From 9a4f39a0fa0b69df373c1573c0b08d131db7cd3e Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Thu, 2 Jul 2020 13:59:19 -0400 Subject: [PATCH 01/10] Add the image pull secret to the orchestrator SA, not the deployment Also updates the SA using controllerutil.CreateOrUpdate --- .../manageiq/manageiq_controller.go | 6 +++-- .../helpers/miq-components/orchestrator.go | 25 +++++++++++++------ 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go index c337e69b..cfe27f72 100644 --- a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go +++ b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go @@ -351,9 +351,11 @@ func (r *ReconcileManageIQ) generateKafkaResources(cr *miqv1alpha1.ManageIQ) err } func (r *ReconcileManageIQ) generateOrchestratorResources(cr *miqv1alpha1.ManageIQ) error { - orchestratorServiceAccount := miqtool.OrchestratorServiceAccount(cr) - if err := r.createk8sResIfNotExist(cr, orchestratorServiceAccount, &corev1.ServiceAccount{}); err != nil { + orchestratorServiceAccount, mutateFunc := miqtool.OrchestratorServiceAccount(cr, r.scheme) + if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, orchestratorServiceAccount, mutateFunc); err != nil { return err + } else { + logger.Info("Service Account has been reconciled", "component", "orchestrator", "result", result) } orchestratorRole := miqtool.OrchestratorRole(cr) diff --git a/manageiq-operator/pkg/helpers/miq-components/orchestrator.go b/manageiq-operator/pkg/helpers/miq-components/orchestrator.go index 198b6372..e3f66cd5 100644 --- a/manageiq-operator/pkg/helpers/miq-components/orchestrator.go +++ b/manageiq-operator/pkg/helpers/miq-components/orchestrator.go 
@@ -12,13 +12,29 @@ import ( "strings" ) -func OrchestratorServiceAccount(cr *miqv1alpha1.ManageIQ) *corev1.ServiceAccount { - return &corev1.ServiceAccount{ +func OrchestratorServiceAccount(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*corev1.ServiceAccount, controllerutil.MutateFn) { + sa := &corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: orchestratorObjectName(cr), Namespace: cr.ObjectMeta.Namespace, }, } + + f := func() error { + if err := controllerutil.SetControllerReference(cr, sa, scheme); err != nil { + return err + } + + if cr.Spec.ImagePullSecret != "" { + sa.ImagePullSecrets = []corev1.LocalObjectReference{ + corev1.LocalObjectReference{Name: cr.Spec.ImagePullSecret}, + } + } + + return nil + } + + return sa, f } func OrchestratorRole(cr *miqv1alpha1.ManageIQ) *rbacv1.Role { @@ -312,11 +328,6 @@ func OrchestratorDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (* deployment.Spec.Template.Spec.TerminationGracePeriodSeconds = &termSecs if cr.Spec.ImagePullSecret != "" { - pullSecret := []corev1.LocalObjectReference{ - corev1.LocalObjectReference{Name: cr.Spec.ImagePullSecret}, - } - deployment.Spec.Template.Spec.ImagePullSecrets = pullSecret - c := &deployment.Spec.Template.Spec.Containers[0] pullSecretEnv := corev1.EnvVar{ Name: "IMAGE_PULL_SECRET", From 3a3e64274e8346ab55d38084187e41cba19732c7 Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Thu, 2 Jul 2020 14:04:48 -0400 Subject: [PATCH 02/10] Change the orchestrator role and role binding to use createorupdate This will ensure that we're enforcing our desired rbac on the orchestrator even though it can't be changed through the CR --- .../manageiq/manageiq_controller.go | 13 +++--- .../helpers/miq-components/orchestrator.go | 42 ++++++++++++++----- 2 files changed, 40 insertions(+), 15 deletions(-) diff --git a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go index cfe27f72..bfec5e01 100644 
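Review bot: The mutate function in OrchestratorServiceAccount only ever writes a pull-secret reference and never removes one; when `cr.Spec.ImagePullSecret` is later emptied, the entry previously written to `sa.ImagePullSecrets` stays on the ServiceAccount, so pods admitted with it keep using a credential the CR no longer names. Pruning by name is not safe on its own because the SA can also carry pull secrets the operator did not create (a later commit in this series notes OpenShift adds its own), so the operator would have to remember the name it last set, for example in an annotation on the SA that the mutate function compares against before dropping an entry. At minimum a comment above `if cr.Spec.ImagePullSecret != ""` should state that the reference is only added and is not retracted when the field is cleared. The name is also taken from the CR unvalidated; a missing or wrong-type secret will surface only as pull failures on the operand pods, which is worth a sentence in the CRD field's documentation.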
--- a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go +++ b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go @@ -8,7 +8,6 @@ import ( miqtool "github.com/ManageIQ/manageiq-pods/manageiq-operator/pkg/helpers/miq-components" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" @@ -358,14 +357,18 @@ func (r *ReconcileManageIQ) generateOrchestratorResources(cr *miqv1alpha1.Manage logger.Info("Service Account has been reconciled", "component", "orchestrator", "result", result) } - orchestratorRole := miqtool.OrchestratorRole(cr) - if err := r.createk8sResIfNotExist(cr, orchestratorRole, &rbacv1.Role{}); err != nil { + orchestratorRole, mutateFunc := miqtool.OrchestratorRole(cr, r.scheme) + if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, orchestratorRole, mutateFunc); err != nil { return err + } else { + logger.Info("Role has been reconciled", "component", "orchestrator", "result", result) } - orchestratorRoleBinding := miqtool.OrchestratorRoleBinding(cr) - if err := r.createk8sResIfNotExist(cr, orchestratorRoleBinding, &rbacv1.RoleBinding{}); err != nil { + orchestratorRoleBinding, mutateFunc := miqtool.OrchestratorRoleBinding(cr, r.scheme) + if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, orchestratorRoleBinding, mutateFunc); err != nil { return err + } else { + logger.Info("Role Binding has been reconciled", "component", "orchestrator", "result", result) } orchestratorDeployment, mutateFunc, err := miqtool.OrchestratorDeployment(cr, r.scheme) diff --git a/manageiq-operator/pkg/helpers/miq-components/orchestrator.go b/manageiq-operator/pkg/helpers/miq-components/orchestrator.go index e3f66cd5..f0255139 100644 --- a/manageiq-operator/pkg/helpers/miq-components/orchestrator.go 
+++ b/manageiq-operator/pkg/helpers/miq-components/orchestrator.go @@ -37,13 +37,20 @@ func OrchestratorServiceAccount(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme return sa, f } -func OrchestratorRole(cr *miqv1alpha1.ManageIQ) *rbacv1.Role { - return &rbacv1.Role{ +func OrchestratorRole(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*rbacv1.Role, controllerutil.MutateFn) { + role := &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{ Name: orchestratorObjectName(cr), Namespace: cr.ObjectMeta.Namespace, }, - Rules: []rbacv1.PolicyRule{ + } + + f := func() error { + if err := controllerutil.SetControllerReference(cr, role, scheme); err != nil { + return err + } + + role.Rules = []rbacv1.PolicyRule{ rbacv1.PolicyRule{ APIGroups: []string{""}, Resources: []string{"pods", "pods/finalizers"}, @@ -59,28 +66,43 @@ func OrchestratorRole(cr *miqv1alpha1.ManageIQ) *rbacv1.Role { Resources: []string{"deployments", "deployments/scale"}, Verbs: []string{"*"}, }, - }, + } + + return nil } + + return role, f } -func OrchestratorRoleBinding(cr *miqv1alpha1.ManageIQ) *rbacv1.RoleBinding { - return &rbacv1.RoleBinding{ +func OrchestratorRoleBinding(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*rbacv1.RoleBinding, controllerutil.MutateFn) { + rb := &rbacv1.RoleBinding{ ObjectMeta: metav1.ObjectMeta{ Name: orchestratorObjectName(cr), Namespace: cr.ObjectMeta.Namespace, }, - RoleRef: rbacv1.RoleRef{ + } + + f := func() error { + if err := controllerutil.SetControllerReference(cr, rb, scheme); err != nil { + return err + } + + rb.RoleRef = rbacv1.RoleRef{ Kind: "Role", Name: orchestratorObjectName(cr), APIGroup: "rbac.authorization.k8s.io", - }, - Subjects: []rbacv1.Subject{ + } + rb.Subjects = []rbacv1.Subject{ rbacv1.Subject{ Kind: "ServiceAccount", Name: orchestratorObjectName(cr), }, - }, + } + + return nil } + + return rb, f } func orchestratorObjectName(cr *miqv1alpha1.ManageIQ) string { From 78fe41460d60751d1e6bd924ef74e0b354aa9526 Mon Sep 17 00:00:00 2001 
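Review bot: The ServiceAccount subject that OrchestratorRoleBinding now re-asserts on every reconcile still carries no Namespace; the RBAC authorizer resolves an unqualified ServiceAccount subject against the binding's own namespace, so it works, but since the mutate function is the single place that defines the binding it should be self-describing: add `Namespace: cr.ObjectMeta.Namespace,` next to `Name: orchestratorObjectName(cr),` in `rb.Subjects`. Separately, the rules re-asserted in `role.Rules` keep `Verbs: []string{"*"}` on `deployments` and `deployments/scale` (the pods rule's verbs are outside the hunk); given that this commit exists to enforce the intended RBAC, enumerating the verbs the orchestrator actually issues would turn the enforcement into a least-privilege boundary rather than a wildcard. The orchestratorObjectName helper that both objects derive their names from starts at the end of the hunk and its body is not visible.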
From: Nick Carboni Date: Thu, 2 Jul 2020 14:07:06 -0400 Subject: [PATCH 03/10] Drop the orchestrator variable prefix in generateOrchestratorResources We know they apply to the orchestrator because we're in an orchestrator specific function. --- .../controller/manageiq/manageiq_controller.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go index bfec5e01..4fce8a07 100644 --- a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go +++ b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go 
@@ -350,33 +350,33 @@ func (r *ReconcileManageIQ) generateKafkaResources(cr *miqv1alpha1.ManageIQ) err } func (r *ReconcileManageIQ) generateOrchestratorResources(cr *miqv1alpha1.ManageIQ) error { - orchestratorServiceAccount, mutateFunc := miqtool.OrchestratorServiceAccount(cr, r.scheme) - if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, orchestratorServiceAccount, mutateFunc); err != nil { + serviceAccount, mutateFunc := miqtool.OrchestratorServiceAccount(cr, r.scheme) + if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, serviceAccount, mutateFunc); err != nil { return err } else { logger.Info("Service Account has been reconciled", "component", "orchestrator", "result", result) } - orchestratorRole, mutateFunc := miqtool.OrchestratorRole(cr, r.scheme) - if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, orchestratorRole, mutateFunc); err != nil { + role, mutateFunc := miqtool.OrchestratorRole(cr, r.scheme) + if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, role, mutateFunc); err != nil { return err } else { logger.Info("Role has been reconciled", "component", "orchestrator", "result", result) } - orchestratorRoleBinding, mutateFunc := miqtool.OrchestratorRoleBinding(cr, r.scheme) - if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, orchestratorRoleBinding, mutateFunc); err != nil { + roleBinding, mutateFunc := miqtool.OrchestratorRoleBinding(cr, r.scheme) + if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, roleBinding, mutateFunc); err != nil { return err } else { logger.Info("Role Binding has been reconciled", "component", "orchestrator", "result", result) } - orchestratorDeployment, mutateFunc, err := miqtool.OrchestratorDeployment(cr, r.scheme) + deployment, mutateFunc, err := miqtool.OrchestratorDeployment(cr, r.scheme) if err != nil { return err } - if result, err := controllerutil.CreateOrUpdate(context.TODO(), 
r.client, orchestratorDeployment, mutateFunc); err != nil { + if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, deployment, mutateFunc); err != nil { return err } else if result != controllerutil.OperationResultNone { logger.Info("Deployment has been reconciled", "component", "orchestrator", "result", result) From 9186fbb8a1bcfbd904530232fbd5b821a77ea100 Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Thu, 2 Jul 2020 16:31:46 -0400 Subject: [PATCH 04/10] Append our pull secret to the SA pull secret list OpenShift creates a default pull secret with the service account so before this change we were fighting with OpenShift by removing their pull secret and replacing it with ours. This commit checks to see if there are any other secrets in the SA and appends ours to the list if it isn't already there. --- .../pkg/helpers/miq-components/orchestrator.go | 4 +--- .../pkg/helpers/miq-components/util.go | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/manageiq-operator/pkg/helpers/miq-components/orchestrator.go b/manageiq-operator/pkg/helpers/miq-components/orchestrator.go index f0255139..df2b7090 100644 --- a/manageiq-operator/pkg/helpers/miq-components/orchestrator.go +++ b/manageiq-operator/pkg/helpers/miq-components/orchestrator.go @@ -26,9 +26,7 @@ func OrchestratorServiceAccount(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme } if cr.Spec.ImagePullSecret != "" { - sa.ImagePullSecrets = []corev1.LocalObjectReference{ - corev1.LocalObjectReference{Name: cr.Spec.ImagePullSecret}, - } + addSAPullSecret(sa, cr.Spec.ImagePullSecret) } return nil diff --git a/manageiq-operator/pkg/helpers/miq-components/util.go b/manageiq-operator/pkg/helpers/miq-components/util.go index de4a6c74..345c9116 100644 --- a/manageiq-operator/pkg/helpers/miq-components/util.go +++ b/manageiq-operator/pkg/helpers/miq-components/util.go 
@@ -60,3 +60,17 @@ func addAppLabel(appName string, meta *metav1.ObjectMeta) { } meta.Labels["app"] = appName } + +func addSAPullSecret(sa *corev1.ServiceAccount, secret string) { + secretRef := corev1.LocalObjectReference{Name: secret} + if sa.ImagePullSecrets == nil { + sa.ImagePullSecrets = []corev1.LocalObjectReference{secretRef} + } else { + for _, ref := range sa.ImagePullSecrets { + if ref.Name == secret { + return + } + } + sa.ImagePullSecrets = append(sa.ImagePullSecrets, secretRef) + } +} From fc080fe9e8e5be23ba7002cac5366c3cb5068dbb Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Tue, 7 Jul 2020 14:22:22 -0400 Subject: [PATCH 05/10] Remove dependency on google's uuid library The only use was removed in f68458ce43651e3cfe795bfceb6c5b0b1268af5e --- manageiq-operator/go.mod | 1 - 1 file changed, 1 deletion(-) diff --git a/manageiq-operator/go.mod b/manageiq-operator/go.mod index 19595483..448df49f 100644 --- a/manageiq-operator/go.mod +++ b/manageiq-operator/go.mod @@ -3,7 +3,6 @@ module github.com/ManageIQ/manageiq-pods/manageiq-operator go 1.14 require ( - github.com/google/uuid v1.1.1 github.com/operator-framework/operator-sdk v0.15.1 github.com/spf13/pflag v1.0.5 k8s.io/api v0.0.0 From 80914d5d3d46cf4ed54d6b22d44ad5138bbe6320 Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Tue, 7 Jul 2020 14:23:38 -0400 Subject: [PATCH 06/10] Re-add rbac.go to deal with app-wide rbac Specifically add a service account to be used by all components that don't require one for other reasons. --- .../manageiq/manageiq_controller.go | 14 +++++ .../pkg/helpers/miq-components/rbac.go | 51 +++++++++++++++++++ .../pkg/helpers/miq-components/util.go | 14 ----- 3 files changed, 65 insertions(+), 14 deletions(-) create mode 100644 manageiq-operator/pkg/helpers/miq-components/rbac.go diff --git a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go index 4fce8a07..ce64976b 100644 
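Review bot: addSAPullSecret is append-only, so if the CR is reconfigured with a different `ImagePullSecret` the ServiceAccount accumulates every name that was ever set and never drops the old ones; the helper has no way to tell an entry it added from one the platform generated, so any pruning would need the operator to record its own entry (for example in an SA annotation) rather than removing by name. Style-wise the `sa.ImagePullSecrets == nil` branch is unnecessary: ranging over a nil slice and appending to one are both well-defined in Go, so the body collapses to one loop plus an append, with a comment making the additive-only behaviour explicit.
```go
func addSAPullSecret(sa *corev1.ServiceAccount, secret string) {
	// Additive only: an entry is never removed once the CR stops naming it,
	// and entries not created by the operator (e.g. platform-generated
	// pull secrets) are left untouched.
	for _, ref := range sa.ImagePullSecrets {
		if ref.Name == secret {
			return
		}
	}
	sa.ImagePullSecrets = append(sa.ImagePullSecrets, corev1.LocalObjectReference{Name: secret})
}
```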
--- a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go +++ b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go @@ -117,6 +117,9 @@ func (r *ReconcileManageIQ) Reconcile(request reconcile.Request) (reconcile.Resu if e := r.generateSecrets(miqInstance); e != nil { return reconcile.Result{}, e } + if e := r.generateDefaultServiceAccount(miqInstance); e != nil { + return reconcile.Result{}, e + } if e := r.generatePostgresqlResources(miqInstance); e != nil { return reconcile.Result{}, e } @@ -138,6 +141,17 @@ func (r *ReconcileManageIQ) Reconcile(request reconcile.Request) (reconcile.Resu return reconcile.Result{}, nil } +func (r *ReconcileManageIQ) generateDefaultServiceAccount(cr *miqv1alpha1.ManageIQ) error { + serviceAccount, mutateFunc := miqtool.DefaultServiceAccount(cr, r.scheme) + if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, serviceAccount, mutateFunc); err != nil { + return err + } else if result != controllerutil.OperationResultNone { + logger.Info("Service Account has been reconciled", "component", "app", "result", result) + } + + return nil +} + func (r *ReconcileManageIQ) generateHttpdResources(cr *miqv1alpha1.ManageIQ) error { privileged, err := miqtool.PrivilegedHttpd(cr.Spec.HttpdAuthenticationType) if err != nil { diff --git a/manageiq-operator/pkg/helpers/miq-components/rbac.go b/manageiq-operator/pkg/helpers/miq-components/rbac.go new file mode 100644 index 00000000..433b9b61 --- /dev/null +++ b/manageiq-operator/pkg/helpers/miq-components/rbac.go 
@@ -0,0 +1,51 @@
+package miqtools
+
+import (
+	"fmt"
+	miqv1alpha1 "github.com/ManageIQ/manageiq-pods/manageiq-operator/pkg/apis/manageiq/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+func addSAPullSecret(sa *corev1.ServiceAccount, secret string) {
+	secretRef := corev1.LocalObjectReference{Name: secret}
+	if sa.ImagePullSecrets == nil {
+		sa.ImagePullSecrets = []corev1.LocalObjectReference{secretRef}
+	} else {
+		for _, ref := range sa.ImagePullSecrets {
+			if ref.Name == secret {
+				return
+			}
+		}
+		sa.ImagePullSecrets = append(sa.ImagePullSecrets, secretRef)
+	}
+}
+
+func defaultServiceAccountName(appName string) string {
+	return fmt.Sprintf("%s-default", appName)
+}
+
+func DefaultServiceAccount(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*corev1.ServiceAccount, controllerutil.MutateFn) {
+	sa := &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: defaultServiceAccountName(cr.Spec.AppName),
+			Namespace: cr.ObjectMeta.Namespace,
+		},
+	}
+
+	f := func() error {
+		if err := controllerutil.SetControllerReference(cr, sa, scheme); err != nil {
+			return err
+		}
+
+		if cr.Spec.ImagePullSecret != "" {
+			addSAPullSecret(sa, cr.Spec.ImagePullSecret)
+		}
+
+		return nil
+	}
+
+	return sa, f
+}
diff --git a/manageiq-operator/pkg/helpers/miq-components/util.go b/manageiq-operator/pkg/helpers/miq-components/util.go
index 345c9116..de4a6c74 100644
--- a/manageiq-operator/pkg/helpers/miq-components/util.go
+++ b/manageiq-operator/pkg/helpers/miq-components/util.go
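Review bot: DefaultServiceAccount leaves `AutomountServiceAccountToken` unset, so every operand pointed at this SA later in the series (postgresql, memcached, kafka, zookeeper, non-privileged httpd) gets an API bearer token mounted into its pods even though the account exists only to carry the pull secret and has no Role bound to it anywhere in this series. If none of those components, nor the workers the orchestrator is later told to launch under it, need to talk to the API server, add `automount := false` and `sa.AutomountServiceAccountToken = &automount` inside the mutate function so a compromised database or cache container does not inherit a usable token; whether the workers need API access is not visible here, so confirm that before flipping it. The exported DefaultServiceAccount also lacks a doc comment; one sentence stating that it is the shared unprivileged account whose only job is to reference the CR's image pull secret would make the intent clear to the next reader.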
@@ -60,17 +60,3 @@ func addAppLabel(appName string, meta *metav1.ObjectMeta) { } meta.Labels["app"] = appName } - -func addSAPullSecret(sa *corev1.ServiceAccount, secret string) { - secretRef := corev1.LocalObjectReference{Name: secret} - if sa.ImagePullSecrets == nil { - sa.ImagePullSecrets = []corev1.LocalObjectReference{secretRef} - } else { - for _, ref := range sa.ImagePullSecrets { - if ref.Name == secret { - return - } - } - sa.ImagePullSecrets = append(sa.ImagePullSecrets, secretRef) - } -} From 7fa09a8094e95ea6dae06d24f057d053808a65a4 Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Tue, 7 Jul 2020 15:06:02 -0400 Subject: [PATCH 07/10] Add the pull secret to httpd SA if present --- manageiq-operator/pkg/helpers/miq-components/httpd.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/manageiq-operator/pkg/helpers/miq-components/httpd.go b/manageiq-operator/pkg/helpers/miq-components/httpd.go index 80405d2f..68325393 100644 --- a/manageiq-operator/pkg/helpers/miq-components/httpd.go +++ b/manageiq-operator/pkg/helpers/miq-components/httpd.go @@ -25,6 +25,11 @@ func HttpdServiceAccount(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*cor if err := controllerutil.SetControllerReference(cr, serviceAccount, scheme); err != nil { return err } + + if cr.Spec.ImagePullSecret != "" { + addSAPullSecret(serviceAccount, cr.Spec.ImagePullSecret) + } + return nil } From 4940c2ff47332e1525cc4943ff7513e219733fe7 Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Tue, 7 Jul 2020 15:07:49 -0400 Subject: [PATCH 08/10] Set the service account for all operands This way they will all have access to the pull secret if needed --- manageiq-operator/pkg/helpers/miq-components/httpd.go | 2 ++ manageiq-operator/pkg/helpers/miq-components/kafka.go | 2 ++ manageiq-operator/pkg/helpers/miq-components/memcached.go | 1 + manageiq-operator/pkg/helpers/miq-components/postgresql.go | 1 + 4 files changed, 6 insertions(+) 
diff --git a/manageiq-operator/pkg/helpers/miq-components/httpd.go b/manageiq-operator/pkg/helpers/miq-components/httpd.go index 68325393..3e9fd2c0 100644 --- a/manageiq-operator/pkg/helpers/miq-components/httpd.go +++ b/manageiq-operator/pkg/helpers/miq-components/httpd.go @@ -364,6 +364,8 @@ func HttpdDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*appsv1. // Only assign the service account if we need additional privileges if privileged { deployment.Spec.Template.Spec.ServiceAccountName = cr.Spec.AppName + "-httpd" + } else { + deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName) } configureHttpdAuth(&cr.Spec, &deployment.Spec.Template.Spec) diff --git a/manageiq-operator/pkg/helpers/miq-components/kafka.go b/manageiq-operator/pkg/helpers/miq-components/kafka.go index 7891817c..61ec1004 100644 --- a/manageiq-operator/pkg/helpers/miq-components/kafka.go +++ b/manageiq-operator/pkg/helpers/miq-components/kafka.go @@ -247,6 +247,7 @@ func KafkaDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*appsv1. var repNum int32 = 1 deployment.Spec.Replicas = &repNum deployment.Spec.Template.Spec.Containers = []corev1.Container{container} + deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName) var termSecs int64 = 10 deployment.Spec.Template.Spec.TerminationGracePeriodSeconds = &termSecs deployment.Spec.Template.Spec.Volumes = []corev1.Volume{ @@ -323,6 +324,7 @@ func ZookeeperDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*app var repNum int32 = 1 deployment.Spec.Replicas = &repNum deployment.Spec.Template.Spec.Containers = []corev1.Container{container} + deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName) deployment.Spec.Template.Spec.Volumes = []corev1.Volume{ corev1.Volume{ Name: "zookeeper-data", 
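Review bot: The comment `// Only assign the service account if we need additional privileges` above the `if privileged` block is now misleading: after this hunk a service account is always assigned and only which one depends on `privileged`. Reword it to something like `// Privileged httpd needs its own SA; otherwise use the app-wide default SA, which carries the image pull secret`. HttpdDeployment's body continues outside the hunk.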
diff --git a/manageiq-operator/pkg/helpers/miq-components/memcached.go b/manageiq-operator/pkg/helpers/miq-components/memcached.go index 967ec983..d959ba39 100644 --- a/manageiq-operator/pkg/helpers/miq-components/memcached.go +++ b/manageiq-operator/pkg/helpers/miq-components/memcached.go @@ -89,6 +89,7 @@ func NewMemcachedDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (* var repNum int32 = 1 deployment.Spec.Replicas = &repNum deployment.Spec.Template.Spec.Containers = []corev1.Container{container} + deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName) return nil } diff --git a/manageiq-operator/pkg/helpers/miq-components/postgresql.go b/manageiq-operator/pkg/helpers/miq-components/postgresql.go index 008bb8cb..c12a04a5 100644 --- a/manageiq-operator/pkg/helpers/miq-components/postgresql.go +++ b/manageiq-operator/pkg/helpers/miq-components/postgresql.go @@ -230,6 +230,7 @@ func PostgresqlDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*ap var repNum int32 = 1 deployment.Spec.Replicas = &repNum deployment.Spec.Template.Spec.Containers = []corev1.Container{container} + deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName) deployment.Spec.Template.Spec.Volumes = []corev1.Volume{ corev1.Volume{ Name: "miq-pgdb-volume", From ab3a779f3aa7bcf901f8092ac21b466fcea18c26 Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Tue, 7 Jul 2020 15:47:55 -0400 Subject: [PATCH 09/10] Pass the service account to the orchestrator instead of the pull secret name The workers should be using the common service acount either way so might as well also use it to get access to the pull secret --- .../pkg/helpers/miq-components/orchestrator.go | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/manageiq-operator/pkg/helpers/miq-components/orchestrator.go b/manageiq-operator/pkg/helpers/miq-components/orchestrator.go index df2b7090..c8fda239 100644 
--- a/manageiq-operator/pkg/helpers/miq-components/orchestrator.go +++ b/manageiq-operator/pkg/helpers/miq-components/orchestrator.go @@ -306,6 +306,10 @@ func OrchestratorDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (* Name: "WORKER_RESOURCES", Value: strconv.FormatBool(*cr.Spec.EnforceWorkerResourceConstraints), }, + corev1.EnvVar{ + Name: "WORKER_SERVICE_ACCOUNT", + Value: defaultServiceAccountName(cr.Spec.AppName), + }, }, } @@ -347,15 +351,6 @@ func OrchestratorDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (* deployment.Spec.Template.Spec.ServiceAccountName = cr.Spec.AppName + "-orchestrator" deployment.Spec.Template.Spec.TerminationGracePeriodSeconds = &termSecs - if cr.Spec.ImagePullSecret != "" { - c := &deployment.Spec.Template.Spec.Containers[0] - pullSecretEnv := corev1.EnvVar{ - Name: "IMAGE_PULL_SECRET", - Value: cr.Spec.ImagePullSecret, - } - c.Env = append(c.Env, pullSecretEnv) - } - return nil } From 966f161f92b6699d782b8bbb60d7b496e4247667 Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Wed, 8 Jul 2020 11:47:09 -0400 Subject: [PATCH 10/10] Only log orchestrator changes if something changed --- .../pkg/controller/manageiq/manageiq_controller.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go index ce64976b..062eefd7 100644 --- a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go +++ b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go 
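Review bot: Dropping the `IMAGE_PULL_SECRET` env var while adding `WORKER_SERVICE_ACCOUNT` changes the contract between the operator and the orchestrator image, and nothing in this series shows the consumer; if the orchestrator image is not updated in lock-step the workers it spawns will presumably run under the namespace's default SA without the pull secret, with no error on the operator side. A comment on the new EnvVar naming what reads it (presumably the orchestrator process in the manageiq image) and stating that it supersedes `IMAGE_PULL_SECRET` would record that dependency, e.g. `// Consumed by the orchestrator when creating worker pods; replaces IMAGE_PULL_SECRET`. The orchestrator's Role needs no `serviceaccounts` permission to launch pods under the shared SA, but that SA must already exist, which relies on Reconcile creating the default SA before the orchestrator resources; OrchestratorDeployment's body continues outside both hunks.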
@@ -367,21 +367,21 @@ func (r *ReconcileManageIQ) generateOrchestratorResources(cr *miqv1alpha1.Manage
 	serviceAccount, mutateFunc := miqtool.OrchestratorServiceAccount(cr, r.scheme)
 	if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, serviceAccount, mutateFunc); err != nil {
 		return err
-	} else {
+	} else if result != controllerutil.OperationResultNone {
 		logger.Info("Service Account has been reconciled", "component", "orchestrator", "result", result)
 	}
 
 	role, mutateFunc := miqtool.OrchestratorRole(cr, r.scheme)
 	if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, role, mutateFunc); err != nil {
 		return err
-	} else {
+	} else if result != controllerutil.OperationResultNone {
 		logger.Info("Role has been reconciled", "component", "orchestrator", "result", result)
 	}
 
 	roleBinding, mutateFunc := miqtool.OrchestratorRoleBinding(cr, r.scheme)
 	if result, err := controllerutil.CreateOrUpdate(context.TODO(), r.client, roleBinding, mutateFunc); err != nil {
 		return err
-	} else {
+	} else if result != controllerutil.OperationResultNone {
 		logger.Info("Role Binding has been reconciled", "component", "orchestrator", "result", result)
 	}