From f17a035da857d5a8a93700d316efc588cab01598 Mon Sep 17 00:00:00 2001 From: Ricardo Zanini Date: Thu, 27 Jul 2023 14:35:51 -0300 Subject: [PATCH] Add OpenShift specifics and fix resources for ubiquity Signed-off-by: Ricardo Zanini --- .../artifacts/examples/01-ns.yaml | 2 +- .../examples/02-service_account.yaml | 4 +- .../artifacts/examples/03-auth_delegator.yaml | 6 +-- .../artifacts/examples/04-auth_reader.yaml | 5 +- .../artifacts/examples/05-rbac.yaml | 2 +- .../artifacts/examples/06-rbac_bind.yaml | 8 +-- .../artifacts/examples/07-deployment.yaml | 8 +-- .../artifacts/examples/08-service.yaml | 6 +-- .../artifacts/examples/09-apiservice.yaml | 4 +- .../examples/openshift/07-deployment.yaml | 53 +++++++++++++++++++ .../examples/openshift/08-service.yaml | 28 ++++++++++ 11 files changed, 105 insertions(+), 21 deletions(-) create mode 100644 workflowproj-apiserver/artifacts/examples/openshift/07-deployment.yaml create mode 100644 workflowproj-apiserver/artifacts/examples/openshift/08-service.yaml diff --git a/workflowproj-apiserver/artifacts/examples/01-ns.yaml b/workflowproj-apiserver/artifacts/examples/01-ns.yaml index 058942124..b3680740c 100644 --- a/workflowproj-apiserver/artifacts/examples/01-ns.yaml +++ b/workflowproj-apiserver/artifacts/examples/01-ns.yaml @@ -15,4 +15,4 @@ apiVersion: v1 kind: Namespace metadata: - name: workflowproj + name: sonataflow-operator-system diff --git a/workflowproj-apiserver/artifacts/examples/02-service_account.yaml b/workflowproj-apiserver/artifacts/examples/02-service_account.yaml index 54ef4a40e..1212db06b 100644 --- a/workflowproj-apiserver/artifacts/examples/02-service_account.yaml +++ b/workflowproj-apiserver/artifacts/examples/02-service_account.yaml @@ -15,5 +15,5 @@ kind: ServiceAccount apiVersion: v1 metadata: - name: apiserver - namespace: workflowproj + name: workflowproj-apiserver + namespace: sonataflow-operator-system 
diff --git a/workflowproj-apiserver/artifacts/examples/03-auth_delegator.yaml b/workflowproj-apiserver/artifacts/examples/03-auth_delegator.yaml index f2af0c2c4..8918ffbde 100644 --- a/workflowproj-apiserver/artifacts/examples/03-auth_delegator.yaml +++ b/workflowproj-apiserver/artifacts/examples/03-auth_delegator.yaml @@ -15,12 +15,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: workflowproj:system:auth-delegator + name: workflowproj-apiserver:system:auth-delegator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount - name: apiserver - namespace: workflowproj + name: workflowproj-apiserver + namespace: sonataflow-operator-system diff --git a/workflowproj-apiserver/artifacts/examples/04-auth_reader.yaml b/workflowproj-apiserver/artifacts/examples/04-auth_reader.yaml index 5a3a1f110..9bcd06224 100644 --- a/workflowproj-apiserver/artifacts/examples/04-auth_reader.yaml +++ b/workflowproj-apiserver/artifacts/examples/04-auth_reader.yaml @@ -16,6 +16,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: workflowproj-auth-reader + # The rolebinding must be in the same namespace as the role we are referring below namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io @@ -23,5 +24,5 @@ roleRef: name: extension-apiserver-authentication-reader subjects: - kind: ServiceAccount - name: apiserver - namespace: workflowproj + name: workflowproj-apiserver + namespace: sonataflow-operator-system diff --git a/workflowproj-apiserver/artifacts/examples/05-rbac.yaml b/workflowproj-apiserver/artifacts/examples/05-rbac.yaml index 9d25a332a..881c08278 100644 --- a/workflowproj-apiserver/artifacts/examples/05-rbac.yaml +++ b/workflowproj-apiserver/artifacts/examples/05-rbac.yaml 
@@ -15,7 +15,7 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: aggregated-apiserver-clusterrole + name: workflowproj-apiserver-clusterrole rules: - apiGroups: - "" diff --git a/workflowproj-apiserver/artifacts/examples/06-rbac_bind.yaml b/workflowproj-apiserver/artifacts/examples/06-rbac_bind.yaml index 080008021..31cd0f77a 100644 --- a/workflowproj-apiserver/artifacts/examples/06-rbac_bind.yaml +++ b/workflowproj-apiserver/artifacts/examples/06-rbac_bind.yaml @@ -15,12 +15,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: sample-apiserver-clusterrolebinding + name: workflowproj-apiserver-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: aggregated-apiserver-clusterrole + name: workflowproj-apiserver-clusterrole subjects: - kind: ServiceAccount - name: apiserver - namespace: workflowproj + name: workflowproj-apiserver + namespace: sonataflow-operator-system diff --git a/workflowproj-apiserver/artifacts/examples/07-deployment.yaml b/workflowproj-apiserver/artifacts/examples/07-deployment.yaml index 291b8ebd6..ba25a3285 100644 --- a/workflowproj-apiserver/artifacts/examples/07-deployment.yaml +++ b/workflowproj-apiserver/artifacts/examples/07-deployment.yaml @@ -16,7 +16,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: workflowproj-server - namespace: workflowproj + namespace: sonataflow-operator-system labels: apiserver: "true" spec: @@ -29,7 +29,7 @@ spec: labels: apiserver: "true" spec: - serviceAccountName: apiserver + serviceAccountName: workflowproj-apiserver containers: - name: workflowproj-server # build from staging/src/k8s.io/sample-apiserver/artifacts/simple-image/Dockerfile 
@@ -37,4 +37,6 @@ spec: # docker pull registry.k8s.io/e2e-test-images/sample-apiserver:1.17.4 # docker tag registry.k8s.io/e2e-test-images/sample-apiserver:1.17.4 kube-sample-apiserver:latest image: dev.local/workflowproj-apiserver:latest - imagePullPolicy: Never \ No newline at end of file + imagePullPolicy: Never + args: + - '--secure-port=8443' diff --git a/workflowproj-apiserver/artifacts/examples/08-service.yaml b/workflowproj-apiserver/artifacts/examples/08-service.yaml index 9c3c9d7f4..15248366a 100644 --- a/workflowproj-apiserver/artifacts/examples/08-service.yaml +++ b/workflowproj-apiserver/artifacts/examples/08-service.yaml @@ -15,12 +15,12 @@ apiVersion: v1 kind: Service metadata: - name: api - namespace: workflowproj + name: workflowproj-apiserver + namespace: sonataflow-operator-system spec: ports: - port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: apiserver: "true" diff --git a/workflowproj-apiserver/artifacts/examples/09-apiservice.yaml b/workflowproj-apiserver/artifacts/examples/09-apiservice.yaml index 970b988a7..7cc80aa3f 100644 --- a/workflowproj-apiserver/artifacts/examples/09-apiservice.yaml +++ b/workflowproj-apiserver/artifacts/examples/09-apiservice.yaml @@ -22,6 +22,6 @@ spec: groupPriorityMinimum: 1000 versionPriority: 15 service: - name: api - namespace: workflowproj + name: workflowproj-apiserver + namespace: sonataflow-operator-system version: v1alpha08 diff --git a/workflowproj-apiserver/artifacts/examples/openshift/07-deployment.yaml b/workflowproj-apiserver/artifacts/examples/openshift/07-deployment.yaml new file mode 100644 index 000000000..a2f05cca3 --- /dev/null +++ b/workflowproj-apiserver/artifacts/examples/openshift/07-deployment.yaml 
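Review bot: Neither this Deployment nor the new openshift/07-deployment.yaml sets a `securityContext` on the `workflowproj-server` container, so moving to `--secure-port=8443` removes the need for a privileged port without actually constraining the process. On a plain Kubernetes cluster the container runs as whatever user the image declares and keeps the default capability set; on OpenShift the assigned SCC probably tightens this, but the example should not rely on it. A container-level block like the one below would make the intent explicit. `runAsNonRoot: true` assumes the image declares a non-root user, which is not visible here. The pod spec begins outside this hunk, so confirm that no pod-level `securityContext` already exists.

```yaml
        imagePullPolicy: Never
        # keep the API server unprivileged now that it listens on 8443
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: args with --secure-port=8443 …
```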
@@ -0,0 +1,53 @@
+# Copyright 2023 Red Hat, Inc. and/or its affiliates
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: workflowproj-server
+ namespace: sonataflow-operator-system
+ labels:
+ apiserver: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ apiserver: "true"
+ template:
+ metadata:
+ labels:
+ apiserver: "true"
+ spec:
+ serviceAccountName: workflowproj-apiserver
+ volumes:
+ - name: tls
+ secret:
+ # this secret is created automatically by ocp, see the annotation in our service
+ secretName: workflowproj-apiserver-cert
+ defaultMode: 420
+ containers:
+ - name: workflowproj-server
+ image: dev.local/workflowproj-apiserver:latest
+ imagePullPolicy: Never
+ args:
+ - '--secure-port=8443'
+ # We use the certificate provided by the internal OCP CA
+ - '--tls-cert-file=/var/run/kubernetes/tls.crt'
+ - '--tls-private-key-file=/var/run/kubernetes/tls.key'
+ # Priority and Fairness are available only on k8s 1.20+
+ - '--feature-gates=APIPriorityAndFairness=false'
+ volumeMounts:
+ - name: tls
+ readOnly: true
+ mountPath: /var/run/kubernetes
diff --git a/workflowproj-apiserver/artifacts/examples/openshift/08-service.yaml b/workflowproj-apiserver/artifacts/examples/openshift/08-service.yaml
new file mode 100644
index 000000000..48aa1335e
--- /dev/null
+++ b/workflowproj-apiserver/artifacts/examples/openshift/08-service.yaml
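Review bot: The `tls` secret volume is mounted with `defaultMode: 420`, which is octal 0644, so `tls.key` under `/var/run/kubernetes` is readable by every user inside the container rather than only by the API server process. A tighter mode such as `defaultMode: 288` (0440) would limit the private key to owner and group. Whether the server can still read it then depends on the UID and fsGroup the cluster assigns to the pod, so confirm on the target OpenShift version before changing it. A short comment next to the value stating the octal equivalent, e.g. `# 0440: key readable by owner and group only`, would also help, since the decimal form hides the permission bits.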
@@ -0,0 +1,28 @@
+# Copyright 2023 Red Hat, Inc. and/or its affiliates
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: workflowproj-apiserver
+ namespace: sonataflow-operator-system
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: workflowproj-apiserver-cert
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ apiserver: "true"
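Review bot: The `serving-cert-secret-name` annotation gives the server a certificate signed by the cluster's service CA, but nothing in this commit makes the aggregation layer verify it. The diffstat shows no OpenShift variant of `09-apiservice.yaml`, and the shared file's hunk does not show its TLS settings. If that APIService carries `insecureSkipTLSVerify: true` (not visible here), the kube-apiserver will accept any certificate from the backend and the CA-issued one adds no authentication. Consider adding an `openshift/09-apiservice.yaml` that drops that field and is annotated with `service.beta.openshift.io/inject-cabundle: "true"`, so the service CA bundle is injected into `spec.caBundle`.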