diff --git a/.github/workflows/addon-manger-image.yaml b/.github/workflows/addon-manger-image.yaml deleted file mode 100644 index 7e6daab6a..000000000 --- a/.github/workflows/addon-manger-image.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -name: Build and Publish add-on manager Image - -on: - push: - branches: - - main - - "release-*" - tags: - - "v[0-9]+.[0-9]+.[0-9]+" - -env: - IMG_REGISTRY_HOST: quay.io - IMG_REGISTRY_ORG: kuadrant - IMG_REGISTRY_REPO: addon-manager - MAIN_BRANCH_NAME: main - -jobs: - build: - if: github.repository_owner == 'kuadrant' - name: Build and Publish Addon Manager Image - runs-on: ubuntu-22.04 - outputs: - sha_short: ${{ steps.vars.outputs.sha_short }} - controller_image: ${{ steps.vars.outputs.base_image }}:${{ steps.vars.outputs.sha_short }} - steps: - - uses: actions/checkout@v3 - - - name: Calculate vars - id: vars - run: | - echo "sha_short=$(echo ${{ github.sha }} | cut -b -7)" >> $GITHUB_OUTPUT - echo "base_image=${{ env.IMG_REGISTRY_HOST }}/${{ env.IMG_REGISTRY_ORG }}/${{ env.IMG_REGISTRY_REPO }}" >> $GITHUB_OUTPUT - - - name: Add image tags - id: add-tags - run: echo "IMG_TAGS=${{ steps.vars.outputs.base_image }}:${{ steps.vars.outputs.sha_short }},${{ steps.vars.outputs.base_image }}:${{ github.ref_name }}" >> $GITHUB_ENV - - - name: Add latest tag - if: ${{ github.ref_name == env.MAIN_BRANCH_NAME }} - id: add-latest-tag - run: echo "IMG_TAGS=${{ steps.vars.outputs.base_image }}:latest,${{ env.IMG_TAGS }}" >> $GITHUB_ENV - - - name: Login to Quay.io - uses: docker/login-action@v2 - id: registry-login - with: - registry: ${{ env.IMG_REGISTRY_HOST }} - username: ${{ secrets.IMG_REGISTRY_USERNAME }} - password: ${{ secrets.IMG_REGISTRY_TOKEN }} - - - name: Build and push add-on manager Image - id: build-and-push - uses: docker/build-push-action@v4 - with: - push: true - tags: ${{ env.IMG_TAGS }} - target: add-on-manager - - - name: Print Image URL - run: | - echo "Image pushed to ${{ env.IMG_TAGS }}" - echo "Image digest: ${{ steps.build-and-push.outputs.digest }}" diff --git a/Dockerfile b/Dockerfile index 15b7ce96d..88d96a5c9 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -23,9 +23,6 @@ COPY pkg/ pkg/ FROM builder as controller_builder RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o controller cmd/gateway_controller/main.go -FROM builder as addon_builder -RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o add-on-manager cmd/ocm/main.go - # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details FROM gcr.io/distroless/static:nonroot as controller @@ -33,13 +30,4 @@ WORKDIR / COPY --from=controller_builder /workspace/controller . USER 65532:65532 -ENTRYPOINT ["/controller"] - -# Use distroless as minimal base image to package the manager binary -# Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot as add-on-manager -WORKDIR / -COPY --from=addon_builder /workspace/add-on-manager . -USER 65532:65532 - -ENTRYPOINT ["/add-on-manager"] +ENTRYPOINT ["/controller"] \ No newline at end of file diff --git a/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml b/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml index a07fa57f7..19e8a48c1 100644 --- a/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml +++ b/bundle/manifests/multicluster-gateway-controller.clusterserviceversion.yaml @@ -4,7 +4,7 @@ metadata: annotations: alm-examples: '[]' capabilities: Basic Install - createdAt: "2024-02-09T15:14:21Z" + createdAt: "2024-02-21T15:02:50Z" operators.operatorframework.io/builder: operator-sdk-v1.28.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 name: multicluster-gateway-controller.v0.0.0 
@@ -26,91 +26,45 @@ spec: - "" resources: - configmaps - - events verbs: - - get - - list - - watch - create - - update - delete - - deletecollection - - patch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - get - list - - watch - - create - - update - patch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - get - - list - - watch - - create - update - - delete + - watch - apiGroups: - - authorization.k8s.io + - "" resources: - - subjectaccessreviews + - configmaps + - events verbs: - - get - create - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - verbs: + - delete + - deletecollection - get - list - - watch - - create + - patch - update + - watch - apiGroups: - - certificates.k8s.io - resources: - - signers - verbs: - - approve - - apiGroups: - - cluster.open-cluster-management.io + - "" resources: - - managedclusters + - secrets verbs: + - delete - get - list - watch - - update - apiGroups: - - work.open-cluster-management.io + - addon.open-cluster-management.io resources: - - manifestworks + - clustermanagementaddons verbs: - - create - - update - get - list - watch - - delete - - deletecollection - - patch - - apiGroups: - - addon.open-cluster-management.io - resources: - - managedclusteraddons/finalizers - verbs: - - update - apiGroups: - addon.open-cluster-management.io resources: 
@@ -120,45 +74,38 @@ spec: - apiGroups: - addon.open-cluster-management.io resources: - - clustermanagementaddons + - managedclusteraddons verbs: + - create + - delete - get - list + - update - watch - apiGroups: - addon.open-cluster-management.io resources: - - managedclusteraddons + - managedclusteraddons/finalizers verbs: - - get - - list - - watch - - create - update - - delete - apiGroups: - addon.open-cluster-management.io resources: - managedclusteraddons/status verbs: - - update - patch + - update - apiGroups: - - kuadrant.io/v1beta1 + - authorization.k8s.io resources: - - kuadrant + - subjectaccessreviews verbs: - - get - - list - - watch - create - - update - serviceAccountName: mgc-add-on-manager - - rules: + - get - apiGroups: - - "" + - cert-manager.io resources: - - configmaps + - certificates verbs: - create - delete @@ -168,26 +115,22 @@ spec: - update - watch - apiGroups: - - "" + - certificates.k8s.io resources: - - secrets + - certificatesigningrequests + - certificatesigningrequests/approval verbs: - - delete + - create - get - list + - update - watch - apiGroups: - - cert-manager.io + - certificates.k8s.io resources: - - certificates + - signers verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - approve - apiGroups: - cluster.open-cluster-management.io resources: @@ -195,6 +138,7 @@ spec: verbs: - get - list + - update - watch - apiGroups: - cluster.open-cluster-management.io @@ -208,6 +152,17 @@ spec: - patch - update - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - patch + - update + - watch - apiGroups: - gateway.networking.k8s.io resources: 
@@ -269,6 +224,28 @@ spec: - get - list - watch + - apiGroups: + - kuadrant.io + resources: + - kuadrant + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - work.open-cluster-management.io resources: @@ -276,6 +253,7 @@ spec: verbs: - create - delete + - deletecollection - get - list - patch @@ -295,50 +273,6 @@ spec: - create serviceAccountName: mgc-controller-manager deployments: - - label: - control-plane: kuadrant-add-on-manager - name: mgc-add-on-manager - spec: - replicas: 1 - selector: - matchLabels: - control-plane: kuadrant-add-on-manager - strategy: {} - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: controller - labels: - control-plane: kuadrant-add-on-manager - spec: - containers: - - args: - - --leader-elect - command: - - /add-on-manager - envFrom: - - configMapRef: - name: controller-config - optional: true - image: quay.io/kuadrant/addon-manager:main - imagePullPolicy: Always - name: controller - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - securityContext: - runAsNonRoot: true - serviceAccountName: mgc-add-on-manager - terminationGracePeriodSeconds: 10 - label: app.kubernetes.io/component: manager app.kubernetes.io/created-by: multicluster-gateway-controller diff --git a/cmd/gateway_controller/main.go b/cmd/gateway_controller/main.go index 6ca936b99..5c56440fc 100644 --- a/cmd/gateway_controller/main.go +++ b/cmd/gateway_controller/main.go 
@@ -40,6 +40,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/webhook" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" + "github.com/Kuadrant/multicluster-gateway-controller/cmd/gateway_controller/ocm" "github.com/Kuadrant/multicluster-gateway-controller/pkg/controllers/gateway" "github.com/Kuadrant/multicluster-gateway-controller/pkg/placement" "github.com/Kuadrant/multicluster-gateway-controller/pkg/policysync" @@ -47,7 +48,9 @@ import ( ) var ( - setupLog = ctrl.Log.WithName("setup") + metricsAddr string + enableLeaderElection bool + probeAddr string ) func init() { @@ -62,9 +65,6 @@ func init() { } func main() { - var metricsAddr string - var enableLeaderElection bool - var probeAddr string flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, @@ -77,8 +77,10 @@ func main() { flag.Parse() ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + setupLog := ctrl.Log.WithName("gateway controller setup") ctx := ctrl.SetupSignalHandler() + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme.Scheme, Metrics: metricsserver.Options{BindAddress: metricsAddr}, 
@@ -129,18 +131,27 @@ func main() { //+kubebuilder:scaffold:builder - if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { + if err = mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up health check") os.Exit(1) } - if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { + if err = mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { setupLog.Error(err, "unable to set up ready check") os.Exit(1) } + // add addon-manager + if err = mgr.Add(ocm.AddonRunnable{}); err != nil { + setupLog.Error(err, "unable to add addon manager runnable") + os.Exit(1) + } + setupLog.Info("starting manager") - if err := mgr.Start(ctx); err != nil { - setupLog.Error(err, "problem running manager") + + if err = mgr.Start(ctx); err != nil { + setupLog.Error(err, "problem running controller manager") os.Exit(1) } + + <-ctx.Done() } diff --git a/cmd/ocm/main.go b/cmd/gateway_controller/ocm/addon-manager.go similarity index 78% rename from cmd/ocm/main.go rename to cmd/gateway_controller/ocm/addon-manager.go index 6b2799e64..5560da4a7 100644 --- a/cmd/ocm/main.go +++ b/cmd/gateway_controller/ocm/addon-manager.go @@ -1,9 +1,9 @@ -package main +package ocm import ( "context" "embed" - "fmt" + "os" operatorsv1 "github.com/operator-framework/api/pkg/operators/v1" operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" 
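Review bot: The trailing `<-ctx.Done()` added after `mgr.Start(ctx)` is dead code: `Start` blocks until the context is cancelled (or a runnable fails), so by the time it returns the channel is already closed and the wait is a no-op; drop it and let `main` fall through to the normal exit. It is also worth a comment at the `mgr.Add(ocm.AddonRunnable{})` call that `AddonRunnable` does not implement controller-runtime's `NeedLeaderElection`, so, if I read the manager defaults correctly, it is only started on the replica that wins the election, e.g. `// Runnables without NeedLeaderElection only start on the elected leader — TODO confirm`. Since the add-on manager now shares the process, any failure inside it takes the gateway controller down with it, which should be stated in the log message or a comment here.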
@@ -14,21 +14,63 @@ import ( "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" - "k8s.io/klog/v2" ctrl "sigs.k8s.io/controller-runtime" kuadrantv1beta1 "github.com/kuadrant/kuadrant-operator/api/v1beta1" - hub "github.com/Kuadrant/multicluster-gateway-controller/pkg/ocm/hub" + "github.com/Kuadrant/multicluster-gateway-controller/pkg/ocm/hub" ) -//go:embed addon-manager/manifests +//go:embed manifests var FS embed.FS const ( addonName = "kuadrant-addon" ) +type AddonRunnable struct{} + +func (r AddonRunnable) Start(ctx context.Context) error { + setupLog := ctrl.Log.WithName("addon manager setup") + setupLog.Info("starting add-on manager") + addonScheme := runtime.NewScheme() + utilruntime.Must(operatorsv1alpha1.AddToScheme(addonScheme)) + utilruntime.Must(operatorsv1.AddToScheme(addonScheme)) + utilruntime.Must(kuadrantv1beta1.AddToScheme(addonScheme)) + + kubeConfig := ctrl.GetConfigOrDie() + + addonMgr, err := addonmanager.New(kubeConfig) + if err != nil { + setupLog.Error(err, "unable to setup addon manager") + os.Exit(1) + } + + agentAddon, err := addonfactory.NewAgentAddonFactory(addonName, FS, "manifests"). + WithAgentHealthProber(hub.AddonHealthProber()). + WithScheme(addonScheme). + WithGetValuesFuncs(GetDefaultValues, addonfactory.GetValuesFromAddonAnnotation). + BuildTemplateAgentAddon() + if err != nil { + setupLog.Error(err, "failed to build agent addon") + os.Exit(1) + } + err = addonMgr.AddAgent(agentAddon) + if err != nil { + setupLog.Error(err, "failed to add addon agent") + os.Exit(1) + } + + if err = addonMgr.Start(ctx); err != nil { + setupLog.Error(err, "problem running addon manager") + return err + } + + <-ctx.Done() + + return nil +} + func GetDefaultValues(cluster *clusterv1.ManagedCluster, addon *addonapiv1alpha1.ManagedClusterAddOn) (addonfactory.Values, error) { 
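Review bot: `AddonRunnable.Start` calls `os.Exit(1)` at three points, which is the wrong failure mode for a controller-runtime `Runnable`: it kills the whole process from inside the manager's goroutine, skipping the manager's graceful shutdown and the error handling `mgr.Start` already provides to the caller (the fourth site, `addonMgr.Start`, correctly returns the error). Return wrapped errors instead and let `main` log and exit; note `fmt` was removed from the imports in the preceding hunk and will need re-adding. Separately, `ctrl.GetConfigOrDie()` builds a second rest config from the environment even though the controller manager already holds one; carrying the manager's config in the struct (e.g. a `Config *rest.Config` field filled from `mgr.GetConfig()`) would keep both components on the same identity and settings, though I cannot see the callers to be sure nothing else depends on the zero-value struct.
```go
	addonMgr, err := addonmanager.New(kubeConfig)
	if err != nil {
		return fmt.Errorf("unable to setup addon manager: %w", err)
	}
	// … unchanged: agent addon factory chain …
	if err != nil {
		return fmt.Errorf("failed to build agent addon: %w", err)
	}
	if err = addonMgr.AddAgent(agentAddon); err != nil {
		return fmt.Errorf("failed to add addon agent: %w", err)
	}
```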
@@ -59,43 +101,3 @@ func GetDefaultValues(cluster *clusterv1.ManagedCluster, return addonfactory.StructToValues(manifestConfig), nil } - -func main() { - fmt.Println("starting add-on manager") - addonScheme := runtime.NewScheme() - utilruntime.Must(operatorsv1alpha1.AddToScheme(addonScheme)) - utilruntime.Must(operatorsv1.AddToScheme(addonScheme)) - utilruntime.Must(kuadrantv1beta1.AddToScheme(addonScheme)) - - kubeConfig := ctrl.GetConfigOrDie() - - addonMgr, err := addonmanager.New(kubeConfig) - if err != nil { - klog.Errorf("unable to setup addon manager: %v", err) - panic(err) - } - - agentAddon, err := addonfactory.NewAgentAddonFactory(addonName, FS, "addon-manager/manifests"). - WithAgentHealthProber(hub.AddonHealthProber()). - WithScheme(addonScheme). - WithGetValuesFuncs(GetDefaultValues, addonfactory.GetValuesFromAddonAnnotation). - BuildTemplateAgentAddon() - if err != nil { - klog.Errorf("failed to build agent addon %v", err) - panic(err) - } - err = addonMgr.AddAgent(agentAddon) - if err != nil { - klog.Errorf("failed to add addon agent: %v", err) - panic(err) - } - - ctx := context.Background() - go func() { - if err := addonMgr.Start(ctx); err != nil { - panic(err) - } - }() - - <-ctx.Done() -} diff --git a/cmd/ocm/addon-manager/manifests/cluster-role-binding.yaml b/cmd/gateway_controller/ocm/manifests/cluster-role-binding.yaml similarity index 100% rename from cmd/ocm/addon-manager/manifests/cluster-role-binding.yaml rename to cmd/gateway_controller/ocm/manifests/cluster-role-binding.yaml diff --git a/cmd/ocm/addon-manager/manifests/cluster-role.yaml b/cmd/gateway_controller/ocm/manifests/cluster-role.yaml similarity index 100% rename from cmd/ocm/addon-manager/manifests/cluster-role.yaml rename to cmd/gateway_controller/ocm/manifests/cluster-role.yaml 
diff --git a/cmd/ocm/addon-manager/manifests/kuadrant-namespace.yaml b/cmd/gateway_controller/ocm/manifests/kuadrant-namespace.yaml similarity index 100% rename from cmd/ocm/addon-manager/manifests/kuadrant-namespace.yaml rename to cmd/gateway_controller/ocm/manifests/kuadrant-namespace.yaml diff --git a/cmd/ocm/addon-manager/manifests/kuadrant.yaml b/cmd/gateway_controller/ocm/manifests/kuadrant.yaml similarity index 100% rename from cmd/ocm/addon-manager/manifests/kuadrant.yaml rename to cmd/gateway_controller/ocm/manifests/kuadrant.yaml diff --git a/cmd/ocm/addon-manager/manifests/operator-group.yaml b/cmd/gateway_controller/ocm/manifests/operator-group.yaml similarity index 100% rename from cmd/ocm/addon-manager/manifests/operator-group.yaml rename to cmd/gateway_controller/ocm/manifests/operator-group.yaml diff --git a/cmd/ocm/addon-manager/manifests/subscription.yaml b/cmd/gateway_controller/ocm/manifests/subscription.yaml similarity index 100% rename from cmd/ocm/addon-manager/manifests/subscription.yaml rename to cmd/gateway_controller/ocm/manifests/subscription.yaml diff --git a/config/add-on-manager/cluster-management-addon.yaml b/config/add-on-manager/cluster-management-addon.yaml deleted file mode 100644 index 5e7abe868..000000000 --- a/config/add-on-manager/cluster-management-addon.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: addon.open-cluster-management.io/v1alpha1 -kind: ClusterManagementAddOn -metadata: - name: kuadrant-addon -spec: - addOnMeta: - displayName: kuadrant Addon - description: "kuadrant operator" - - diff --git a/config/add-on-manager/kustomization.yaml b/config/add-on-manager/kustomization.yaml deleted file mode 100644 index 57a44f48f..000000000 --- a/config/add-on-manager/kustomization.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -resources: -- manager.yaml -- cluster-management-addon.yaml - - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -images: -- name: addon-manager - newName: quay.io/kuadrant/addon-manager - newTag: main \ No newline at end of file diff --git a/config/add-on-manager/manager.yaml b/config/add-on-manager/manager.yaml deleted file mode 100644 index 3656972ba..000000000 --- a/config/add-on-manager/manager.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: add-on-manager - namespace: system - labels: - control-plane: kuadrant-add-on-manager -spec: - selector: - matchLabels: - control-plane: kuadrant-add-on-manager - replicas: 1 - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: controller - labels: - control-plane: kuadrant-add-on-manager - spec: - securityContext: - runAsNonRoot: true - containers: - - command: - - /add-on-manager - args: - - --leader-elect - image: addon-manager:latest - imagePullPolicy: Always - envFrom: - - configMapRef: - name: controller-config - optional: true - name: controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - #TODO add health and readiness probes - # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - serviceAccountName: add-on-manager - terminationGracePeriodSeconds: 10 \ No newline at end of file diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 41eda0db8..bac9fe760 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -11,7 +11,6 @@ namePrefix: mgc- resources: - ../rbac - ../manager -- ../add-on-manager patches: - path: manager_metrics_patch.yaml 
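Review bot: Removing `- ../add-on-manager` from `config/default` also drops the `ClusterManagementAddOn` resource `kuadrant-addon` that lived in `config/add-on-manager/cluster-management-addon.yaml`, and nothing in this change re-adds it elsewhere. The add-on framework reconciles `ManagedClusterAddOn`s against that hub-side object, and the merged ClusterRole only grants `get`/`list`/`watch` on `clustermanagementaddons`, so the controller cannot create it itself; unless it is now created by some path outside this diff, the in-process add-on manager will have nothing to act on. Consider moving the CR into `config/manager` (or a new `config/ocm` directory wired into `config/default`) and mentioning it in the install docs, which still say the add-on manager is installed by this step.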
diff --git a/config/rbac/add-on-clusterrole-binding.yaml b/config/rbac/add-on-clusterrole-binding.yaml deleted file mode 100644 index 1fef77a55..000000000 --- a/config/rbac/add-on-clusterrole-binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kuadrant-addon -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kuadrant-addon -subjects: -- kind: ServiceAccount - name: add-on-manager - namespace: system \ No newline at end of file diff --git a/config/rbac/add-on-clusterrole.yaml b/config/rbac/add-on-clusterrole.yaml deleted file mode 100644 index 601671766..000000000 --- a/config/rbac/add-on-clusterrole.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ - kind: ClusterRole - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: kuadrant-addon - rules: - - apiGroups: [""] - resources: ["configmaps", "events"] - verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles", "rolebindings"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["get", "create"] - - apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests", "certificatesigningrequests/approval"] - verbs: ["get", "list", "watch", "create", "update"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - verbs: ["approve"] - - apiGroups: ["cluster.open-cluster-management.io"] - resources: ["managedclusters"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["work.open-cluster-management.io"] - resources: ["manifestworks"] - verbs: ["create", "update", "get", "list", "watch", "delete", "deletecollection", "patch"] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["managedclusteraddons/finalizers"] - verbs: ["update"] - - apiGroups: [ "addon.open-cluster-management.io" ] - resources: [ "clustermanagementaddons/finalizers" ] - verbs: [ "update" ] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["clustermanagementaddons"] - verbs: ["get", "list", "watch"] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["managedclusteraddons"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: ["addon.open-cluster-management.io"] - resources: ["managedclusteraddons/status"] - verbs: ["update", "patch"] - - apiGroups: ["kuadrant.io/v1beta1"] - resources: ["kuadrant"] - verbs: ["get", "list", "watch", "create", "update"] \ 
No newline at end of file diff --git a/config/rbac/add-on-service-account.yaml b/config/rbac/add-on-service-account.yaml deleted file mode 100644 index 808e02f15..000000000 --- a/config/rbac/add-on-service-account.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/name: serviceaccount - app.kubernetes.io/instance: add-on-manager - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: kuadrant - app.kubernetes.io/part-of: multicluster-gateway-controller - app.kubernetes.io/managed-by: kustomize - name: add-on-manager - namespace: system diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 02adf2b00..731832a6a 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -16,6 +16,3 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml -- add-on-service-account.yaml -- add-on-clusterrole.yaml -- add-on-clusterrole-binding.yaml diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 82d2d04ee..cb914d7ba 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -17,6 +17,20 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch - apiGroups: - "" resources: 
@@ -26,6 +40,51 @@ rules: - get - list - watch +- apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons + verbs: + - get + - list + - watch +- apiGroups: + - addon.open-cluster-management.io + resources: + - clustermanagementaddons/finalizers + verbs: + - update +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/finalizers + verbs: + - update +- apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/status + verbs: + - patch + - update +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - get - apiGroups: - cert-manager.io resources: @@ -38,6 +97,23 @@ rules: - patch - update - watch +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - certificates.k8s.io + resources: + - signers + verbs: + - approve - apiGroups: - cluster.open-cluster-management.io resources: @@ -45,6 +121,7 @@ rules: verbs: - get - list + - update - watch - apiGroups: - cluster.open-cluster-management.io @@ -58,6 +135,17 @@ rules: - patch - update - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - patch + - update + - watch - apiGroups: - gateway.networking.k8s.io resources: @@ -119,6 +207,28 @@ rules: - get - list - watch +- apiGroups: + - kuadrant.io + resources: + - kuadrant + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - work.open-cluster-management.io resources: 
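Review bot: The generated `mgc-controller-manager` ClusterRole now carries `approve` on `certificates.k8s.io/signers`, `create`/`update` on `certificatesigningrequests/approval`, and `create`/`delete` on `roles`/`rolebindings` — rights the deleted `kuadrant-addon` ClusterRole previously held under a separate service account — so folding the add-on manager into the controller process removes that privilege boundary, and a compromise of the gateway controller (which also reads `secrets`) now yields cluster-wide CSR-approval and RBAC-writing capability. If the processes must be merged, the `signers` rule should at least be narrowed with a `resourceNames` list naming the signer(s) the add-on's CSRs actually use, and the combined grant should be documented; since this file is controller-gen output, the change belongs on the `+kubebuilder:rbac` markers in `pkg/controllers/gateway/gateway_controller.go`, e.g. `// +kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,verbs=approve,resourceNames=<addon signer>`. Separately, the `kuadrant.io` rule names the resource `kuadrant`; RBAC matches on the CRD's lowercase plural, which for the Kuadrant CRD is presumably `kuadrants`, so as written this rule likely grants nothing (the old `kuadrant.io/v1beta1` apiGroup was equally non-matching) — worth confirming against `kubectl api-resources` before relying on it.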
@@ -126,6 +236,7 @@ rules: verbs: - create - delete + - deletecollection - get - list - patch diff --git a/docs/installation/control-plane-installation.md b/docs/installation/control-plane-installation.md index 2a4b6c1b0..058abe60e 100644 --- a/docs/installation/control-plane-installation.md +++ b/docs/installation/control-plane-installation.md @@ -64,11 +64,10 @@ In addition to the MGC, this will also install the Kuadrant add-on manager and a Verify that the MGC and add-on manager have been installed and are running: ```bash -kubectl wait --timeout=5m -n multicluster-gateway-controller-system deployment/mgc-controller-manager deployment/mgc-add-on-manager deployment/mgc-policy-controller --for=condition=Available --context $HUB_CLUSTER +kubectl wait --timeout=5m -n multicluster-gateway-controller-system deployment/mgc-controller-manager deployment/mgc-policy-controller --for=condition=Available --context $HUB_CLUSTER ``` ``` deployment.apps/mgc-controller-manager condition met -deployment.apps/mgc-add-on-manager condition met deployment/mgc-policy-controller condition met ``` diff --git a/hack/make/addon.make b/hack/make/addon.make index 966173d90..e69de29bb 100644 --- a/hack/make/addon.make +++ b/hack/make/addon.make 
@@ -1,27 +0,0 @@ -OCM_ADDON_IMG ?= quay.io/kuadrant/addon-manager:v0.0.1 - -.PHONY: build-addon-manager -build-addon-manager: manifests generate fmt vet ## Build ocm binary. - go build -o bin/addon-manager ./cmd/ocm/main.go - -.PHONY: run-addon-manager -run-addon-manager: manifests generate fmt vet - go run ./cmd/ocm/main.go - - -.PHONY: docker-build-add-on-manager -docker-build-add-on-manager: ## Build docker image with the add-on manager. - docker build --target add-on-manager -t ${OCM_ADDON_IMG} . - docker image prune -f --filter label=stage=mgc-builder - -.PHONY: kind-load-add-on-manager -kind-load-add-on-manager: docker-build-ocm - kind load docker-image ${OCM_ADDON_IMG} --name mgc-control-plane --nodes mgc-control-plane-control-plane - -.PHONY: docker-push-add-on-manager -docker-push-ocm: ## Push docker image with the ocm. - docker push ${OCM_ADDON_IMG} - - .PHONY: deploy-add-on-manager -deploy-add-on-manager: ## Deploy controller to the K8s cluster specified in ~/.kube/config. - kubectl apply -f config/ocm \ No newline at end of file diff --git a/pkg/controllers/gateway/gateway_controller.go b/pkg/controllers/gateway/gateway_controller.go index 002a52162..8170cbad4 100644 --- a/pkg/controllers/gateway/gateway_controller.go +++ b/pkg/controllers/gateway/gateway_controller.go 
@@ -78,14 +78,27 @@ type GatewayPlacer interface { GetAddresses(ctx context.Context, gateway *gatewayapiv1.Gateway, downstream string) ([]gatewayapiv1.GatewayAddress, error) } +// +kubebuilder:rbac:groups="",resources=configmaps;events,verbs=get;list;watch;create;update;delete;deletecollection;patch +// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;delete +// +kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=get;create +// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests;certificatesigningrequests/approval,verbs=get;list;watch;create;update +// +kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,verbs=approve +// +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;watch;update +// +kubebuilder:rbac:groups=work.open-cluster-management.io,resources=manifestworks,verbs=get;list;watch;create;update;delete;deletecollection;patch +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=managedclusteraddons/finalizers,verbs=update +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=clustermanagementaddons/finalizers,verbs=update +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=clustermanagementaddons,verbs=get;list;watch +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=managedclusteraddons,verbs=get;list;watch;create;update;delete +// +kubebuilder:rbac:groups=addon.open-cluster-management.io,resources=managedclusteraddons/status,verbs=update;patch +// +kubebuilder:rbac:groups=kuadrant.io,resources=kuadrant,verbs=get;list;watch;create;update + // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch;create;update;patch;delete // 
+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=get;update;patch // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/finalizers,verbs=update -// +kubebuilder:rbac:groups=work.open-cluster-management.io,resources=manifestworks,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placementdecisions,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;delete // +kubebuilder:rbac:groups="cert-manager.io",resources=certificates,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;watch // +kubebuilder:rbac:groups="kuadrant.io",resources=authpolicies;ratelimitpolicies,verbs=get;list;watch