/tlspolicy_controller.go
@@ -70,6 +70,8 @@ type TLSPolicyReconciler struct {
 //+kubebuilder:rbac:groups=kuadrant.io,resources=tlspolicies/finalizers,verbs=update
 //+kubebuilder:rbac:groups="cert-manager.io",resources=issuers,verbs=get;list;
 //+kubebuilder:rbac:groups="cert-manager.io",resources=clusterissuers,verbs=get;list;
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;delete
+// +kubebuilder:rbac:groups="cert-manager.io",resources=certificates,verbs=get;list;watch;create;update;patch;delete
 func (r *TLSPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 log := r.Logger().WithValues("TLSPolicy", req.NamespacedName)
diff --git a/test/gateway_integration/suite_test.go b/test/gateway_integration/suite_test.go
index 209cac7b1..20598c564 100644
--- a/test/gateway_integration/suite_test.go
+++ b/test/gateway_integration/suite_test.go
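Review bot: The new `secrets` marker on the TLSPolicy reconciler becomes a cluster-wide rule in the generated ClusterRole, so the policy controller gets `get`, `list`, `watch` and `delete` on every Secret in every namespace, not only the TLS Secrets cert-manager issues for this policy's Certificates; that is a credential-exposure and destructive-delete risk if the controller or its service-account token is compromised, and an unrestricted `watch` also pulls every Secret into the manager's informer cache. If the reconciler only touches Secrets it can identify (by label or by the Certificate's `secretName`), restrict what is cached with a selector in the manager's cache options, e.g. `cache.Options{ByObject: map[client.Object]cache.ByObject{&corev1.Secret{}: {Label: tlsSecretSelector}}}`, and reconsider whether `delete` is needed at all, since cert-manager can garbage-collect the Secret with its Certificate when run with `--enable-certificate-owner-ref`. I cannot see the reconcile body or the manager setup from this hunk, so confirm what is actually read and deleted before narrowing. At minimum the marker deserves a why-comment, e.g. `// secrets: read and clean up the TLS secrets cert-manager issues for this policy's Certificates`.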
@@ -74,7 +74,7 @@ var _ = BeforeSuite(func() {
 By("bootstrapping test environment")
 testEnv = &envtest.Environment{
 CRDDirectoryPaths: []string{
- filepath.Join("../../", "config", "crd", "bases"),
+ filepath.Join("../../", "config", "policy-controller", "crd", "bases"),
 filepath.Join("../../", "config", "gateway-api", "crd", "standard"),
 filepath.Join("../../", "config", "cert-manager", "crd", "latest"),
 filepath.Join("../../", "config", "ocm", "crd"),
diff --git a/test/policy_integration/suite_test.go b/test/policy_integration/suite_test.go
index 409aed80c..dcd158e2b 100644
--- a/test/policy_integration/suite_test.go
+++ b/test/policy_integration/suite_test.go
@@ -81,7 +81,7 @@ var _ = BeforeSuite(func() {
 By("bootstrapping test environment")
 testEnv = &envtest.Environment{
 CRDDirectoryPaths: []string{
- filepath.Join("../../", "config", "crd", "bases"),
+ filepath.Join("../../", "config", "policy-controller", "crd", "bases"),
 filepath.Join("../../", "config", "gateway-api", "crd", "standard"),
 filepath.Join("../../", "config", "cert-manager", "crd", "latest"),
 //needed for now TODO remove once no longer need managedcluster in dnspolicy